Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises

Mark Andrews <marka@isc.org> Tue, 08 April 2014 23:50 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D5181A0710 for <dane@ietfa.amsl.com>; Tue, 8 Apr 2014 16:50:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.273
X-Spam-Level:
X-Spam-Status: No, score=-3.273 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_25=0.6, J_CHICKENPOX_34=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hVu1OVVn4Ajr for <dane@ietfa.amsl.com>; Tue, 8 Apr 2014 16:50:42 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) by ietfa.amsl.com (Postfix) with ESMTP id CC20A1A02F6 for <dane@ietf.org>; Tue, 8 Apr 2014 16:50:41 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id 4A2B42383DD for <dane@ietf.org>; Tue, 8 Apr 2014 23:50:29 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 0DC4C160068 for <dane@ietf.org>; Tue, 8 Apr 2014 23:52:05 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 034D5160066 for <dane@ietf.org>; Tue, 8 Apr 2014 23:52:04 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 757001343582 for <dane@ietf.org>; Wed, 9 Apr 2014 09:50:25 +1000 (EST)
To: dane@ietf.org
From: Mark Andrews <marka@isc.org>
References: <533EB433.5060204@redhat.com> <0lha63rb6i.fsf@wjh.hardakers.net> <20140408174936.GL12559@mournblade.imrryr.org>
In-reply-to: Your message of "Tue, 08 Apr 2014 17:49:37 +0000." <20140408174936.GL12559@mournblade.imrryr.org>
Date: Wed, 09 Apr 2014 09:50:25 +1000
Message-Id: <20140408235025.757001343582@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/qqF0dC_c89VyMOocyJGWcKdOgC4
Subject: Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 23:50:47 -0000

In message <20140408174936.GL12559@mournblade.imrryr.org>;, Viktor Dukhovni write
s:
> On Tue, Apr 08, 2014 at 10:19:33AM -0700, Wes Hardaker wrote:
> 
> > Petr Spacek <pspacek@redhat.com>; writes:
> > 
> > > It seems that almost everyone agree that local validating resolver is the
> > > best option.
> > 
> > I failed to pipe up before, unfortunately.
> > 
> > But, no I don't agree that's the best solution.  The reality is that in
> > some cases we're making *security decisions* based on the results of a
> > flag that we're not 100% sure of the source.  Without doing something
> > like replacing the system library's notion of even looking at
> > resolv.conf and only looking for 127.0.0.1, then you can't be 100% sure
> > that the bit you get back is actually trustable.  If the default install
> > of the OS does the right thing, who's to say it'll stay that way.
> 
> This is where Wes and I part ways somewhat, but fortunately, this
> issue is not an impediment to the SMTP DANE draft.
> 
> > As an application author who might want absolute assurance that DNSSEC
> > was done (because I'm bootstrapping TLS or SSH or ... off of it), then
> > my ideal situation is to have a local resolver for caching purposes, but
> > to actually do validation in-application.
> 
> For me doing it in application, means costly integration of complex
> code into the application that will add considerable latency because
> the application will have a cold DNSSEC cache (and will now need
> a cache where one was not needed before...  The Plan-9 approach of
> moving security features into system services is I think far
> preferable.

What latency?  This is the output of delve (see BIND 9.10) which
is a is standalone stub validator talking to a local validating resolver
doing a full validation from the root.  This uses exactly the same
code that named uses to validate its answers.  The only difference
is a slightly different cache implementation is used.

	28.321 - 28.298 = 00.023 

from start to finish.

The only change I made was to make the logging print out timestamps.

09-Apr-2014 09:41:28.298 ;; res 0x11076f000: create
09-Apr-2014 09:41:28.300 ;; adb: task-exclusive mode unavailable, intializing table sizes to 49193

09-Apr-2014 09:41:28.306 ;; dns_requestmgr_create
09-Apr-2014 09:41:28.306 ;; dns_requestmgr_create: 0x110774000
09-Apr-2014 09:41:28.306 ;; dns_requestmgr_whenshutdown
09-Apr-2014 09:41:28.307 ;; adding DLV trust anchor dlv.isc.org
09-Apr-2014 09:41:28.307 ;; adding trust anchor .
09-Apr-2014 09:41:28.307 ;; fetch: dv.isc.org/SOA
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): create
09-Apr-2014 09:41:28.307 ;; log_ns_ttl: fctx 0x111529000: fctx_create: dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): join
09-Apr-2014 09:41:28.307 ;; fetch 0x11075a0a8 (fctx 0x111529000(dv.isc.org/SOA)): created
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): start
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): try
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): cancelqueries
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): getaddresses
09-Apr-2014 09:41:28.307 ;; fctx 0x111529000(dv.isc.org/SOA): query
09-Apr-2014 09:41:28.307 ;; resquery 0x11152f000 (fctx 0x111529000(dv.isc.org/SOA)): send
09-Apr-2014 09:41:28.307 ;; resquery 0x11152f000 (fctx 0x111529000(dv.isc.org/SOA)): sent
09-Apr-2014 09:41:28.307 ;; resquery 0x11152f000 (fctx 0x111529000(dv.isc.org/SOA)): senddone
09-Apr-2014 09:41:28.308 ;; resquery 0x11152f000 (fctx 0x111529000(dv.isc.org/SOA)): response
09-Apr-2014 09:41:28.308 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   4409
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375c57ed3b5b53448928f199cb69a8065b4d
;; QUESTION SECTION:
;dv.isc.org.			IN	SOA

