If you’re into DNSSEC, you’ll probably have to troubleshoot or at least to verify it. While there are some good online tools such as DNSViz, there is also a command-line tool to test DNSSEC signatures onsite: delv.
Citing the manpage again:
Without any options, delv outputs the A record and the corresponding RRSIG (if present), while it fully validates the DNSSEC signature. A simple call looks like this, while for IPv6 addresses you have to specify the type with AAAA. Note the “fully validated” line since the following hostnames are DNSSEC signed:
1 2 3 4 5 6 7 8 |
weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 lx.weberlab.de ; fully validated lx.weberlab.de. 54 IN A 193.24.227.230 lx.weberlab.de. 54 IN RRSIG A 10 3 60 20191118181337 20191019175246 36935 weberlab.de. O6uzfPD91EkCiPPYWrfAx3Jy9gjEUT5MwRqtGEjmqv90g6OaDqooMuZY cXe8Qtf9ZFrw7NRoBgK4BQec6lN3Qvg/ul7i4iXtX60TwnDm1QbvGBeP q2U6k9hhv2nEL646x0tDYbIkz1sCPbHxYTo8ARAZG4sI6aHU8POO2SOq FFfJOuRUTuKDWoinJ5qmxm75g3ZeqGAAWhTNsi/Ws2VBNAsMIR0EAe+s hrnmOpU83p+2zhaAFYltS3OdEmvjV1C5B+ncbl1TECREQ/zgrHTdJvoP Rn2twl1OvdWDGGtE6tufU+WfzKhI7IS0r2PAAlkYBw6mN1G2yuU3CBza 5BLnZA== weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 lx.weberlab.de aaaa ; fully validated lx.weberlab.de. 51 IN AAAA 2001:470:765b::b15:22 lx.weberlab.de. 51 IN RRSIG AAAA 10 3 60 20191118190408 20191019182659 36935 weberlab.de. B474s0nkDDNNTErDbN4iBVttagxt+Nj9yCSiPm3kfvuOKPwDoFQ9SjUU 1DrQ4/E5phz+eDrHZqM9PX37KtwKjos72mdddS0a7r2MsAUrNqGrVMeQ 5OqYMw+XWxN1mvCA4t1wn43z0T/WbAbekCL+hWV5qjW9Oe00wa1pqJRn rb+yijbYlwFom09UxHnBcN9w+tpHbr3ZdJXKOZCSp/6mJQXu+BSSTTji bki4dbbhR53Hm/NbIDYAnkp7hGX+PKmMz3mKCGGxfNcH4kF8J9d6NvxO P3EtR9169pQK3CJt7Oa4w7B4EEXhBe9m/GMIz1b7oSCj1/0AvuwEEzN+ L7dtKg== |
For hostnames that aren’t signed, delv outputs this “unsigned answer”:
1 2 3 4 5 6 |
weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 heise.de ; unsigned answer heise.de. 3200171710 IN A 193.99.144.80 weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 heise.de aaaa ; unsigned answer heise.de. 3200171710 IN AAAA 2a02:2e0:3fe:1001:302:: |
Traces
Now, this is what delv is about: a couple of trace options:
1 2 3 |
+[no]rtrace (Trace resolver fetches) +[no]mtrace (Trace messages received) +[no]vtrace (Trace validation process) |
+rtrace
Just to list all queried RRs; no further DNSSEC details:
1 2 3 4 5 6 7 8 9 10 |
weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 lx.weberlab.de +rtrace ;; fetch: lx.weberlab.de/A ;; fetch: weberlab.de/DNSKEY ;; fetch: weberlab.de/DS ;; fetch: de/DNSKEY ;; fetch: de/DS ;; fetch: ./DNSKEY ; fully validated lx.weberlab.de. 60 IN A 193.24.227.230 lx.weberlab.de. 60 IN RRSIG A 10 3 60 20191118181337 20191019175246 36935 weberlab.de. O6uzfPD91EkCiPPYWrfAx3Jy9gjEUT5MwRqtGEjmqv90g6OaDqooMuZY cXe8Qtf9ZFrw7NRoBgK4BQec6lN3Qvg/ul7i4iXtX60TwnDm1QbvGBeP q2U6k9hhv2nEL646x0tDYbIkz1sCPbHxYTo8ARAZG4sI6aHU8POO2SOq FFfJOuRUTuKDWoinJ5qmxm75g3ZeqGAAWhTNsi/Ws2VBNAsMIR0EAe+s hrnmOpU83p+2zhaAFYltS3OdEmvjV1C5B+ncbl1TECREQ/zgrHTdJvoP Rn2twl1OvdWDGGtE6tufU+WfzKhI7IS0r2PAAlkYBw6mN1G2yuU3CBza 5BLnZA== |
+mtrace
Caution: Same as rtrace but with the full content of all RRs:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 |
weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 lx.weberlab.de +mtrace ;; fetch: lx.weberlab.de/A ;; received packet from 2001:470:765b::d034:53#53 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30196 ;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 2a7668e6bc6d6f32b9ea8d845dbadf330310da784b848967 ;; QUESTION SECTION: ;lx.weberlab.de. IN A ;; ANSWER SECTION: ;lx.weberlab.de. 60 IN A 193.24.227.230 ;lx.weberlab.de. 60 IN RRSIG A 10 3 60 ( ; 20191118181337 20191019175246 36935 weberlab.de. ; O6uzfPD91EkCiPPYWrfAx3Jy9gjE ; UT5MwRqtGEjmqv90g6OaDqooMuZY ; cXe8Qtf9ZFrw7NRoBgK4BQec6lN3 ; Qvg/ul7i4iXtX60TwnDm1QbvGBeP ; q2U6k9hhv2nEL646x0tDYbIkz1sC ; PbHxYTo8ARAZG4sI6aHU8POO2SOq ; FFfJOuRUTuKDWoinJ5qmxm75g3Ze ; qGAAWhTNsi/Ws2VBNAsMIR0EAe+s ; hrnmOpU83p+2zhaAFYltS3OdEmvj ; V1C5B+ncbl1TECREQ/zgrHTdJvoP ; Rn2twl1OvdWDGGtE6tufU+WfzKhI ; 7IS0r2PAAlkYBw6mN1G2yuU3CBza ; 5BLnZA== ) ;; fetch: weberlab.de/DNSKEY ;; received packet from 2001:470:765b::d034:53#53 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54483 ;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 2a7668e6bc6d6f32690cb5845dbadf34bcae2714094a31c6 ;; QUESTION SECTION: ;weberlab.de. IN DNSKEY ;; ANSWER SECTION: ;weberlab.de. 59 IN DNSKEY 257 3 10 ( ; AwEAAd3v/e0irXYKOwtYEB3VPe7z ; 99qvi5le9/y1XXyplp5y/5xaqrm/ ; relG8pgx8GsNW2IgviJKAJ6UiU45 ; ERKoH+fz2qf2SUFHFWwkweiWyLZ4 ; EZHhowviCEx94P4OswNKXmdYHe38 ; rlHPa+3OypW9gYfR9lhCKK3neCPq ; 8/aFFsTTI7dQ+Q2kERWiCMCybl4W ; OwsBo/RlnPM4yufMKIlABiM5NWQP ; NmI6jYzAYpYoyUhd9HnnIIDlNQ89 ; HpXQdFmysMraXYb7qDOoOEiOodtt ; KH0y/vtJ2SRU05RF4AEumacIUzAi ; 5LL2cMQxC7t7rlDI4X42NRfOLAqG ; uOeclFjzqz3OdAJWeg/AAnSbb02A ; GCkQ370TX1hWveAXt6xpPWOLgHXS ; LIF/lz+wl+Dm8ZNWDnn5zEJuEj3x ; ova1g8zmRXJOmqA6VhGqewxF8c+y ; KeNEOHz4X4/RLmWHIuEbvboP00Dk ; 5A9bhyZGVsytOJg+NwhFQtvBWLmD ; 82FFtfSt2vmbFFNwAZOnRZWJOG9L ; 7TFcGIm1OEULmohUyFLsBGMXDFOu ; 1k0o6pqm495tsBuMyJNpfdQoPwOk ; UpsKi6jmNq6vRjvvNiJbcFylTQrq ; HGTGuOopuUsBbUXj/nOr4I6j42k6 ; GDIuTyLDkaVrdrxXmGnfNnStdqWm ; vHXo/YFwdls9bcT7 ; ) ; KSK; alg = RSASHA512 ; key id = 13179 ;weberlab.de. 59 IN DNSKEY 256 3 10 ( ; AwEAAdBU3CjxUKw7SeYza7cxyq/X ; g3znVQsMzuF/UeLaigOubtJHhxhL ; +m129IxQkTKo8JRIXcKXD+aVizti ; ml8+8BPCXFNPftFpdFCzBRNGHj/c ; a1g/Flck6v5avafB/hGqbWKY2LEG ; Kb5ktYWGj8JB0mrKGqDZVPyieC0d ; YVv02iOaOvUhdl7QtgVybR3V6gHl ; hoG0BxG+GbjUp+NyPClbuMOIwflb ; VGB5946PyQGQgnGNX2L1MHumOaYC ; /D3UnyzQZNMmqj85GwDNPwEeDfLq ; 6wm1BUfx7MwwcEVuO2B0YmUyiPiS ; fUoGTwm2P1nGNMhlYij3bY9VvyxC ; qPQnK0s5Tr0= ; ) ; ZSK; alg = RSASHA512 ; key id = 36935 ;weberlab.de. 59 IN RRSIG DNSKEY 10 2 60 ( ; 20191118174444 20191019171548 13179 weberlab.de. ; jyokkdFxqKkmRbjWJlAJXV9T+yZ7 ; se5wtJadV1NH8OsWZfLO35thOQVR ; c5ohF7IiS5wSokTou1UGF2o9tZYO ; Kq+VCxpw2o+jWoPPss+e2AVVVjdE ; 5dqTf4cF5WItPoqOyTthO2/QUPB4 ; wJcPXBSH0PkiAhfsJZ5Ijc1dsY8V ; lwioaaIJwQuGILGzhNzqBJbQFMHd ; 63gt/BIVk9OPRomG2Syvp9hiIAid ; PJRrRK05XNzH994L6aBwAwh44H1I ; KUl5BTgQcOpUoTEBt/3ilQeZ+qn/ ; oa9GTGM1mUenlbNytZvm4iSS0ty7 ; X1uEusyfOp5wkDQCOafjSDL6j3DY ; u3y4E1Oe33F8/yqWFfdW/q1yPhXf ; GjP4SxF0NwRbfUgUTFIHHqs5W107 ; VlXOgQgzw61cBE0pTSxbj/CEt5m0 ; VRsPterEPvnL4ZKcdNQ//f1ekMxu ; vIL1n/Yu99lYhM1zIsnRBCj35mLQ ; nDVyzHnQZNhjrrPPPBBBlS9eDs1u ; 0jCXruo5fbbkzjhYFKPBTKsYPm8Q ; 0hj4c5UU5NDCHTMNIwFV3Pxs9/Hx ; eFswh5nsmZ0LAbhVnqNx+wvHwE1A ; +v337G3t1Ze8X8UNwY7qD/aTdqr3 ; YE8k8QlWXXWhCrM9uoifgCPbTsvQ ; cMsf+AR7+Fe6Gnpkk0VtBAAK1c39 ; 7MP7EfveDrM= ) ;weberlab.de. 59 IN RRSIG DNSKEY 10 2 60 ( ; 20191118174444 20191019171548 36935 weberlab.de. ; MJBQuD2M2bShRuzeYqFkt9YxirqJ ; VaVgedU71a19Di8xaVoQ5DWIyVjM ; rta5018E25Cc9TfULoTUUExx/1h/ ; 5akGteAw127d0AGyxG7Biw4+6CHl ; h9Speqwh90xv4JEwRgvpQAKo5HI7 ; 0Q33Rq6y2E640nvjnXDkyjRGKfEN ; /DZDnMT8jfau2nQhH5pYe2UooDRy ; J0P0WB7yoSCTa/HvvLcBdKhqg5FR ; k6TKhOGUZId/T7iKYKWjAiihPZJ6 ; B0kY/4ge7Aj1m2F+nrSiDGEWNLHS ; zI8q2nhCtSSo1LcJbjslhh66hGDr ; cZpPOvpGzitDWoyHVEG/xcvOD8wx ; r9yCDQ== ) ;; fetch: weberlab.de/DS ;; received packet from 2001:470:765b::d034:53#53 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37362 ;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 2a7668e6bc6d6f32bf43dcfa5dbadf34d207d999ffa06faa ;; QUESTION SECTION: ;weberlab.de. IN DS ;; ANSWER SECTION: ;weberlab.de. 84390 IN DS 13179 10 2 ( ; 1D2907B0240797CA97339E036C76 ; 52923C768CB80241E13139BFB4B9 ; C7359D1C ) ;weberlab.de. 84390 IN RRSIG DS 8 2 86400 ( ; 20191107110105 20191031110105 26008 de. ; rcpt+LH1xg05q2MPGLTQFA/SF99g ; vU4yxPFlve3IW8t7A/oXLEhcTCAn ; 6dFSS3THTZS8GA3pJaT/OC820uRZ ; kgFTJwXUDyha+pUV7FvnDNQ+rv+2 ; YHJa28obiRnn0MVOz5fiotj9DtxH ; 5AMCPmZR+85w8O/+Q93lOWd8Fz8+ ; tJc= ) ;; fetch: de/DNSKEY ;; received packet from 2001:470:765b::d034:53#53 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4031 ;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 2a7668e6bc6d6f32bafb68f85dbadf34185cf94965959e46 ;; QUESTION SECTION: ;de. IN DNSKEY ;; ANSWER SECTION: ;de. 5177 IN DNSKEY 257 3 8 ( ; AwEAAaZEsxM26e8MgLuWsLAeRd7B ; zNdJjvhfGbqQ1xxtYd4TPPqYr7Qc ; K9Em18VyYEnjqXOqVWBuOhCWnrij ; P5GiumIliap+LerHjTk3QCgim1qv ; w3k7UFOgwMe8yOl7hghG8Nbgw6Un ; VfmUD71TaGSwj1C5EO2guiXZkFPU ; p2UzmUmoe5EWwtzCni7L0RDl5MaR ; VhjUBEkPrAVI603GDTuwtRKZLTiy ; fc3Qmq/u83/6Knxot5pHp3reRcsp ; 0vk2G+RQubgDKsmaXCql4mPzR911 ; Di68vwbBfSyLZ0EOwVkrO7VJgr/R ; JJ37JlydfQfGmQ3Dkvw1h8ifZhRC ; 8oOkv8ynUXM= ; ) ; KSK; alg = RSASHA256 ; key id = 39227 ;de. 5177 IN DNSKEY 256 3 8 ( ; AwEAAcL2Tu+smk2pM7O8uWv0rOwY ; vqq6KHOtvek7IXi3wylUOV8K0jmi ; kKI5VoFCQ1DK4CgZzL3B0R1BSUbJ ; hz6onfnHQo2yK21JYaejwEojT2Ny ; hWYkzd3MPRePKlkxJ2iiytyoytlw ; wCBzqBRuMqb77YS03k6pyhw4OUTb ; Ll8zh2jP ; ) ; ZSK; alg = RSASHA256 ; key id = 26008 ;de. 5177 IN RRSIG DNSKEY 8 1 7200 ( ; 20191121120000 20191031120000 39227 de. ; aTHqfYkXo4meuL0wqfxFW4ctium/ ; ihWEFDAhrYTCN2Mgj+6sXLvsqn9D ; zkRKFRsFjT4pEeH90yA+MPL3fmbn ; RYok1mOT7LHFGBPHGOKVR8VGgC6Q ; RHiPWX0q1DhXe+EFl2Fa/h4YAY6N ; BrYStjPVUJZR5Slo0lCLYrZ/V1hE ; mQ6QAPjEEWxvbWm5R+NlTFmqPbBx ; Ut7q4Re9cq6u7F+bpK8LkgbXurX6 ; Jm0XmAkJUeNd0eeyoJ3toU4xK1PW ; /R6gdCmsFT3lokWqUyz2gCRJKUu/ ; T1Fy5YN27g6KHULfwba2OwOAxuxC ; TlrWMJXYjLWpL0zbbhDsPeS816N9 ; KKxdlA== ) ;; fetch: de/DS ;; received packet from 2001:470:765b::d034:53#53 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23429 ;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 2a7668e6bc6d6f32d8fa52405dbadf347d3a280df7e6c4de ;; QUESTION SECTION: ;de. IN DS ;; ANSWER SECTION: ;de. 84377 IN DS 45580 8 2 ( ; 918C32E2F12211766BE6226674F4 ; 47458F2259B9A0D87B44D29D55AF ; ECA6B2E1 ) ;de. 84377 IN DS 39227 8 2 ( ; AAB73083B9EF70E4A5E94769A418 ; AC12E887FC3C0875EF206C3451DC ; 40B6C4FA ) ;de. 84377 IN RRSIG DS 8 1 86400 ( ; 20191113050000 20191031040000 22545 . ; EF5lH/f+m6Ii8dC7XbHruYqZI5mX ; xZXfM4dLU+f04hvHZXNoAwgn9BIv ; Zeka5OkSd2TahwNC5WZDhemdc6hV ; aI32wsnwNAfcHw45ehoWuNLK/pem ; iyCKrDG2l1baHFFXM7YdwKqcBqVI ; 54k9AClB2MmnisuR+9Fr6WaZRHjI ; 24QLYajONGOaEX1Q4U3LhQrUtzhM ; Qx7dmaqYVDXvKMKtWV+Xprkxr8kx ; pKpAyKjE/P+WTiFij5LcSvKBQMBm ; uF+ZcG/Gec4qNaVYxTnFuaFde6A3 ; gCfCBB8C4lpWnK2YSUlF1DWYm1Lj ; aBt1KAoSP++MYXSp8XdDo2plCo3n ; bdzzvA== ) ;; fetch: ./DNSKEY ;; received packet from 2001:470:765b::d034:53#53 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41299 ;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 2a7668e6bc6d6f32f4b05fc35dbadf343914babf37d03ad8 ;; QUESTION SECTION: ;. IN DNSKEY ;; ANSWER SECTION: ;. 170776 IN DNSKEY 256 3 8 ( ; AwEAAbPwrxwtOMENWvblQbUFwBll ; R7ZtXsu9rg/LdyklKs9gU2GQTeOc ; 59XjhuAPZ4WrT09z6YPL+vzIIJqn ; G3Hiru7hFUQ4pH0qsLNxrsuZrZYm ; XAKoVa9SXL1Ap0LygwrIugEk1G4v ; 7Rk/Alt1jLUIE+ZymGtSEhIuGQdX ; rEmj3ffzXY13H42X4Ja3vJTn/WIQ ; OXY7vwHXGDypSh9j0Tt0hknF1yVJ ; CrIpfkhFWihMKNdMzMprD4bV+PDL ; RA5YSn3OPIeUnRn9qBUCN11LXQKb ; +W3Jg+m/5xQRQJzJ/qXgDh1+aN+M ; c9AstP29Y/ZLFmF6cKtL2zoUMN5I ; 5QymeSkJJzc= ; ) ; ZSK; alg = RSASHA256 ; key id = 22545 ;. 170776 IN DNSKEY 257 3 8 ( ; AwEAAaz/tAm8yTn4Mfeh5eyI96WS ; VexTBAvkMgJzkKTOiW1vkIbzxeF3 ; +/4RgWOq7HrxRixHlFlExOLAJr5e ; mLvN7SWXgnLh4+B5xQlNVz8Og8kv ; ArMtNROxVQuCaSnIDdD5LKyWbRd2 ; n9WGe2R8PzgCmr3EgVLrjyBxWezF ; 0jLHwVN8efS3rCj/EWgvIWgb9tar ; pVUDK/b58Da+sqqls3eNbuv7pr+e ; oZG+SrDK6nWeL3c6H5Apxz7LjVc1 ; uTIdsIXxuOLYA4/ilBmSVIzuDWfd ; RUfhHdY6+cn8HFRm+2hM8AnXGXws ; 9555KrUB5qihylGa8subX2Nn6UwN ; R1AkUTV74bU= ; ) ; KSK; alg = RSASHA256 ; key id = 20326 ;. 170776 IN RRSIG DNSKEY 8 0 172800 ( ; 20191121000000 20191031000000 20326 . ; TrhgwZ2wM8eoVzdemdBjxrfDIh9Q ; fB6P2xlnKASTcqUAWzmseM3Jpte4 ; P0g2tINZEur+Wkto30pfg1J/YUK9 ; Cofy8xz8tz5yqtDJ+qMyiZsfnxRd ; vkhtPgKnQnnxm07j4VBQVS5ubwCK ; 4ByPa27uc/bOxpG8bETvhNXc1jjt ; 5+j84+G+2m7cx2IoRsSNxTORDV/p ; FPRbE7Dh87H1gqkAQ9gDQ1VpVW9w ; 6qX93Mnh2+/cW9o8g88Nvt+F77Kd ; c7fn2JDiy1XIk/wJC6Eu3uRNpGVL ; HtL1APfrG4/qkfOVABx0rhPUwbTe ; FmMG3YCcapHp3+JibiCjTsQZJtCz ; YyRnIw== ) ; fully validated lx.weberlab.de. 60 IN A 193.24.227.230 lx.weberlab.de. 60 IN RRSIG A 10 3 60 20191118181337 20191019175246 36935 weberlab.de. O6uzfPD91EkCiPPYWrfAx3Jy9gjEUT5MwRqtGEjmqv90g6OaDqooMuZY cXe8Qtf9ZFrw7NRoBgK4BQec6lN3Qvg/ul7i4iXtX60TwnDm1QbvGBeP q2U6k9hhv2nEL646x0tDYbIkz1sCPbHxYTo8ARAZG4sI6aHU8POO2SOq FFfJOuRUTuKDWoinJ5qmxm75g3ZeqGAAWhTNsi/Ws2VBNAsMIR0EAe+s hrnmOpU83p+2zhaAFYltS3OdEmvjV1C5B+ncbl1TECREQ/zgrHTdJvoP Rn2twl1OvdWDGGtE6tufU+WfzKhI7IS0r2PAAlkYBw6mN1G2yuU3CBza 5BLnZA== |
+vtrace
Here we go: Tracing the validation process with many additional notes on how this process occurs. A DNSSEC signed hostname looks like this:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 lx.weberlab.de +vtrace ;; fetch: lx.weberlab.de/A ;; validating lx.weberlab.de/A: starting ;; validating lx.weberlab.de/A: attempting positive response validation ;; fetch: weberlab.de/DNSKEY ;; validating weberlab.de/DNSKEY: starting ;; validating weberlab.de/DNSKEY: attempting positive response validation ;; fetch: weberlab.de/DS ;; validating weberlab.de/DS: starting ;; validating weberlab.de/DS: attempting positive response validation ;; fetch: de/DNSKEY ;; validating de/DNSKEY: starting ;; validating de/DNSKEY: