Skip to content

Insecurity proof failed resolving 'a.b.keyless.example/A/IN' in dnssec test

dnssec:checking that validation fails when key record is missing using dns_client test failed on v9_16.

In delv.out71 broken trust chain was expected, but failed insecurity proof was found instead:

;; validating a.b.keyless.example/A: no valid signature found
;; insecurity proof failed resolving 'a.b.keyless.example/A/IN': 10.53.0.4#5000
;; resolution failed: insecurity proof failed

ns4/named.run:

10-May-2022 09:45:22.249 validating a.b.keyless.example/DS: validate_neg_rrset: creating validator for a.b.keyless.example NSEC
10-May-2022 09:45:22.249   validating a.b.keyless.example/NSEC: starting
10-May-2022 09:45:22.249   validating a.b.keyless.example/NSEC: attempting positive response validation
10-May-2022 09:45:22.249   validating a.b.keyless.example/NSEC: keyset with trust secure
10-May-2022 09:45:22.249   validating a.b.keyless.example/NSEC: verify rdataset (keyid=40810): success
10-May-2022 09:45:22.249   validating a.b.keyless.example/NSEC: marking as secure, noqname proof not needed
10-May-2022 09:45:22.249   validator @0x61d0001f4a90: dns_validator_destroy

This is how it looks like when the test passes:

delv.out71:

;; validating a.b.keyless.example/A: no valid signature found
;;   validating a.b.keyless.example/NSEC: no valid signature found
;; no valid RRSIG resolving 'a.b.keyless.example/DS/IN': 10.53.0.4#5300
;; broken trust chain resolving 'a.b.keyless.example/A/IN': 10.53.0.4#5300
;; resolution failed: broken trust chain

ns4/named.run:

10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: validate_neg_rrset: creating validator for a.b.keyless.example NSEC
10-May-2022 16:54:57.976   validating a.b.keyless.example/NSEC: starting
10-May-2022 16:54:57.976   validating a.b.keyless.example/NSEC: attempting positive response validation
10-May-2022 16:54:57.976   validating a.b.keyless.example/NSEC: no valid signature found
10-May-2022 16:54:57.976   validating a.b.keyless.example/NSEC: falling back to insecurity proof
10-May-2022 16:54:57.976   validating a.b.keyless.example/NSEC: checking existence of DS at 'example'
10-May-2022 16:54:57.976   validating a.b.keyless.example/NSEC: checking existence of DS at 'keyless.example'
10-May-2022 16:54:57.976   validating a.b.keyless.example/NSEC: checking existence of DS at 'b.keyless.example'
10-May-2022 16:54:57.976   validating a.b.keyless.example/NSEC: checking existence of DS at 'a.b.keyless.example'
10-May-2022 16:54:57.976   validating a.b.keyless.example/NSEC: continuing validation would lead to deadlock: aborting validation
10-May-2022 16:54:57.976   validating a.b.keyless.example/NSEC: deadlock found (create_fetch)
10-May-2022 16:54:57.976   validator @0x7fbff0026ae0: dns_validator_destroy
10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: in validator_callback_nsec
10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: validator_callback_nsec: got no valid RRSIG
10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: resuming validate_nx
10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: nonexistence proof(s) not found
10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: checking existence of DS at 'example'
10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: checking existence of DS at 'keyless.example'
10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: checking existence of DS at 'b.keyless.example'
10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: checking existence of DS at 'a.b.keyless.example'
10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: continuing validation would lead to deadlock: aborting validation
10-May-2022 16:54:57.976 validating a.b.keyless.example/DS: deadlock found (create_fetch)
10-May-2022 16:54:57.976 validator @0x7fbff0024610: dns_validator_destroy
10-May-2022 16:54:57.976 no valid RRSIG resolving 'a.b.keyless.example/DS/IN': 10.53.0.3#5300
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information