;; ANSWER SECTION:
;Dv.isc.org.		3532	IN	SOA	bsdi.dv.isc.org. marka.isc.org. (
;						2007111528 ; serial
;						86400      ; refresh (1 day)
;						21600      ; retry (6 hours)
;						2419200    ; expire (4 weeks)
;						86400      ; minimum (1 day)
;						)
;Dv.isc.org.		3532	IN	RRSIG	SOA 5 3 3600 (
;						20140606234902 20140407224902 14436 dv.isc.org.
;						i8fBym000/fiC3XrQ1B0spgppClO
;						yQfdQiPq3p2228bSYR86NzxOqpUL
;						2YBya9120KctdiLBOpeUEIf285Tz
;						xA== )

;; AUTHORITY SECTION:
;Dv.isc.org.		5842	IN	NS	bsdi1.dv.isc.org.
;Dv.isc.org.		5842	IN	NS	drugs.dv.isc.org.
;Dv.isc.org.		5842	IN	RRSIG	NS 5 3 86400 (
;						20140520164117 20140321164013 14436 dv.isc.org.
;						uRGZe6K+C3wzVaOscR/+Cf1xwimw
;						TuPim/lW/q/lzPzLx1B39IQXEc1Y
;						Jl6zkARqafYXstPBDrLvHmV1x0FE
;						jQ== )


09-Apr-2014 09:41:28.308 ;; fctx 0x111529000(dv.isc.org/SOA): answer_response
09-Apr-2014 09:41:28.308 ;; log_ns_ttl: fctx 0x111529000: answer_response: dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.308 ;; fctx 0x111529000(dv.isc.org/SOA): cache_message
09-Apr-2014 09:41:28.308 ;; decrement_reference: delete from rbt: 0x11077e078 Dv.isc.org
09-Apr-2014 09:41:28.308 ;; fctx 0x111529000(dv.isc.org/SOA): cancelquery
09-Apr-2014 09:41:28.308 ;; fctx 0x111529000(dv.isc.org/SOA): wait for validator
09-Apr-2014 09:41:28.308 ;; fctx 0x111529000(dv.isc.org/SOA): cancelqueries
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/SOA: starting
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/SOA: attempting positive response validation
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/SOA: get_key: creating fetch for dv.isc.org DNSKEY
09-Apr-2014 09:41:28.308 ;; fetch: dv.isc.org/DNSKEY
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): create
09-Apr-2014 09:41:28.308 ;; log_ns_ttl: fctx 0x111529430: fctx_create: dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): join
09-Apr-2014 09:41:28.308 ;; fetch 0x11075a120 (fctx 0x111529430(dv.isc.org/DNSKEY)): created
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): start
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): try
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): getaddresses
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): query
09-Apr-2014 09:41:28.308 ;; resquery 0x11152f000 (fctx 0x111529430(dv.isc.org/DNSKEY)): send
09-Apr-2014 09:41:28.308 ;; resquery 0x11152f000 (fctx 0x111529430(dv.isc.org/DNSKEY)): sent
09-Apr-2014 09:41:28.308 ;; resquery 0x11152f000 (fctx 0x111529430(dv.isc.org/DNSKEY)): senddone
09-Apr-2014 09:41:28.308 ;; resquery 0x11152f000 (fctx 0x111529430(dv.isc.org/DNSKEY)): response
09-Apr-2014 09:41:28.308 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  17780
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375c71d56ac853448928ef24558c8085c830
;; QUESTION SECTION:
;dv.isc.org.			IN	DNSKEY

;; ANSWER SECTION:
;Dv.isc.org.		5842	IN	DNSKEY	257 3 5 (
;						AwEAAbatyuBZQjJB6WnkeFMGIDNU
;						UMHDSFOsvcjVarCYaN5c5lg56SAL
;						PpvkbauGnt2S6coHqKG6o36hwoNm
;						J4Qjc94FU9Bzsg60pyviSrnFJT3l
;						13W+jTEoXU3pRk9f4182ffL/aKdI
;						wW0dDuMphPyjqaomSeBfjnojhD+Q
;						Li144lOl
;						) ; KSK; alg = RSASHA1; key id = 10288
;Dv.isc.org.		5842	IN	DNSKEY	256 3 5 (
;						AwEAAePX2qjqzu9uE79fDAwb99GH
;						1xnF6b+dsRqHOnmKldHWTb3KX2Yp
;						WzuDKQZpISkakn0mf32FHp5iuu8H
;						5VOkcf0=
;						) ; ZSK; alg = RSASHA1; key id = 14436
;Dv.isc.org.		5842	IN	RRSIG	DNSKEY 5 3 86400 (
;						20140520204428 20140321202107 10288 dv.isc.org.
;						imsRQCYCmv6yf6viAO+lfp1bEKfK
;						VKD1BmZEfrmE1cTaW9k8mEjgNmhM
;						nt7XdZ1XQslygbl1VRl1hBntp/kA
;						Rqwq3s+Hd84hIZjt2ThXji3uBWoE
;						jmzuhqq3mJufle8CXUR68Jrp04Pd
;						jSIeXVsYm8JIlVlnTWzXj505IGG7
;						Uh0= )
;Dv.isc.org.		5842	IN	RRSIG	DNSKEY 5 3 86400 (
;						20140520204428 20140321202107 14436 dv.isc.org.
;						axyw6FZGW+HlGLTQP8yhG+DHdefK
;						42nZCWX4Gv3sQtovUOkS0NaucJF1
;						65nZR4s5qWj+/yGVgjKw/zco7RLu
;						pg== )