attempting positive response validation ;; fetch: de/DS ;; validating de/DS: starting ;; validating de/DS: attempting positive response validation ;; fetch: ./DNSKEY ;; validating ./DNSKEY: starting ;; validating ./DNSKEY: attempting positive response validation ;; validating ./DNSKEY: verify rdataset (keyid=20326): success ;; validating ./DNSKEY: signed by trusted key; marking as secure ;; validating de/DS: in fetch_callback_validator ;; validating de/DS: keyset with trust secure ;; validating de/DS: resuming validate ;; validating de/DS: verify rdataset (keyid=22545): success ;; validating de/DS: marking as secure, noqname proof not needed ;; validating de/DNSKEY: in dsfetched ;; validating de/DNSKEY: dsset with trust secure ;; validating de/DNSKEY: verify rdataset (keyid=39227): success ;; validating de/DNSKEY: marking as secure (DS) ;; validating weberlab.de/DS: in fetch_callback_validator ;; validating weberlab.de/DS: keyset with trust secure ;; validating weberlab.de/DS: resuming validate ;; validating weberlab.de/DS: verify rdataset (keyid=26008): success ;; validating weberlab.de/DS: marking as secure, noqname proof not needed ;; validating weberlab.de/DNSKEY: in dsfetched ;; validating weberlab.de/DNSKEY: dsset with trust secure ;; validating weberlab.de/DNSKEY: verify rdataset (keyid=13179): success ;; validating weberlab.de/DNSKEY: marking as secure (DS) ;; validating lx.weberlab.de/A: in fetch_callback_validator ;; validating lx.weberlab.de/A: keyset with trust secure ;; validating lx.weberlab.de/A: resuming validate ;; validating lx.weberlab.de/A: verify rdataset (keyid=36935): success ;; validating lx.weberlab.de/A: marking as secure, noqname proof not needed ; fully validated lx.weberlab.de. 60 IN A 193.24.227.230 lx.weberlab.de. 60 IN RRSIG A 10 3 60 20191118181337 20191019175246 36935 weberlab.de. O6uzfPD91EkCiPPYWrfAx3Jy9gjEUT5MwRqtGEjmqv90g6OaDqooMuZY cXe8Qtf9ZFrw7NRoBgK4BQec6lN3Qvg/ul7i4iXtX60TwnDm1QbvGBeP q2U6k9hhv2nEL646x0tDYbIkz1sCPbHxYTo8ARAZG4sI6aHU8POO2SOq FFfJOuRUTuKDWoinJ5qmxm75g3ZeqGAAWhTNsi/Ws2VBNAsMIR0EAe+s hrnmOpU83p+2zhaAFYltS3OdEmvjV1C5B+ncbl1TECREQ/zgrHTdJvoP Rn2twl1OvdWDGGtE6tufU+WfzKhI7IS0r2PAAlkYBw6mN1G2yuU3CBza 5BLnZA== |
An unsigned hostname like this:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 heise.de +vtrace ;; fetch: heise.de/A ;; validating heise.de/A: starting ;; validating heise.de/A: attempting insecurity proof ;; validating heise.de/A: checking existence of DS at 'de' ;; fetch: de/DS ;; validating de/DS: starting ;; validating de/DS: attempting positive response validation ;; fetch: ./DNSKEY ;; validating ./DNSKEY: starting ;; validating ./DNSKEY: attempting positive response validation ;; validating ./DNSKEY: verify rdataset (keyid=20326): success ;; validating ./DNSKEY: signed by trusted key; marking as secure ;; validating de/DS: in fetch_callback_validator ;; validating de/DS: keyset with trust secure ;; validating de/DS: resuming validate ;; validating de/DS: verify rdataset (keyid=22545): success ;; validating de/DS: marking as secure, noqname proof not needed ;; validating heise.de/A: in dsfetched2: success ;; validating heise.de/A: resuming proveunsecure ;; validating heise.de/A: checking existence of DS at 'heise.de' ;; fetch: heise.de/DS ;; validating heise.de/DS: starting ;; validating heise.de/DS: attempting negative response validation ;; validating de/SOA: starting ;; validating de/SOA: attempting positive response validation ;; fetch: de/DNSKEY ;; validating de/DNSKEY: starting ;; validating de/DNSKEY: attempting positive response validation ;; validating de/DNSKEY: verify rdataset (keyid=39227): success ;; validating de/DNSKEY: marking as secure (DS) ;; validating de/SOA: in fetch_callback_validator ;; validating de/SOA: keyset with trust secure ;; validating de/SOA: resuming validate ;; validating de/SOA: verify rdataset (keyid=26008): success ;; validating de/SOA: marking as secure, noqname proof not needed ;; validating heise.de/DS: in authvalidated ;; validating heise.de/DS: resuming nsecvalidate ;; validating h319dm5gc3edek691vqbhehot7vggj2b.de/NSEC3: starting ;; validating h319dm5gc3edek691vqbhehot7vggj2b.de/NSEC3: attempting positive response validation ;; validating h319dm5gc3edek691vqbhehot7vggj2b.de/NSEC3: keyset with trust secure ;; validating h319dm5gc3edek691vqbhehot7vggj2b.de/NSEC3: verify rdataset (keyid=26008): success ;; validating h319dm5gc3edek691vqbhehot7vggj2b.de/NSEC3: marking as secure, noqname proof not needed ;; validating heise.de/DS: in authvalidated ;; validating heise.de/DS: resuming nsecvalidate ;; validating umuntapqo13nesn6k3fa655agu3icvln.de/NSEC3: starting ;; validating umuntapqo13nesn6k3fa655agu3icvln.de/NSEC3: attempting positive response validation ;; validating umuntapqo13nesn6k3fa655agu3icvln.de/NSEC3: keyset with trust secure ;; validating umuntapqo13nesn6k3fa655agu3icvln.de/NSEC3: verify rdataset (keyid=26008): success ;; validating umuntapqo13nesn6k3fa655agu3icvln.de/NSEC3: marking as secure, noqname proof not needed ;; validating heise.de/DS: in authvalidated ;; validating heise.de/DS: resuming nsecvalidate ;; validating heise.de/DS: looking for relevant NSEC3 ;; validating heise.de/DS: looking for relevant NSEC3 ;; validating heise.de/DS: looking for relevant NSEC3 ;; validating heise.de/DS: NSEC3 indicates potential closest encloser: 'de' ;; validating heise.de/DS: NSEC3 at super-domain de ;; validating heise.de/DS: looking for relevant NSEC3 ;; validating heise.de/DS: NSEC3 proves name does not exist: 'heise.de' ;; validating heise.de/DS: NSEC3 indicates optout ;; validating heise.de/DS: in checkwildcard: *.de ;; validating heise.de/DS: looking for relevant NSEC3 ;; validating heise.de/DS: NSEC3 at super-domain de ;; validating heise.de/DS: looking for relevant NSEC3 ;; validating heise.de/DS: in checkwildcard: *.de ;; validating heise.de/DS: nonexistence proof(s) found ;; validating heise.de/A: in dsfetched2: ncache nxrrset ;; validating heise.de/A: marking as answer (dsfetched2) ; unsigned answer heise.de. 3200171710 IN A 193.99.144.80 |
And finally, a failure in DNSSEC:
1 2 3 |
weberjoh@vm22-lx2:~$ delv @2001:470:765b::d034:53 fail01.dnssec.works +vtrace ;; fetch: fail01.dnssec.works/A ;; resolution failed: timed out |
Uh. What has happened? My recursive DNS server *does* DNSSEC validation as well, hence delve is unable to query it for falsified records. Unluckily, you can’t set the cd bit (checking disabled) for delv requests. (Why?!? This would be that useful for troubleshooting!)
