Using Drill to validate signatures

Written by Rick van Rein in category: General, Procedures, Security, Technical

How can the Drill utility be used to ensure properly signed zones?

When a zone encounters a problem, it is helpful to dig around in DNS, possibly probing the authoritative servers directly to bypass validating resolvers. This will yield information, but it does not actually check the signatures.

The Drill utility is a replacement for Dig, and it can actually chase a signature all the way up to the DNSSEC root keys. Assuming you do not have a local copy of the root key(s), and that the security of this particular check is not the most important issue to you right now, let’s see how to use Drill:

dig . dnskey > /tmp/rootkey
drill -k /tmp/rootkey -TD ip4afrika.nl SOA @ns1.surfnet.nl
echo $?

The first command retrieves the root key(s) without checking anything security-related. If your resolvers validate DNSSEC, you will of course not be bypassing that check here. The second command chases the signature chain of trust all the way up to those root key(s), querying the given name server directly, and the final line prints 0 if everything went fine.

The lines printed out are prefixed with [T] for trusted information, [B] for bogus data, and [S] for records whose self-signature checks out but which are not anchored to a trusted key. Only if all lines are marked with [T] are you free of trouble.

Let’s include an example outcome of the command:

;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 49656 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAc...qSHqf ;{id = 49656 (zsk), size = 1024b}
Trusted key: . 153073 IN DNSKEY 256 3 8 AwEAAc...qSHqf ;{id = 49656 (zsk), size = 1024b}
Key is now trusted!
Trusted key: . 153073 IN DNSKEY 257 3 8 AwEAAa...ihz0= ;{id = 19036 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAa...ihz0= ;{id = 19036 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAc...qSHqf ;{id = 49656 (zsk), size = 1024b}
Key is now trusted!
[T] nl. 86400 IN DS 21362 8 2 881d...de98
;; Domain: nl.
[T] nl. 7200 IN DNSKEY 257 3 8 ;{id = 21362 (ksk), size = 2048b}
nl. 7200 IN DNSKEY 256 3 8 ;{id = 11604 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: nl. 7200 IN DNSKEY 256 3 8 AwEAAa...PuEx7 ;{id = 11604 (zsk), size = 1024b}
Trusted key: . 153073 IN DNSKEY 256 3 8 AwEAAc...qSHqf ;{id = 49656 (zsk), size = 1024b}
Trusted key: . 153073 IN DNSKEY 257 3 8 AwEAAa...ihz0= ;{id = 19036 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAa...ihz0= ;{id = 19036 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAc...qSHqf ;{id = 49656 (zsk), size = 1024b}
Trusted key: nl. 7200 IN DNSKEY 257 3 8 AwEAAb...r4b0= ;{id = 21362 (ksk), size = 2048b}
Trusted key: nl. 7200 IN DNSKEY 256 3 8 AwEAAa...PuEx7 ;{id = 11604 (zsk), size = 1024b}
Key is now trusted!
[T] ip4afrika.nl. 7200 IN DS 28891 8 2 f5e3...91bb
;; Domain: ip4afrika.nl.
[T] ip4afrika.nl. 3600 IN DNSKEY 257 3 8 ;{id = 28891 (ksk), size = 2048b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 354 (zsk), size = 1024b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 7948 (zsk), size = 1024b}
ip4afrika.nl. 3600 IN DNSKEY 256 3 8 ;{id = 8335 (zsk), size = 1024b}
[T] ip4afrika.nl. 3600 IN SOA ns1.surfnet.nl. hostmaster.surfnet.nl. 2013090202 20800 3600 604800 3600
;;[S] self sig OK; [B] bogus; [T] trusted
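The rule from the post, that both the exit status and every [T]/[B]/[S] tag must be checked, can be automated by parsing the trace that drill prints. The following is an added example (not code from the post or from ldns/drill); the sample trace is a constructed, condensed copy of the output above, the drill_chase wrapper runs drill with the exact arguments used in the post, and the `MARK_RE` pattern is an assumption about the line layout shown here.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Tagged lines look like "[T] owner TTL IN TYPE ..."; untagged lines (extra
# DNSKEYs, key-chasing chatter) and ";;" comment/legend lines carry no verdict.
MARK_RE = re.compile(r"^\[([TBS])\]\s+(\S+)\s+\d+\s+IN\s+(\S+)")

@dataclass
class ChainCheck:
    trusted: list = field(default_factory=list)      # (owner, rrtype) pairs
    bogus: list = field(default_factory=list)
    self_signed: list = field(default_factory=list)  # signed, but not anchored

    @property
    def fully_trusted(self) -> bool:
        # The post's rule: only if every tagged line is [T] are you free of trouble
        return bool(self.trusted) and not self.bogus and not self.self_signed

def parse_drill_trace(text: str) -> ChainCheck:
    result = ChainCheck()
    buckets = {"T": result.trusted, "B": result.bogus, "S": result.self_signed}
    for line in text.splitlines():
        m = MARK_RE.match(line.strip())
        if m:
            mark, owner, rrtype = m.groups()
            buckets[mark].append((owner, rrtype))
    return result

def drill_chase(name: str, rrtype: str, server: str, rootkey: str = "/tmp/rootkey"):
    """Run drill as in the post; trust the answer only if exit status is 0 AND every tag is [T]."""
    proc = subprocess.run(["drill", "-k", rootkey, "-TD", name, rrtype, "@" + server],
                          capture_output=True, text=True)
    check = parse_drill_trace(proc.stdout)
    return proc.returncode == 0 and check.fully_trusted, check

# Constructed sample: condensed from the trace shown in the post.
SAMPLE_OK = """\
;; Domain: .
[T] . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 49656 (zsk), size = 1024b}
[T] nl. 86400 IN DS 21362 8 2 881d...de98
;; Domain: nl.
[T] nl. 7200 IN DNSKEY 257 3 8 ;{id = 21362 (ksk), size = 2048b}
[T] ip4afrika.nl. 7200 IN DS 28891 8 2 f5e3...91bb
;; Domain: ip4afrika.nl.
[T] ip4afrika.nl. 3600 IN DNSKEY 257 3 8 ;{id = 28891 (ksk), size = 2048b}
[T] ip4afrika.nl. 3600 IN SOA ns1.surfnet.nl. hostmaster.surfnet.nl. 2013090202 20800 3600 604800 3600
;;[S] self sig OK; [B] bogus; [T] trusted
"""
# Constructed failure case: same chain, but drill rejects the SOA signature.
SAMPLE_BOGUS = SAMPLE_OK.replace("[T] ip4afrika.nl. 3600 IN SOA", "[B] ip4afrika.nl. 3600 IN SOA")
```

A single [B] or [S] anywhere in the trace, or a non-zero exit status, is enough to reject the answer, which is stricter than looking only at the final SOA line.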
