[Unbound-users] DNSSEC and traffic encryption questions

Jelte Jansen jelte.jansen at sidn.nl
Wed Feb 26 10:14:50 UTC 2014


Drill does not have a pre-configured or built-in trust anchor (e.g. the
root key); So the only thing it can say right now is that the crypto
*looks* ok, relative to the other records it finds, hence an [S] instead
of a [T].

If you pass it a key with -k it should print about the same, but with
[T] values.

$ drill -k ~/root.key -TD com. SOA

One insecure way to easily get the root key is ldns-keyfetcher -s (it
simply does a query and stores the result)

On 02/26/2014 10:03 AM, Beeblebrox wrote:
> Could someone tell me what this output means when checking dnssec
> status? Using dnscrypt-proxy as forward-zone, which in turn forwards
> to dnssec enabled resolver (176.56.237.171 holland)
> 
> $ drill -TD com. SOA
> Warning: No trusted keys were given. Will not be able to verify authenticity!
> ;; Domain: .
> ;; Signature ok but no chain to a trusted key or ds record
> [S] . 172800 IN DNSKEY 256 3 8 ;{id = 33655 (zsk), size = 1024b}
> . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
> Checking if signing key is trusted:
> New key: .    172800    IN    DNSKEY    256 3 8
> AwEAAb8sU6pbYMWRbkRnEuEZw9NSir707TkOcF+UL1XiK4NDJOvXRyX195Am5dQ7bRnnuySZ3daf37vvjUUhuIWUAQ4stht8nJfYxVQXDYjSpGH5I6Hf/0CZEoNP6cNvrQ7AFmKkmv00xWExKQjbvnRPI4bqpMwtHVzn6WybBZ6kuqED
> ;{id = 33655 (zsk), size = 1024b}
> [S] com. 86400 IN DS 30909 8 2
> e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
> ;; Domain: com.
> ;; Signature ok but no chain to a trusted key or ds record
> [S] com. 86400 IN DNSKEY 256 3 8 ;{id = 45932 (zsk), size = 1024b}
> com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
> [S] com.    900    IN    SOA    a.gtld-servers.net.
> nstld.verisign-grs.com. 1393405023 1800 900 604800 86400
> ;;[S] self sig OK; [B] bogus; [T] trusted
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> 




More information about the Unbound-users mailing list