09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): answer_response
09-Apr-2014 09:41:28.308 ;; log_ns_ttl: fctx 0x111529430: answer_response: dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cache_message
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelquery
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): wait for validator
09-Apr-2014 09:41:28.308 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/DNSKEY: starting
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/DNSKEY: attempting positive response validation
09-Apr-2014 09:41:28.308 ;; validating Dv.isc.org/DNSKEY: validatezonekey: creating fetch for Dv.isc.org DS
09-Apr-2014 09:41:28.308 ;; fetch: Dv.isc.org/DS
09-Apr-2014 09:41:28.308 ;; fctx 0x111529860(Dv.isc.org/DS): create
09-Apr-2014 09:41:28.308 ;; log_ns_ttl: fctx 0x111529860: fctx_create: Dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.308 ;; fctx 0x111529860(Dv.isc.org/DS): join
09-Apr-2014 09:41:28.308 ;; fetch 0x11075a138 (fctx 0x111529860(Dv.isc.org/DS)): created
09-Apr-2014 09:41:28.308 ;; fctx 0x111529860(Dv.isc.org/DS): start
09-Apr-2014 09:41:28.308 ;; fctx 0x111529860(Dv.isc.org/DS): try
09-Apr-2014 09:41:28.308 ;; fctx 0x111529860(Dv.isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): getaddresses
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): query
09-Apr-2014 09:41:28.309 ;; resquery 0x11152f000 (fctx 0x111529860(Dv.isc.org/DS)): send
09-Apr-2014 09:41:28.309 ;; resquery 0x11152f000 (fctx 0x111529860(Dv.isc.org/DS)): sent
09-Apr-2014 09:41:28.309 ;; resquery 0x11152f000 (fctx 0x111529860(Dv.isc.org/DS)): senddone
09-Apr-2014 09:41:28.309 ;; resquery 0x11152f000 (fctx 0x111529860(Dv.isc.org/DS)): response
09-Apr-2014 09:41:28.309 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  16583
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375c42f44fcf53448928f6f346b94566391e
;; QUESTION SECTION:
;Dv.isc.org.			IN	DS

;; ANSWER SECTION:
;Dv.isc.org.		6130	IN	DS	10288 5 2 (
;						6D9CD532BC5E7EE6404EB019048F
;						C9727A970854EF0375364F8F6ED5
;						4A8DA73B )
;Dv.isc.org.		6130	IN	DS	10288 5 1 (
;						22F103696F795206A7373850444C
;						6F4DA61D0076 )
;Dv.isc.org.		6130	IN	RRSIG	DS 5 3 7200 (
;						20140507233241 20140407233241 4521 isc.org.
;						pmz1rcVQRr3lbnBDp36ew3oz44gT
;						GJgI4RvyyAapOyGP8Fa1flG5BKYQ
;						Fo5G68OhMLVupXhys2mo9BQoEx/z
;						ydbVkHuciBK3qKEvHUiq69e/iGuv
;						dRjWopgv0uY8o0rSPabVpoa07I1P
;						Hj8+682Ku9TGLmyNelpNuhz7bgq7
;						GBE= )


09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): answer_response
09-Apr-2014 09:41:28.309 ;; log_ns_ttl: fctx 0x111529860: answer_response: Dv.isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): cache_message
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): cancelquery
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): wait for validator
09-Apr-2014 09:41:28.309 ;; fctx 0x111529860(Dv.isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.309 ;; validating Dv.isc.org/DS: starting
09-Apr-2014 09:41:28.309 ;; validating Dv.isc.org/DS: attempting positive response validation
09-Apr-2014 09:41:28.309 ;; validating Dv.isc.org/DS: get_key: creating fetch for isc.org DNSKEY
09-Apr-2014 09:41:28.309 ;; fetch: isc.org/DNSKEY
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): create
09-Apr-2014 09:41:28.309 ;; log_ns_ttl: fctx 0x111569000: fctx_create: isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): join
09-Apr-2014 09:41:28.309 ;; fetch 0x11075a150 (fctx 0x111569000(isc.org/DNSKEY)): created
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): start
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): try
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): getaddresses
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): query
09-Apr-2014 09:41:28.309 ;; resquery 0x11156f000 (fctx 0x111569000(isc.org/DNSKEY)): send
09-Apr-2014 09:41:28.309 ;; resquery 0x11156f000 (fctx 0x111569000(isc.org/DNSKEY)): sent
09-Apr-2014 09:41:28.309 ;; resquery 0x11156f000 (fctx 0x111569000(isc.org/DNSKEY)): senddone
09-Apr-2014 09:41:28.309 ;; resquery 0x11156f000 (fctx 0x111569000(isc.org/DNSKEY)): response
09-Apr-2014 09:41:28.309 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  15856
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375ca839dce553448928545eebc5e1402641
;; QUESTION SECTION:
;isc.org.			IN	DNSKEY