Depending on the failure, delv gives you appropriate notes, such as “insecurity proof failed” [corresponding DNSViz breakdown]:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 |
weberjoh@vm22-lx2:~$ delv @2620:fe::10 fail01.dnssec.works +vtrace ;; fetch: fail01.dnssec.works/A ;; validating fail01.dnssec.works/A: starting ;; validating fail01.dnssec.works/A: attempting insecurity proof ;; validating fail01.dnssec.works/A: checking existence of DS at 'works' ;; fetch: works/DS ;; validating works/DS: starting ;; validating works/DS: attempting positive response validation ;; fetch: ./DNSKEY ;; validating ./DNSKEY: starting ;; validating ./DNSKEY: attempting positive response validation ;; validating ./DNSKEY: verify rdataset (keyid=20326): success ;; validating ./DNSKEY: signed by trusted key; marking as secure ;; validating works/DS: in fetch_callback_validator ;; validating works/DS: keyset with trust secure ;; validating works/DS: resuming validate ;; validating works/DS: verify rdataset (keyid=22545): success ;; validating works/DS: marking as secure, noqname proof not needed ;; validating fail01.dnssec.works/A: in dsfetched2: success ;; validating fail01.dnssec.works/A: resuming proveunsecure ;; validating fail01.dnssec.works/A: checking existence of DS at 'dnssec.works' ;; fetch: dnssec.works/DS ;; validating dnssec.works/DS: starting ;; validating dnssec.works/DS: attempting positive response validation ;; fetch: works/DNSKEY ;; validating works/DNSKEY: starting ;; validating works/DNSKEY: attempting positive response validation ;; validating works/DNSKEY: verify rdataset (keyid=37354): success ;; validating works/DNSKEY: marking as secure (DS) ;; validating dnssec.works/DS: in fetch_callback_validator ;; validating dnssec.works/DS: keyset with trust secure ;; validating dnssec.works/DS: resuming validate ;; validating dnssec.works/DS: verify rdataset (keyid=21105): success ;; validating dnssec.works/DS: marking as secure, noqname proof not needed ;; validating fail01.dnssec.works/A: in dsfetched2: success ;; validating fail01.dnssec.works/A: resuming proveunsecure ;; validating fail01.dnssec.works/A: checking existence of DS at 'fail01.dnssec.works' ;; fetch: fail01.dnssec.works/DS ;; validating fail01.dnssec.works/DS: starting ;; validating fail01.dnssec.works/DS: attempting positive response validation ;; fetch: dnssec.works/DNSKEY ;; validating dnssec.works/DNSKEY: starting ;; validating dnssec.works/DNSKEY: attempting positive response validation ;; validating dnssec.works/DNSKEY: verify rdataset (keyid=41779): success ;; validating dnssec.works/DNSKEY: marking as secure (DS) ;; validating fail01.dnssec.works/DS: in fetch_callback_validator ;; validating fail01.dnssec.works/DS: keyset with trust secure ;; validating fail01.dnssec.works/DS: resuming validate ;; validating fail01.dnssec.works/DS: verify rdataset (keyid=63306): success ;; validating fail01.dnssec.works/DS: marking as secure, noqname proof not needed ;; validating fail01.dnssec.works/A: in dsfetched2: success ;; validating fail01.dnssec.works/A: resuming proveunsecure ;; validating fail01.dnssec.works/A: insecurity proof failed ;; insecurity proof failed resolving 'fail01.dnssec.works/A/IN': 2620:fe::10#53 ;; resolution failed: insecurity proof failed |
or “RRSIG has expired” [corresponding DNSViz breakdown]:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
weberjoh@vm22-lx2:~$ delv @2620:fe::10 fail02.dnssec.works +vtrace ;; fetch: fail02.dnssec.works/A ;; validating fail02.dnssec.works/A: starting ;; validating fail02.dnssec.works/A: attempting positive response validation ;; fetch: fail02.dnssec.works/DNSKEY ;; validating fail02.dnssec.works/DNSKEY: starting ;; validating fail02.dnssec.works/DNSKEY: attempting positive response validation ;; fetch: fail02.dnssec.works/DS ;; validating fail02.dnssec.works/DS: starting ;; validating fail02.dnssec.works/DS: attempting positive response validation ;; fetch: dnssec.works/DNSKEY ;; validating dnssec.works/DNSKEY: starting ;; validating dnssec.works/DNSKEY: attempting positive response validation ;; fetch: dnssec.works/DS ;; validating dnssec.works/DS: starting ;; validating dnssec.works/DS: attempting positive response validation ;; fetch: works/DNSKEY ;; validating works/DNSKEY: starting ;; validating works/DNSKEY: attempting positive response validation ;; fetch: works/DS ;; validating works/DS: starting ;; validating works/DS: attempting positive response validation ;; fetch: ./DNSKEY ;; validating ./DNSKEY: starting ;; validating ./DNSKEY: attempting positive response validation ;; validating ./DNSKEY: verify rdataset (keyid=20326): success ;; validating ./DNSKEY: signed by trusted key; marking as secure ;; validating works/DS: in fetch_callback_validator ;; validating works/DS: keyset with trust secure ;; validating works/DS: resuming validate ;; validating works/DS: verify rdataset (keyid=22545): success ;; validating works/DS: marking as secure, noqname proof not needed ;; validating works/DNSKEY: in dsfetched ;; validating works/DNSKEY: dsset with trust secure ;; validating works/DNSKEY: verify rdataset (keyid=37354): success ;; validating works/DNSKEY: marking as secure (DS) ;; validating dnssec.works/DS: in fetch_callback_validator ;; validating dnssec.works/DS: keyset with trust secure ;; validating dnssec.works/DS: resuming validate ;; validating dnssec.works/DS: verify rdataset (keyid=21105): success ;; validating dnssec.works/DS: marking as secure, noqname proof not needed ;; validating dnssec.works/DNSKEY: in dsfetched ;; validating dnssec.works/DNSKEY: dsset with trust secure ;; validating dnssec.works/DNSKEY: verify rdataset (keyid=41779): success ;; validating dnssec.works/DNSKEY: marking as secure (DS) ;; validating fail02.dnssec.works/DS: in fetch_callback_validator ;; validating fail02.dnssec.works/DS: keyset with trust secure ;; validating fail02.dnssec.works/DS: resuming validate ;; validating fail02.dnssec.works/DS: verify rdataset (keyid=63306): success ;; validating fail02.dnssec.works/DS: marking as secure, noqname proof not needed ;; validating fail02.dnssec.works/DNSKEY: in dsfetched ;; validating fail02.dnssec.works/DNSKEY: dsset with trust secure ;; validating fail02.dnssec.works/DNSKEY: verify failed due to bad signature (keyid=2536): RRSIG has expired ;; validating fail02.dnssec.works/DNSKEY: no RRSIG matching DS key ;; validating fail02.dnssec.works/DNSKEY: no valid signature found (DS) ;; no valid RRSIG resolving 'fail02.dnssec.works/DNSKEY/IN': 2620:fe::10#53 ;; validating fail02.dnssec.works/A: in fetch_callback_validator ;; validating fail02.dnssec.works/A: fetch_callback_validator: got SERVFAIL ;; broken trust chain resolving 'fail02.dnssec.works/A/IN': 2620:fe::10#53 ;; resolution failed: broken trust chain |
or “RRSIG failed to verify” [corresponding DNSViz breakdown]:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 |
weberjoh@vm22-lx2:~$ delv @2620:fe::10 fail03.dnssec.works +vtrace ;; fetch: fail03.dnssec.works/A ;; validating fail03.dnssec.works/A: starting ;; validating fail03.dnssec.works/A: attempting positive response validation ;; fetch: fail03.dnssec.works/DNSKEY ;; validating fail03.dnssec.works/DNSKEY: starting ;; validating fail03.dnssec.works/DNSKEY: attempting positive response validation ;; fetch: fail03.dnssec.works/DS ;; validating fail03.dnssec.works/DS: starting ;; validating fail03.dnssec.works/DS: attempting positive response validation ;; fetch: dnssec.works/DNSKEY ;; validating dnssec.works/DNSKEY: starting ;; validating dnssec.works/DNSKEY: attempting positive response validation ;; fetch: dnssec.works/DS ;; validating dnssec.works/DS: starting ;; validating dnssec.works/DS: attempting positive response validation ;; fetch: works/DNSKEY ;; validating works/DNSKEY: starting ;; validating works/DNSKEY: attempting positive response validation ;; fetch: works/DS ;; validating works/DS: starting ;; validating works/DS: attempting positive response validation ;; fetch: ./DNSKEY ;; validating ./DNSKEY: starting ;; validating ./DNSKEY: attempting positive response validation ;; validating ./DNSKEY: verify rdataset (keyid=20326): success ;; validating ./DNSKEY: signed by trusted key; marking as secure ;; validating works/DS: in fetch_callback_validator ;; validating works/DS: keyset with trust secure ;; validating works/DS: resuming validate ;; validating works/DS: verify rdataset (keyid=22545): success ;; validating works/DS: marking as secure, noqname proof not needed ;; validating works/DNSKEY: in dsfetched ;; validating works/DNSKEY: dsset with trust secure ;; validating works/DNSKEY: verify rdataset (keyid=37354): success ;; validating works/DNSKEY: marking as secure (DS) ;; validating dnssec.works/DS: in fetch_callback_validator ;; validating dnssec.works/DS: keyset with trust secure ;; validating dnssec.works/DS: resuming validate ;; validating dnssec.works/DS: verify rdataset (keyid=21105): success ;; validating dnssec.works/DS: marking as secure, noqname proof not needed ;; validating dnssec.works/DNSKEY: in dsfetched ;; validating dnssec.works/DNSKEY: dsset with trust secure ;; validating dnssec.works/DNSKEY: verify rdataset (keyid=41779): success ;; validating dnssec.works/DNSKEY: marking as secure (DS) ;; validating fail03.dnssec.works/DS: in fetch_callback_validator ;; validating fail03.dnssec.works/DS: keyset with trust secure ;; validating fail03.dnssec.works/DS: resuming validate ;; validating fail03.dnssec.works/DS: verify rdataset (keyid=63306): success ;; validating fail03.dnssec.works/DS: marking as secure, noqname proof not needed ;; validating fail03.dnssec.works/DNSKEY: in dsfetched ;; validating fail03.dnssec.works/DNSKEY: dsset with trust secure ;; validating fail03.dnssec.works/DNSKEY: verify rdataset (keyid=4699): success ;; validating fail03.dnssec.works/DNSKEY: marking as secure (DS) ;; validating fail03.dnssec.works/A: in fetch_callback_validator ;; validating fail03.dnssec.works/A: keyset with trust secure ;; validating fail03.dnssec.works/A: resuming validate ;; validating fail03.dnssec.works/A: verify rdataset (keyid=8628): RRSIG failed to verify ;; validating fail03.dnssec.works/A: failed to verify rdataset ;; validating fail03.dnssec.works/A: verify failure: success ;; validating fail03.dnssec.works/A: no valid signature found ;; RRSIG failed to verify resolving 'fail03.dnssec.works/A/IN': 2620:fe::10#53 ;; resolution failed: RRSIG failed to verify |
Thanks to Carsten Strotmann for his great DNSSEC test hostnames at dnssec.works!
Happy DNSSECing. ;) And merry Christmas. Christ is born <- that’s what Christmas is all about!
End of 2022… delv does now contain the +cd flag