Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises
Mark Andrews <marka@isc.org> Tue, 08 April 2014 23:50 UTC
To: dane@ietf.org
From: Mark Andrews <marka@isc.org>
References: <533EB433.5060204@redhat.com> <0lha63rb6i.fsf@wjh.hardakers.net> <20140408174936.GL12559@mournblade.imrryr.org>
In-reply-to: Your message of "Tue, 08 Apr 2014 17:49:37 +0000." <20140408174936.GL12559@mournblade.imrryr.org>
Date: Wed, 09 Apr 2014 09:50:25 +1000
Message-Id: <20140408235025.757001343582@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/qqF0dC_c89VyMOocyJGWcKdOgC4
Subject: Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises
In message <20140408174936.GL12559@mournblade.imrryr.org>, Viktor Dukhovni writes:
> On Tue, Apr 08, 2014 at 10:19:33AM -0700, Wes Hardaker wrote:
>
> > Petr Spacek <pspacek@redhat.com> writes:
> >
> > > It seems that almost everyone agree that local validating resolver is the
> > > best option.
> >
> > I failed to pipe up before, unfortunately.
> >
> > But, no I don't agree that's the best solution. The reality is that in
> > some cases we're making *security decisions* based on the results of a
> > flag that we're not 100% sure of the source. Without doing something
> > like replacing the system library's notion of even looking at
> > resolv.conf and only looking for 127.0.0.1, then you can't be 100% sure
> > that the bit you get back is actually trustable. If the default install
> > of the OS does the right thing, who's to say it'll stay that way.
>
> This is where Wes and I part ways somewhat, but fortunately, this
> issue is not an impediment to the SMTP DANE draft.
>
> > As an application author who might want absolute assurance that DNSSEC
> > was done (because I'm bootstrapping TLS or SSH or ... off of it), then
> > my ideal situation is to have a local resolver for caching purposes, but
> > to actually do validation in-application.
>
> For me doing it in application, means costly integration of complex
> code into the application that will add considerable latency because
> the application will have a cold DNSSEC cache (and will now need
> a cache where one was not needed before... The Plan-9 approach of
> moving security features into system services is I think far
> preferable.

What latency? This is the output of delve (see BIND 9.10) which is
a standalone stub validator talking to a local validating resolver
doing a full validation from the root. This uses exactly the same
code that named uses to validate its answers. The only difference
is a slightly different cache implementation is used.

28.321 - 28.298 = 00.023 from start to finish.
The only change I made was to make the logging print out timestamps.
with trust secure 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: resuming validate 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: verify rdataset (keyid=4521): success 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DS: marking as secure, noqname proof not needed 09-Apr-2014 09:41:28.313 ;; fetch 0x11075a150 (fctx 0x111569000(isc.org/DNSKEY)): destroyfetch 09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): shutdown 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): received validation completion event 09-Apr-2014 09:41:28.313 ;; validator @0x7f8184021800: dns_validator_destroy 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): validation OK 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): clone_results 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): done 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): stopeverything 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): cancelqueries 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): sendevents 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: in dsfetched 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: dsset with trust secure 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: verify rdataset (keyid=10288): success 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/DNSKEY: marking as secure (DS) 09-Apr-2014 09:41:28.313 ;; fetch 0x11075a138 (fctx 0x111529860(Dv.isc.org/DS)): destroyfetch 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): shutdown 09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): received validation completion event 09-Apr-2014 09:41:28.313 ;; validator @0x7f818399ee00: dns_validator_destroy 09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): validation OK 09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): clone_results 09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): done 09-Apr-2014 09:41:28.313 ;; fctx 
0x111529430(dv.isc.org/DNSKEY): stopeverything 09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): cancelqueries 09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): sendevents 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): doshutdown 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): stopeverything 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): cancelqueries 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): unlink 09-Apr-2014 09:41:28.313 ;; fctx 0x111529860(Dv.isc.org/DS): destroy 09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): doshutdown 09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): stopeverything 09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): cancelqueries 09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): unlink 09-Apr-2014 09:41:28.313 ;; fctx 0x111569000(isc.org/DNSKEY): destroy 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: in fetch_callback_validator 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: keyset with trust secure 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: resuming validate 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: verify rdataset (keyid=14436): success 09-Apr-2014 09:41:28.313 ;; validating Dv.isc.org/SOA: marking as secure, noqname proof not needed 09-Apr-2014 09:41:28.313 ;; fetch 0x11075a120 (fctx 0x111529430(dv.isc.org/DNSKEY)): destroyfetch 09-Apr-2014 09:41:28.313 ;; fctx 0x111529430(dv.isc.org/DNSKEY): shutdown 09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): received validation completion event 09-Apr-2014 09:41:28.313 ;; validator @0x7f8184020a00: dns_validator_destroy 09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): validation OK 09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): clone_results 09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): done 09-Apr-2014 09:41:28.313 ;; fctx 0x111529000(dv.isc.org/SOA): stopeverything 
; fully validated
dv.isc.org. 3532 IN SOA bsdi.dv.isc.org. marka.isc.org. 2007111528 86400 21600 2419200 86400
dv.isc.org. 3532 IN RRSIG SOA 5 3 3600 20140606234902 20140407224902 14436 dv.isc.org. i8fBym000/fiC3XrQ1B0spgppClOyQfdQiPq3p2228bSYR86NzxOqpUL 2YBya9120KctdiLBOpeUEIf285TzxA==

> The intersection of the position Wes takes and mine is some sort
> of 'assured' AD bit, which I am not opposed to in principle, provided
> this is in fact a reasonable plan of action.
>
> So for example, extending libresolv to match long-established BSD
> semantics to improve thread safety and provide more application
> control would suffice, res_ninit(), res_setservers(), ... plus
> ideally the ability to set the "AD" bit in the request (rather than
> "DO", reducing the quantity of unnecessary bloat in the reply).
>
> That way applications that want a local resolver can be configured
> to use one, and can make appropriate fallback decisions if one is
> not available.
>
> As for *censoring* the AD bit, that approach is likely more
> problematic and I think is where Paul Wouters and Petr part ways...
>
> So please make it possible in all the various DNS APIs (that don't
> already do this) for the stub resolver to override the default
> nameserver list (static or insecurely obtained from DHCP). Give
> the stub resolver more control over the "AD" and "DO" bits, and
> think long and hard about whether censoring is a viable approach
> it may well be a bad idea.
>
> --
> Viktor.
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
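Added example, not part of the original message or of libresolv/BIND: a sketch in C of the request-side choice discussed in the quoted text, setting AD in the query header versus sending EDNS0 with DO, plus a check that believes AD in a reply only from a local resolver. The function names and the loopback-only policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical helpers for illustration; not libresolv or BIND API. */
#define FLAG_RD 0x0100 /* recursion desired */
#define FLAG_AD 0x0020 /* authentic data; also meaningful in queries (RFC 6840, 5.7) */

/* Build a query for name/qtype, class IN. want_ad sets AD in the header;
 * want_do appends an EDNS0 OPT record with the DO flag. Returns the
 * message length, or 0 if the name is malformed or buf is too small. */
size_t build_query(uint8_t *buf, size_t cap, uint16_t id, const char *name,
                   uint16_t qtype, int want_ad, int want_do)
{
    /* root name, TYPE=OPT(41), UDP size 4096, ext-rcode 0, version 0,
     * flags 0x8000 (DO), RDLEN 0 */
    static const uint8_t opt[11] = {0, 0, 41, 0x10, 0, 0, 0, 0x80, 0, 0, 0};
    uint16_t flags = FLAG_RD | (want_ad ? FLAG_AD : 0);
    size_t n = 12;
    if (cap < 12 + strlen(name) + 2 + 4 + sizeof opt) return 0;
    memset(buf, 0, 12);
    buf[0] = (uint8_t)(id >> 8);    buf[1] = (uint8_t)id;
    buf[2] = (uint8_t)(flags >> 8); buf[3] = (uint8_t)flags;
    buf[5] = 1;                                  /* QDCOUNT = 1 */
    while (*name) {                              /* one length-prefixed label per pass */
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > 63) return 0;
        buf[n++] = (uint8_t)len;
        memcpy(buf + n, name, len); n += len;
        name += len + (dot ? 1 : 0);
    }
    buf[n++] = 0;                                /* root label ends QNAME */
    buf[n++] = (uint8_t)(qtype >> 8); buf[n++] = (uint8_t)qtype;
    buf[n++] = 0; buf[n++] = 1;                  /* QCLASS = IN */
    if (want_do) {
        memcpy(buf + n, opt, sizeof opt); n += sizeof opt;
        buf[11] = 1;                             /* ARCOUNT = 1 */
    }
    return n;
}

/* Assumed policy: believe AD only in a NOERROR response from a resolver
 * the application reached over loopback. */
int ad_is_trustworthy(const uint8_t *resp, size_t len, int resolver_is_loopback)
{
    if (len < 12 || !(resp[2] & 0x80)) return 0; /* short, or QR clear */
    if (resp[3] & 0x0f) return 0;                /* RCODE != NOERROR */
    return resolver_is_loopback && (resp[3] & 0x20) != 0;
}
```

The AD-only query carries no OPT record and asks for no RRSIGs in the answer; the DO query adds 11 bytes to the request and makes the server include signature records in the reply.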