;; ANSWER SECTION:
;isc.org.		5395	IN	DNSKEY	256 3 5 (
;						AwEAAbJpDF4RemdHHE/HrJJhR3zp
;						zAQ6zsHqFv0i4lCWTUf4sX+cq3vS
;						u7fKO4QJtm97S1sbcnmHonVE3QPz
;						LOsqsY630Wy5JzrPK3gUvQLgfIso
;						vo2v+dosITL8WbvjU1mEXhIwfuuB
;						hYmYSKySZ0X9gpHGhdxRd+J8M7ri
;						PfN7kHLP
;						) ; ZSK; alg = RSASHA1; key id = 4521
;isc.org.		5395	IN	DNSKEY	257 3 5 (
;						BEAAAAOhHQDBrhQbtphgq2wQUpEQ
;						5t4DtUHxoMVFu2hWLDMvoOMRXjGr
;						hhCeFvAZih7yJHf8ZGfW6hd38hXG
;						/xylYCO6Krpbdojwx8YMXLA5/kA+
;						u50WIL8ZR1R6KTbsYVMf/Qx5RiNb
;						PClw+vT+U8eXEJmO20jIS1ULgqy3
;						47cBB1zMnnz/4LJpA0da9CbKj3A2
;						54T515sNIMcwsB8/2+2E63/zZrQz
;						Bkj0BrN/9Bexjpiks3jRhZatEsXn
;						3dTy47R09Uix5WcJt+xzqZ7+ysyL
;						KOOedS39Z7SDmsn2eA0FKtQpwA6L
;						XeG2w+jxmw3oA8lVUgEf/rzeC/bB
;						yBNsO70aEFTd
;						) ; KSK; alg = RSASHA1; key id = 12892
;isc.org.		5395	IN	RRSIG	DNSKEY 5 2 7200 (
;						20140507230126 20140407230126 4521 isc.org.
;						dcmQwSpa00DJ8pd2PBKJxRyZ+ax4
;						r/VBliEh2x5v/CUurfQfGIbnn+ZW
;						Pz4EnRkDkiComnwEQo4jfMRjv3S3
;						ltz9L0Xi5XVlr+bhyc7OeDdGhdG6
;						SsEgyLvQ92Jg1wFeVLIkIieTnqps
;						O3EvjR6eY83Rc266ubk8MvnFcpJg
;						0m0= )
;isc.org.		5395	IN	RRSIG	DNSKEY 5 2 7200 (
;						20140507230126 20140407230126 12892 isc.org.
;						j4k8SwlG6sibrmqhe810xEWxqf4p
;						AuBRkDTOcZM4j5CFdffOjwt01Uhp
;						tiQ7mMfOPQcygD3WzQz5oC8J+BYe
;						mCH4cSwj/pprX/7VLuxeIp/NnD7A
;						vBfc884aoLDFMWFzLq7f98eHhfnK
;						ui1LY568G67n9rKF1TFk3TIcEoQS
;						oRt5U02ATgkF59fpVQZYg5B1dBIp
;						CAm2puOWuAHy4nXINYBjItqfNEtg
;						1cbJBa7IRQWaaZY9+CVHKShs3GYg
;						6/1WMwgWwadl4/6ySy0/m71H3aCx
;						fBETFZ5pY4VpjvMOghbioGrpse9E
;						+C3wRAU9NGkJMSESwIez/YpE72NO
;						u470Og== )


09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): answer_response
09-Apr-2014 09:41:28.309 ;; log_ns_ttl: fctx 0x111569000: answer_response: isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): cache_message
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): cancelquery
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): wait for validator
09-Apr-2014 09:41:28.309 ;; fctx 0x111569000(isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.309 ;; validating isc.org/DNSKEY: starting
09-Apr-2014 09:41:28.309 ;; validating isc.org/DNSKEY: attempting positive response validation
09-Apr-2014 09:41:28.310 ;; validating isc.org/DNSKEY: validatezonekey: creating fetch for isc.org DS
09-Apr-2014 09:41:28.310 ;; fetch: isc.org/DS
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): create
09-Apr-2014 09:41:28.310 ;; log_ns_ttl: fctx 0x111569430: fctx_create: isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): join
09-Apr-2014 09:41:28.310 ;; fetch 0x11075a168 (fctx 0x111569430(isc.org/DS)): created
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): start
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): try
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): getaddresses
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): query
09-Apr-2014 09:41:28.310 ;; resquery 0x11156f000 (fctx 0x111569430(isc.org/DS)): send
09-Apr-2014 09:41:28.310 ;; resquery 0x11156f000 (fctx 0x111569430(isc.org/DS)): sent
09-Apr-2014 09:41:28.310 ;; resquery 0x11156f000 (fctx 0x111569430(isc.org/DS)): senddone
09-Apr-2014 09:41:28.310 ;; resquery 0x11156f000 (fctx 0x111569430(isc.org/DS)): response
09-Apr-2014 09:41:28.310 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  31640
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375cda8ad76953448928e7787e67a66486d6
;; QUESTION SECTION:
;isc.org.			IN	DS

;; ANSWER SECTION:
;isc.org.		5504	IN	DS	12892 5 2 (
;						F1E184C0E1D615D20EB3C223ACED
;						3B03C773DD952D5F0EB5C777586D
;						E18DA6B5 )
;isc.org.		5504	IN	DS	12892 5 1 (
;						982113D08B4C6A1D9F6AEE1E2237
;						AEF69F3F9759 )
;isc.org.		5504	IN	RRSIG	DS 7 2 86400 (
;						20140422155313 20140401145313 28794 org.
;						FoLFvxVMRXkdLg5wumU9Lf9uIFT9
;						lknz1zQPRAjNZlc/3Nq2hZMIELGT
;						K26uQwFbAj/04XNJCnm34FVdYSWF
;						P/y8V+4MimPpKLC3rt7sNKJlIhbH
;						LLuIVr1l70WaaJ2NyKk6AgnRYY3D
;						LSahHXXk/3sG+WWqI8UHBWTdi0up
;						oqk= )


09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): answer_response
09-Apr-2014 09:41:28.310 ;; log_ns_ttl: fctx 0x111569430: answer_response: isc.org (in '.'?): 0 0
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): cache_message
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): cancelquery
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): wait for validator
09-Apr-2014 09:41:28.310 ;; fctx 0x111569430(isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.310 ;; validating isc.org/DS: starting
09-Apr-2014 09:41:28.310 ;; validating isc.org/DS: attempting positive response validation
09-Apr-2014 09:41:28.310 ;; validating isc.org/DS: get_key: creating fetch for org DNSKEY
09-Apr-2014 09:41:28.310 ;; fetch: org/DNSKEY
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): create
09-Apr-2014 09:41:28.310 ;; log_ns_ttl: fctx 0x1115a9000: fctx_create: org (in '.'?): 0 0
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): join
09-Apr-2014 09:41:28.310 ;; fetch 0x11075a180 (fctx 0x1115a9000(org/DNSKEY)): created
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): start
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): try
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): getaddresses
09-Apr-2014 09:41:28.310 ;; fctx 0x1115a9000(org/DNSKEY): query
09-Apr-2014 09:41:28.310 ;; resquery 0x1115af000 (fctx 0x1115a9000(org/DNSKEY)): send
09-Apr-2014 09:41:28.310 ;; resquery 0x1115af000 (fctx 0x1115a9000(org/DNSKEY)): sent
09-Apr-2014 09:41:28.310 ;; resquery 0x1115af000 (fctx 0x1115a9000(org/DNSKEY)): senddone
09-Apr-2014 09:41:28.310 ;; resquery 0x1115af000 (fctx 0x1115a9000(org/DNSKEY)): response
09-Apr-2014 09:41:28.310 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  57451
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375c277da90653448928b346e9460f9b5cbb
;; QUESTION SECTION:
;org.				IN	DNSKEY

