[Bug 1406729] Re: dig does not have a default trusted key
Charles Peters II
cp at LinuxTech.com
Fri Jan 2 12:24:47 UTC 2015
I vote no: if someone is setting up or testing DNSSEC, let's not encourage them to use a broken dig option!
I tried using the following command and dig core dumped. Note: www is set up as a CNAME.
dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta www.tuxedo.net
I was wondering if I had done something wrong with DNSSEC... But other tools show (I think) it looks ok.
drill -TD -k ../trusted-key.key www.tuxedo.net # See footnote 1
http://dnsviz.net/d/www.tuxedo.net/dnssec/
And some more digging and I found:
The option is not compiled in by default upstream because it is broken.
See:
https://lists.isc.org/pipermail/bind-users/2012-May/087779.html
https://lists.isc.org/pipermail/bind-users/2012-May/087781.html
dig +trusted-key=trusted-key.key +topdown +sigchase +multiline -ta com
...
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success
;; We are in a Grand Father Problem: See 2.2.1 in RFC 3568
;; ERROR : com. is not a subdomain of: com. FAILED
name.c:2151: REQUIRE(source->length > 0) failed, back trace
#0 0x7f1a1cda5954 in ??
#1 0x7f1a1cda58ba in ??
#2 0x7f1a1d4a7bdc in ??
#3 0x7f1a1dc45f72 in ??
#4 0x7f1a1dc48397 in ??
#5 0x7f1a1dc4a3d2 in ??
#6 0x7f1a1cdc7af6 in ??
#7 0x7f1a1cb80182 in ??
#8 0x7f1a1c8acefd in ??
Aborted (core dumped)
I also compiled bind-9.9.6-P1 to test if it was fixed in a newer release, and it is still broken.
Footnote 1:
Note: drill is currently part of the ldnsutils package, not unbound. https://www.nlnetlabs.nl/projects/drill/
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1406729
Title:
dig does not have a default trusted key
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1406729/+subscriptions
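The ";; OK a DS valids a DNSKEY in the RRset" line in the dig output above is the one step of a DNSSEC chase that does not depend on the broken +sigchase code: the parent's DS record is just a key tag plus a digest of the child's DNSKEY, so anyone verifying a trust anchor or a delegation can recompute it. The script below is an added example written for this note, not code from the bug report, from BIND, or from drill; the DNSKEY it uses is a constructed placeholder (owner "example.", a four-byte fake public key), and the function names are my own. It builds the DS a parent would publish (RFC 4034 key tag, RFC 4509 SHA-256 digest type 2) and checks a DS against a DNSKEY the way a validating resolver does.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY (NOT a real key): owner "example.", flags 257 (KSK),
# protocol 3, algorithm 8, with a 4-byte placeholder public key.
SAMPLE_DNSKEY = {
    "owner": "example.",
    "flags": 257,
    "protocol": 3,
    "algorithm": 8,
    "public_key_b64": "AQIDBA==",
}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2):
    lowercase labels, each length-prefixed, terminated by the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    wire = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in labels)
    return wire + b"\x00"


def dnskey_rdata(key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), raw public key."""
    header = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"])
    return header + base64.b64decode(key["public_key_b64"])


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(key):
    """DS record a parent zone would publish for this DNSKEY
    (RFC 4034 s5.1 with RFC 4509 digest type 2 = SHA-256 over owner name + RDATA)."""
    rdata = dnskey_rdata(key)
    digest = hashlib.sha256(name_to_wire(key["owner"]) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": key["algorithm"],
        "digest_type": 2,
        "digest": digest,
    }


def ds_matches_dnskey(ds, key):
    """The check behind dig's ';; OK a DS valids a DNSKEY' line: recompute the DS
    from the child's DNSKEY and compare key tag, algorithm and digest to the
    DS the parent published. Any mismatch means this DNSKEY is not anchored."""
    if ds["digest_type"] != 2:
        raise ValueError("only SHA-256 (digest type 2) is handled in this example")
    expected = ds_from_dnskey(key)
    return (
        ds["key_tag"] == expected["key_tag"]
        and ds["algorithm"] == expected["algorithm"]
        and ds["digest"].upper() == expected["digest"]
    )


if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_DNSKEY)
    print("DS for example.:", ds)
    print("DS matches DNSKEY:", ds_matches_dnskey(ds, SAMPLE_DNSKEY))
```

To use it against real data, fill the dict from a DNSKEY record (for a trusted-key file, the owner is the zone name and the key material is the base64 field) and compare with the DS your parent zone or the root trust anchor advertises; a digest type other than 2 (for example SHA-1, type 1, or SHA-384, type 4) needs the corresponding hash swapped in.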