DNSSEC validation with dig
Fri 18 April 2014
You need a trust anchor. It should be provided in a file named trusted-key.key, but on my Debian system `locate trusted-key` returns an empty answer. /etc/bind/bind.keys seems to hold some trust anchors, but I do not understand how it is meant to be used. Anyway, you can request the root DNSKEY records and put them in the file called trusted-key.key:
    dig +nocomments +nostats +nocmd +noquestion -t dnskey . >> /etc/trusted-key.key

Just verify the keys are OK. Mine looks like:

    . 171512 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
    . 171512 IN DNSKEY 256 3 8 AwEAAZvJd8ORk+jmZ41QMYbQ1XCpf60l6YJuHtnxn0VSh5a5vqwEjTST 3/PZ4xhUFu2YcTfRNWxs9WTiGZl3MY/UlBIvzpLhKgKnf9Vk8sEU3q0n mOGFgE6jTi/cU95ATU/2dTQovMDv9XyWvrmj8KIG2brj6mF4S8GTae6G 2GwbMF5v
The TTL (2nd field) does not matter, but the rest must be the same.
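"Verify the keys are OK" means checking the fetched DNSKEY against a trust anchor obtained out of band, not trusting the answer itself. The following added example (not part of the original post) recomputes the key tag (RFC 4034 appendix B) and the SHA-256 DS digest of the 257 record shown above, as dig prints it, and compares the digest with the IANA-published root DS for KSK-2010 (key tag 19036); that DS constant comes from IANA, not from this page.

```python
import base64
import hashlib

# IANA-published DS of the 2010 root KSK (key tag 19036, algorithm 8, digest type 2).
# This out-of-band value is what turns a fetched DNSKEY into a trust anchor.
ROOT_DS_SHA256 = "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"

ROOT_KSK_2010 = (
    ". 171512 IN DNSKEY 257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF "
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX "
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD "
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz "
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS "
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq "
    "QxA+Uk1ihz0=")

def name_to_wire(name):
    """Canonical wire form of an owner name (lowercase labels, RFC 4034 s6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Parse a zone-file DNSKEY record; TTL/class optional, base64 may be split."""
    tok = line.split()
    i = tok.index("DNSKEY")
    flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tok[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return tok[0], flags, alg, rdata

def key_tag(rdata):
    """Key tag of a DNSKEY RDATA, RFC 4034 appendix B (algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner name wire form || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def check_trust_anchor(line, expected_ds=ROOT_DS_SHA256):
    """Return (key tag, DS digest, ok); ok only for a root KSK matching the DS."""
    owner, flags, alg, rdata = parse_dnskey(line)
    tag, digest = key_tag(rdata), ds_sha256(owner, rdata)
    ok = owner == "." and flags == 257 and alg == 8 and digest == expected_ds
    return tag, digest, ok
```

Run check_trust_anchor over each line of /etc/trusted-key.key; a 256 (ZSK) record is expected to come back with ok False, since only the KSK is anchored by the DS.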
The +sigchase option of dig does the right thing and works as follows:
- fetch all the needed material (DNSKEY, DS and RRSIG records)
- perform the validation (check the chain dnskey->[ds->dnskey]+->rr)
To test, I decided to fetch the MX record for www.example.com. I cut the output; there is a lot of uninteresting stuff:
    $ dig +sigchase mx www.example.com
    ;; NO ANSWERS: no more
    We want to prove the non-existence of a type of rdata 15 or of the zone:
    We have a NSEC for this zone :OK
    OK the NSEC said that the type doesn't exist
    prove_nx: OK type does not exist
    ;; An NSEC prove the non-existence of a answers, Now we want validate this NSEC
    [...]
    Launch query to find RRset of type [...]
    [...]
    ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
    ;; VERIFYING NSEC RRset for www.example.com. with DNSKEY:6439: success
    ;; OK We found DNSKEY (or more) to validate the RRset
    ;; Now, we are going to validate this DNSKEY by the DS
    ;; OK a DS valids a DNSKEY in the RRset
    ;; Now verify that this DNSKEY validates the DNSKEY RRset
    ;; VERIFYING DNSKEY RRset for example.com. with DNSKEY:31589: success
    ;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
    ;; Now, we want to validate the DS : recursive call
    [...]
    ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
    ;; VERIFYING DS RRset for com. with DNSKEY:40926: success
    ;; OK We found DNSKEY (or more) to validate the RRset
    ;; Ok, find a Trusted Key in the DNSKEY RRset: 40926
    ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
    ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
    ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

For testing purposes, you can try an existing, correctly signed RR and an RR whose validation fails:
    dig +sigchase A www.example.com
    dig +sigchase A www.dnssec-failed.org