FS#47033 - [bind-tools] dig is missing sigchase support
Attached to Project:
Arch Linux
Opened by Andreas Simon (asimon) - Wednesday, 11 November 2015, 08:58 GMT
Last edited by Sébastien Luttringer (seblu) - Monday, 16 November 2015, 01:26 GMT
Details
Description:
/usr/bin/dig from bind-tools 9.10.3-1 is not compiled with -DDIG_SIGCHASE. Thus this dig can't be used to validate DNSSEC key chains.

Quote from the manual page:

+[no]sigchase
    Chase DNSSEC signature chains. Requires dig be compiled with -DDIG_SIGCHASE.

How to reproduce:

$ dig +sigchase
Invalid option: +sigchase

If dig is compiled with sigchase support the output would be

$ dig +sigchase
No trusted keys present

Sigchase support is required to check DNSSEC zones, e.g. something like

$ dig . DNSKEY | grep -Ev '^($|;)' > root.keys
$ dig +sigchase +trusted-key=./root.keys www.denic.de. A
... [Skip a lot of output] ...
; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

Debian, Fedora, and probably all other major distros compile dig with DDIG_SIGCHASE. I think there is no reason not to.

Thanks.
Closed by Sébastien Luttringer (seblu)
Monday, 16 November 2015, 01:26 GMT
Reason for closing: Implemented
Additional comments about closing: bind 9.10.3-2