FS#47033 - [bind-tools] dig is missing sigchase support

Attached to Project: Arch Linux
Opened by Andreas Simon (asimon) - Wednesday, 11 November 2015, 08:58 GMT
Last edited by Sébastien Luttringer (seblu) - Monday, 16 November 2015, 01:26 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

/usr/bin/dig from bind-tools 9.10.3-1 is not compiled with -DDIG_SIGCHASE.

Thus this dig can't be used to validate DNSSEC key chains.

Quote from the manual page:
+[no]sigchase
Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHASE.


How to reproduce:

$ dig +sigchase
Invalid option: +sigchase

If dig is compiled with sigchase support the output would be
$ dig +sigchase
No trusted keys present

Sigchase support is required to check DNSSEC zones, e.g. something like
$ dig . DNSKEY | grep -Ev '^($|;)' > root.keys
$ dig +sigchase +trusted-key=./root.keys www.denic.de. A
...
[Skip a lot of output]
...
; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Debian, Fedora, and probably all other major distros compile dig with -DDIG_SIGCHASE.
I think there is no reason not to. Thanks.
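The trust-anchor step in the report (`dig . DNSKEY | grep -Ev '^($|;)' > root.keys`) deserves a check before the file is fed to `+trusted-key`: the DNSKEY answer is fetched without validation, so whatever comes back should be compared against the key tag IANA publishes for the root trust anchor, and only the KSK (SEP bit set) belongs in the file. The script below is an added example, not code from the bug report or from bind-tools. It reproduces the grep filter in Python, parses the surviving DNSKEY records as dig prints them, computes RFC 4034 Appendix B key tags, keeps the KSKs, and renders the trusted-key lines. The dig transcript, the dummy 3-byte keys and the helper names are all constructed for the example so it runs offline.

```python
"""Build and sanity-check a dig +trusted-key file from `dig . DNSKEY` output.

Added example; not code from the bug report or from bind-tools.  The dig
transcript below is constructed, with throw-away 3-byte keys standing in
for real 2048-bit RSA keys, so everything here runs offline.
"""
import base64
import struct
from dataclasses import dataclass

# Constructed sample in the shape of `dig . DNSKEY` output (not a real RRset).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.10.3 <<>> . DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;.\t\t\t\tIN\tDNSKEY

;; ANSWER SECTION:
.\t\t\t172800\tIN\tDNSKEY\t257 3 8 AQID
.\t\t\t172800\tIN\tDNSKEY\t256 3 8 BAUG

;; Query time: 12 msec
"""


def key_tag(flags: int, protocol: int, algorithm: int, key: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    if algorithm == 1:
        # RSA/MD5: tag is the high 16 bits of the low 24 bits of the modulus.
        return int.from_bytes(key[-3:-1], "big")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKey:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    key: bytes

    @property
    def is_ksk(self) -> bool:
        # RFC 4034 s2.1.1: bit 7 (256) = Zone Key, bit 15 (1) = SEP.
        return self.flags & 257 == 257

    @property
    def key_tag(self) -> int:
        return key_tag(self.flags, self.protocol, self.algorithm, self.key)


def strip_dig_noise(text: str) -> list[str]:
    """Python equivalent of `grep -Ev '^($|;)'`: drop blank and comment lines."""
    return [ln for ln in text.splitlines() if ln and not ln.startswith(";")]


def parse_dnskey_line(line: str) -> DNSKey:
    """Parse one presentation-format DNSKEY RR as dig prints it.

    dig may wrap a long key across several space-separated chunks, so every
    field after the algorithm is joined before base64-decoding.
    """
    fields = line.split(";", 1)[0].split()  # drop any trailing ; comment
    if len(fields) < 8 or fields[2] != "IN" or fields[3] != "DNSKEY":
        raise ValueError(f"not a DNSKEY RR: {line!r}")
    owner, ttl = fields[0], int(fields[1])
    flags, protocol, algorithm = (int(x) for x in fields[4:7])
    if protocol != 3:
        # RFC 4034 s2.1.2: protocol MUST be 3; anything else is not a valid key.
        raise ValueError(f"invalid DNSKEY protocol {protocol} in {line!r}")
    key = base64.b64decode("".join(fields[7:]), validate=True)
    return DNSKey(owner, ttl, flags, protocol, algorithm, key)


def parse_dig_dnskey_output(text: str) -> list[DNSKey]:
    return [parse_dnskey_line(ln) for ln in strip_dig_noise(text)]


def select_trust_anchors(keys: list[DNSKey]) -> list[DNSKey]:
    """Keep only KSKs; the ZSKs are signed by them and need not be trusted."""
    return [k for k in keys if k.is_ksk]


def trusted_key_file(keys: list[DNSKey]) -> str:
    """Render keys back into the DNSKEY lines that dig +trusted-key reads."""
    return "".join(
        f"{k.owner}\t{k.ttl}\tIN\tDNSKEY\t{k.flags} {k.protocol} {k.algorithm} "
        f"{base64.b64encode(k.key).decode()}\n"
        for k in keys
    )


if __name__ == "__main__":
    anchors = select_trust_anchors(parse_dig_dnskey_output(SAMPLE_DIG_OUTPUT))
    for k in anchors:
        print(f"KSK for {k.owner} alg {k.algorithm} key tag {k.key_tag}")
    print(trusted_key_file(anchors), end="")
```

Run it against real `dig . DNSKEY` output instead of the constructed sample, compare the printed key tag with the published root trust anchor, and only then write the rendered lines to the file passed to `+trusted-key`.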

This task depends upon

Closed by Sébastien Luttringer (seblu)
Monday, 16 November 2015, 01:26 GMT
Reason for closing: Implemented
Additional comments about closing: bind 9.10.3-2