;; ANSWER SECTION:
;org.			832	IN	DNSKEY	256 3 7 (
;						AwEAAYhrCBtYGnFviZ921MUyk5MD
;						1Ywzz9fLytgGY6enAgn9fFKjlhNp
;						KFDCLxrzrFkPV8OCA2DtefVzIqaw
;						TuHV1zjYgYZgx0nUn4zXVnxFSl4X
;						1CyXPT/AMPOrAw+cN38oxVQs2FDL
;						aLwwmcxXmk3mBwTgu3fGHpmjdA5D
;						/3TPeAjX
;						) ; ZSK; alg = NSEC3RSASHA1; key id = 28794
;org.			832	IN	DNSKEY	256 3 7 (
;						AwEAAa+yHvpOo3f7XS1vtKPGH6AD
;						1OkmYUtnRlkkCO9BKJ0OCCvYSWh5
;						NWLJjIMXRzVpituqoLtiYfhdDYQH
;						5JzRVW6lCtT+2SiWmEx+7GnSyMT4
;						8858uC02AYlJVfbitCpoGGdzyLTi
;						MxtMlztpRyCAvaDujnx+2GBo7zgb
;						50f5gQJp
;						) ; ZSK; alg = NSEC3RSASHA1; key id = 1829
;org.			832	IN	DNSKEY	257 3 7 (
;						AwEAAZTjbIO5kIpxWUtyXc8avsKy
;						HIIZ+LjC2Dv8naO+Tz6X2fqzDC1b
;						dq7HlZwtkaqTkMVVJ+8gE9FIreGJ
;						4c8G1GdbjQgbP1OyYIG7OHTc4hv5
;						T2NlyWr6k6QFz98Q4zwFIGTFVvwB
;						hmrMDYsOTtXakK6QwHovA1+83BsU
;						ACxlidpwB0hQacbD6x+I2RCDzYuT
;						zj64Jv0/9XsX6AYV3ebcgn4hL1jI
;						R2eJYyXlrAoWxdzxcW//5yeL5RVW
;						uhRxejmnSVnCuxkfS4AQ485KH2tp
;						dbWcCopLJZs6tw8q3jWcpTGzdh/v
;						3xdYfNpQNcPImFlxAun3BtORPA2r
;						8ti6MNoJEHU=
;						) ; KSK; alg = NSEC3RSASHA1; key id = 9795
;org.			832	IN	DNSKEY	257 3 7 (
;						AwEAAYpYfj3aaRzzkxWQqMdl7YEx
;						Y81NdYSv+qayuZDodnZ9IMh0bwMc
;						YaVUdzNAbVeJ8gd6jq1sR3VvP/SR
;						36mmGssbV4Udl5ORDtqiZP2TDNDH
;						xEnKKTX+jWfytZeT7d3AbSzBKC0v
;						7uZrM6M2eoJnl6id66rEUmQC2p9D
;						rrDg9F6tXC9CD/zC7/y+BNNpiOdn
;						M5DXk7HhZm7ra9E7ltL13h2mx7kE
;						gU8e6npJlCoXjraIBgUDthYs48W/
;						sdTDLu7N59rjCG+bpil+c8oZ9f7N
;						R3qmSTpTP1m86RqUQnVErifrH8Kj
;						DqL+3wzUdF5ACkYwt1XhPVPU+wSI
;						lzbaAQN49PU=
;						) ; KSK; alg = NSEC3RSASHA1; key id = 21366
;org.			832	IN	RRSIG	DNSKEY 7 1 900 (
;						20140422155313 20140401145313 9795 org.
;						U5EosaoqM0jPBPVdL08D5wilaHoH
;						gcOHM3RNP0hwzv5lQg8JBtq6wZGA
;						YUHstIDTD6LGxR3vLmZGeEHobtxk
;						aNIp/TW1W/zB9SOySTK1DrnMKjYd
;						yi64LbP/XvSv/Fpa29DVkIbU1REs
;						dPSwWyurw1nKiAGUld1AYeGwU1Zi
;						wwqHk6SB+ohZPmv7J9BgIjvSwswr
;						PudynzIbyb1Y7bmI82nEo/FmX3qa
;						YwLXkjsH50BYwAYH1C8CoAeg/fpg
;						P+3b8JRx1M55EzAJNQqVL4nHtqdW
;						4FSV8h3t5pFzLwVpo3lLiKXQj8Di
;						QVTT2JkHqOTnnhlvHG5BDZVykLn2
;						YNxXNQ== )
;org.			832	IN	RRSIG	DNSKEY 7 1 900 (
;						20140422155313 20140401145313 21366 org.
;						JXhlQLDrtfK2ZdXQzdoygZnXNFfa
;						7/lPubNgrUmL46dYo1K07UL0yDkn
;						fhKYrBd7WhES9koX8gR8m3sb4RJj
;						MvtDi0VOOaxI8kCO6ltNQ5h8NKgw
;						WEur+w25EwRjWRychohiIchXLXyK
;						X7mTqUolhVCIfSJGShKLLW8ffYTV
;						eNHP/3FdSu37RNqLsOn+pfaLbhK+
;						MNnwbb/UQbxCPFAkuZCy5JDaUsW0
;						JuqrhMei0EdzGb6qYPk9ZDtCWqZG
;						T+yIdypqWOhM4Eqm8KnHsLbzQlnf
;						ON7gi1ZOIIXoaX+Apo2I8venXqFw
;						xuLTmhvJAkPCqA06oYvkHWf0/yxO
;						x+JkVQ== )
;org.			832	IN	RRSIG	DNSKEY 7 1 900 (
;						20140422155313 20140401145313 28794 org.
;						aHnCxEKmD9y/ZTBnrSu6ZDIhF+hB
;						usJ3XKtBf8ubDrVZcvz8KUT812cL
;						Se16T9pqVOMSoBp5ywGWrieaEsip
;						XXcNjuzuL+5xbxLmnhnv2aiuapNk
;						0siZxvMPs+LV1Gw7Je2wj0o1qRgt
;						TwoFVREPLDkbkEMdXqxrdWmTwVna
;						OK8= )


09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9000(org/DNSKEY): answer_response
09-Apr-2014 09:41:28.311 ;; log_ns_ttl: fctx 0x1115a9000: answer_response: org (in '.'?): 0 0
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9000(org/DNSKEY): cache_message
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9000(org/DNSKEY): cancelquery
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9000(org/DNSKEY): wait for validator
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9000(org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.311 ;; validating org/DNSKEY: starting
09-Apr-2014 09:41:28.311 ;; validating org/DNSKEY: attempting positive response validation
09-Apr-2014 09:41:28.311 ;; validating org/DNSKEY: validatezonekey: creating fetch for org DS
09-Apr-2014 09:41:28.311 ;; fetch: org/DS
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): create
09-Apr-2014 09:41:28.311 ;; log_ns_ttl: fctx 0x1115a9430: fctx_create: org (in '.'?): 0 0
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): join
09-Apr-2014 09:41:28.311 ;; fetch 0x11075a198 (fctx 0x1115a9430(org/DS)): created
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): start
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): try
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): cancelqueries
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): getaddresses
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): query
09-Apr-2014 09:41:28.311 ;; resquery 0x1115af000 (fctx 0x1115a9430(org/DS)): send
09-Apr-2014 09:41:28.311 ;; resquery 0x1115af000 (fctx 0x1115a9430(org/DS)): sent
09-Apr-2014 09:41:28.311 ;; resquery 0x1115af000 (fctx 0x1115a9430(org/DS)): senddone
09-Apr-2014 09:41:28.311 ;; resquery 0x1115af000 (fctx 0x1115a9430(org/DS)): response
09-Apr-2014 09:41:28.311 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  33728
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375c3ca580375344892853012c63813507b5
;; QUESTION SECTION:
;org.				IN	DS

;; ANSWER SECTION:
;org.			5504	IN	DS	21366 7 1 (
;						E6C1716CFB6BDC84E84CE1AB5510
;						DAC69173B5B2 )
;org.			5504	IN	DS	21366 7 2 (
;						96EEB2FFD9B00CD4694E78278B5E
;						FDAB0A80446567B69F634DA078F0
;						D90F01BA )
;org.			5504	IN	RRSIG	DS 8 1 86400 (
;						20140414000000 20140406230000 40926 .
;						hfVkPJGvRpXmvforixrVo77PO1/W
;						Ipaa4cnp/XPrwk9csyo64zAWaCZL
;						+kt5jBCSDlAfpX6cDASN4ueGXajm
;						q8nVyrCT5QvuyHgWJQG0CjtcFgtC
;						DxnWQHAaHdq9IwsuRYCAutjJo9yQ
;						G8PdlUlTZWE8Rzn9UmRlw6KE212y
;						CgI= )


09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): answer_response
09-Apr-2014 09:41:28.311 ;; log_ns_ttl: fctx 0x1115a9430: answer_response: org (in '.'?): 0 0
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): cache_message
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): cancelquery
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): wait for validator
09-Apr-2014 09:41:28.311 ;; fctx 0x1115a9430(org/DS): cancelqueries
09-Apr-2014 09:41:28.311 ;; validating org/DS: starting
09-Apr-2014 09:41:28.311 ;; validating org/DS: attempting positive response validation
09-Apr-2014 09:41:28.311 ;; validating org/DS: get_key: creating fetch for . DNSKEY
09-Apr-2014 09:41:28.311 ;; fetch: ./DNSKEY
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): create
09-Apr-2014 09:41:28.311 ;; log_ns_ttl: fctx 0x1115e9000: fctx_create: . (in '.'?): 0 0
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): join
09-Apr-2014 09:41:28.311 ;; fetch 0x11075a1b0 (fctx 0x1115e9000(./DNSKEY)): created
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): start
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): try
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): cancelqueries
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): getaddresses
09-Apr-2014 09:41:28.311 ;; fctx 0x1115e9000(./DNSKEY): query
09-Apr-2014 09:41:28.311 ;; resquery 0x1115ef000 (fctx 0x1115e9000(./DNSKEY)): send
09-Apr-2014 09:41:28.311 ;; resquery 0x1115ef000 (fctx 0x1115e9000(./DNSKEY)): sent
09-Apr-2014 09:41:28.311 ;; resquery 0x1115ef000 (fctx 0x1115e9000(./DNSKEY)): senddone
09-Apr-2014 09:41:28.312 ;; resquery 0x1115ef000 (fctx 0x1115e9000(./DNSKEY)): response
09-Apr-2014 09:41:28.312 ;; received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  62200
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; SIT: 2d8cf3496b58375cd01f4d7f5344892884b20fcd0bb5cd1e
;; QUESTION SECTION:
;.				IN	DNSKEY

;; ANSWER SECTION:
;.			91894	IN	DNSKEY	256 3 8 (
;						AwEAAb8sU6pbYMWRbkRnEuEZw9NS
;						ir707TkOcF+UL1XiK4NDJOvXRyX1
;						95Am5dQ7bRnnuySZ3daf37vvjUUh
;						uIWUAQ4stht8nJfYxVQXDYjSpGH5
;						I6Hf/0CZEoNP6cNvrQ7AFmKkmv00
;						xWExKQjbvnRPI4bqpMwtHVzn6Wyb
;						BZ6kuqED
;						) ; ZSK; alg = RSASHA256; key id = 33655
;.			91894	IN	DNSKEY	257 3 8 (
;						AwEAAagAIKlVZrpC6Ia7gEzahOR+
;						9W29euxhJhVVLOyQbSEW0O8gcCjF
;						FVQUTf6v58fLjwBd0YI0EzrAcQqB
;						GCzh/RStIoO8g0NfnfL2MTJRkxoX
;						bfDaUeVPQuYEhg37NZWAJQ9VnMVD
;						xP/VHL496M/QZxkjf5/Efucp2gaD
;						X6RS6CXpoY68LsvPVjR0ZSwzz1ap
;						AzvN9dlzEheX7ICJBBtuA6G3LQpz
;						W5hOA2hzCTMjJPJ8LbqF6dsV6DoB
;						Qzgul0sGIcGOYl7OyQdXfZ57relS
;						Qageu+ipAdTTJ25AsRTAoub8ONGc
;						LmqrAmRLKBP1dfwhYB4N7knNnulq
;						QxA+Uk1ihz0=
;						) ; KSK; alg = RSASHA256; key id = 19036
;.			91894	IN	DNSKEY	256 3 8 (
;						AwEAAZvJd8ORk+jmZ41QMYbQ1XCp
;						f60l6YJuHtnxn0VSh5a5vqwEjTST
;						3/PZ4xhUFu2YcTfRNWxs9WTiGZl3
;						MY/UlBIvzpLhKgKnf9Vk8sEU3q0n
;						mOGFgE6jTi/cU95ATU/2dTQovMDv
;						9XyWvrmj8KIG2brj6mF4S8GTae6G
;						2GwbMF5v
;						) ; ZSK; alg = RSASHA256; key id = 40926
;.			91894	IN	RRSIG	DNSKEY 8 0 172800 (
;						20140415235959 20140401000000 19036 .
;						PttXGhd/RiRQDhz9002k/gYVU2c2
;						+YjuW+xv2jczlIuLacXET3ZExT3X
;						kZCTtXiveS+vJtYQPVPCUXZcYb+4
;						VjovysRQ1BedFYrRC/n9scSgm1UO
;						zxDXRKk7tvBgHiyTwONNvogw/SBJ
;						YJ/z9n5cpCY2taEvy5aL2h+vrnwH
;						7WvVT8NR4VJ/ZKJ4GdSxyrEiESm2
;						+d1dUuKOd/XeZbF15XMdDPBH8Ghx
;						eZY5ISbZfDSV3vISQIA1B/VF9Dq/
;						6dxoyMbdPhcpvly3QfzN6brVla2o
;						3FLAcDMyFmSvEcSOgtMntSm0usIs
;						Z7eQiQOfejohFSbFFNcivXXwIlXF
;						qgJXLA== )


09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): answer_response
09-Apr-2014 09:41:28.312 ;; log_ns_ttl: fctx 0x1115e9000: answer_response: . (in '.'?): 0 0
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): cache_message
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): cancelquery
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): wait for validator
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): cancelqueries
09-Apr-2014 09:41:28.312 ;; validating ./DNSKEY: starting
09-Apr-2014 09:41:28.312 ;; validating ./DNSKEY: attempting positive response validation
09-Apr-2014 09:41:28.312 ;; validating ./DNSKEY: verify rdataset (keyid=19036): success
09-Apr-2014 09:41:28.312 ;; validating ./DNSKEY: signed by trusted key; marking as secure
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): received validation completion event
09-Apr-2014 09:41:28.312 ;; validator @0x7f818409a000: dns_validator_destroy
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): validation OK
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): clone_results
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): done
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): stopeverything
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): cancelqueries
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): sendevents
09-Apr-2014 09:41:28.312 ;; validating org/DS: in fetch_callback_validator
09-Apr-2014 09:41:28.312 ;; validating org/DS: keyset with trust secure
09-Apr-2014 09:41:28.312 ;; validating org/DS: resuming validate
09-Apr-2014 09:41:28.312 ;; validating org/DS: verify rdataset (keyid=40926): success
09-Apr-2014 09:41:28.312 ;; validating org/DS: marking as secure, noqname proof not needed
09-Apr-2014 09:41:28.312 ;; fetch 0x11075a1b0 (fctx 0x1115e9000(./DNSKEY)): destroyfetch
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): shutdown
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): received validation completion event
09-Apr-2014 09:41:28.312 ;; validator @0x7f8186000000: dns_validator_destroy
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): validation OK
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): clone_results
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): done
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): stopeverything
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): cancelqueries
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): sendevents
09-Apr-2014 09:41:28.312 ;; validating org/DNSKEY: in dsfetched
09-Apr-2014 09:41:28.312 ;; validating org/DNSKEY: dsset with trust secure
09-Apr-2014 09:41:28.312 ;; validating org/DNSKEY: verify rdataset (keyid=21366): success
09-Apr-2014 09:41:28.312 ;; validating org/DNSKEY: marking as secure (DS)
09-Apr-2014 09:41:28.312 ;; fetch 0x11075a198 (fctx 0x1115a9430(org/DS)): destroyfetch
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): shutdown
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): received validation completion event
09-Apr-2014 09:41:28.312 ;; validator @0x7f8185800000: dns_validator_destroy
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): validation OK
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): clone_results
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): done
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9000(org/DNSKEY): sendevents
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): doshutdown
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): stopeverything
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): cancelqueries
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): unlink
09-Apr-2014 09:41:28.312 ;; fctx 0x1115a9430(org/DS): destroy
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): doshutdown
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): stopeverything
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): cancelqueries
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): unlink
09-Apr-2014 09:41:28.312 ;; fctx 0x1115e9000(./DNSKEY): destroy
09-Apr-2014 09:41:28.312 ;; validating isc.org/DS: in fetch_callback_validator
09-Apr-2014 09:41:28.312 ;; validating isc.org/DS: keyset with trust secure
09-Apr-2014 09:41:28.312 ;; validating isc.org/DS: resuming validate
09-Apr-2014 09:41:28.313 ;; validating isc.org/DS: verify rdataset (keyid=28794): success
09-Apr-2014 09:41:28.313 ;; validating isc.org/DS: marking as secure, noqname proof not needed
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a180 (fctx 0x1115a9000(org/DNSKEY)): destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): received validation completion event
09-Apr-2014 09:41:28.313 ;; validator @0x7f8185000000: dns_validator_destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): validation OK
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): clone_results
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): done
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): sendevents
09-Apr-2014 09:41:28.313 ;; validating isc.org/DNSKEY: in dsfetched
09-Apr-2014 09:41:28.313 ;; validating isc.org/DNSKEY: dsset with trust secure
09-Apr-2014 09:41:28.313 ;; validating isc.org/DNSKEY: verify rdataset (keyid=12892): success
09-Apr-2014 09:41:28.313 ;; validating isc.org/DNSKEY: marking as secure (DS)
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a168 (fctx 0x111569430(isc.org/DS)): destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): received validation completion event
09-Apr-2014 09:41:28.313 ;; validator @0x7f818399fc00: dns_validator_destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): validation OK
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): clone_results
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): done
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): sendevents
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x111569430(isc.org/DS): destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x1115a9000(org/DNSKEY): destroy
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: in fetch_callback_validator
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: keyset with trust secure
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: resuming validate
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: verify rdataset (keyid=4521): success
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: marking as secure, noqname proof not needed
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a150 (fctx 0x111569000(isc.org/DNSKEY)): destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): received validation completion event
09-Apr-2014 09:41:28.313 ;; validator @0x7f8184021800: dns_validator_destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): validation OK
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): clone_results
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): done
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): sendevents
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: in dsfetched
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: dsset with trust secure
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: verify rdataset (keyid=10288): success
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: marking as secure (DS)
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a138 (fctx 0x111529860(Dv.isc.org/DS)): destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): received validation completion event
09-Apr-2014 09:41:28.313 ;; validator @0x7f818399ee00: dns_validator_destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): validation OK
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): clone_results
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): done
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): sendevents
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): destroy
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: in fetch_callback_validator
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: keyset with trust secure
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: resuming validate
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: verify rdataset (keyid=14436): success
09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: marking as secure, noqname proof not needed
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a120 (fctx 0x111529430(dv.isc.org/DNSKEY)): destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): received validation completion event
09-Apr-2014 09:41:28.313 ;; validator @0x7f8184020a00: dns_validator_destroy
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): validation OK
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): clone_results
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): done
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): sendevents
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): destroy
09-Apr-2014 09:41:28.313 ;; fetch 0x11075a0a8 (fctx 0x111529000(dv.isc.org/SOA)): destroyfetch
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): shutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): doshutdown
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): stopeverything
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): cancelqueries
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): unlink
09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): destroy
09-Apr-2014 09:41:28.313 ;; res 0x11076f000: shutdown
09-Apr-2014 09:41:28.313 ;; res 0x11076f000: exiting
09-Apr-2014 09:41:28.320 ;; dns_requestmgr_shutdown: 0x110774000
09-Apr-2014 09:41:28.320 ;; send_shutdown_events: 0x110774000
09-Apr-2014 09:41:28.320 ;; res 0x11076f000: detach
09-Apr-2014 09:41:28.321 ;; res 0x11076f000: destroy
09-Apr-2014 09:41:28.321 ;; dns_requestmgr_detach: 0x110774000: eref 0 iref 0
09-Apr-2014 09:41:28.321 ;; mgr_destroy
09-Apr-2014 09:41:28.321 ;; calling free_rbtdb(.)
09-Apr-2014 09:41:28.321 ;; done free_rbtdb(.)
; fully validated
dv.isc.org.		3532	IN	SOA	bsdi.dv.isc.org. marka.isc.org. 2007111528 86400 21600 2419200 86400
dv.isc.org.		3532	IN	RRSIG	SOA 5 3 3600 20140606234902 20140407224902 14436 dv.isc.org. i8fBym000/fiC3XrQ1B0spgppClOyQfdQiPq3p2228bSYR86NzxOqpUL 2YBya9120KctdiLBOpeUEIf285TzxA==



> The intersection of the position Wes takes and mine is some sort
> of 'assured' AD bit, which I am not opposed to in principle, provided
> this is in fact a reasonable plan of action.
> 
> So for example, extending libresolv to match long-established BSD
> semantics to improve thread safety and provide more application
> control would suffice, res_ninit(), res_setservers(), ...  plus
> ideally the ability to set the "AD" bit in the request (rather than
> "DO", reducing the quantity of unnecessary bloat in the reply).
> 
> That way applications that want a local resolver can be configured
> to use one, and can make appropriate fallback decisions if one is
> not available.
> 
> As for *censoring* the AD bit, that approach is likely more
> problematic and I think is where Paul Wouters and Petr part ways...
> 
> So please make it possible in all the various DNS APIs (that don't
> already do this) for the stub resolver to override the default
> nameserver list (static or insecurely obtained from DHCP).  Give
> the stub resolver more control over the "AD" and "DO" bits, and
> think long and hard about whether censoring is a viable approach
> it may well be a bad idea.
> 
> -- 
> 	Viktor.
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org