How to fix delv on macOS
Introduction
delv is a powerful debugging tool from ISC, the creator of BIND, which validates DNSSEC in a way that closely mimics what happens inside a DNS server. However, on macOS you may run into a specific error because the version of the tool shipped with the system is outdated.
The Problem
When I recently tried to debug a DNSSEC issue, I ran into a problem with delv. It worked fine on an EC2 instance running Linux, but it gave me the following error on my MacBook:
% delv glucn.com
;; none:29: no crypto support
delv: No trusted keys were loaded
This error occurs when no DNSKEY or DS is properly configured as the trust anchor (code link). It appears that this issue stems from the old version of delv (and the entire BIND suite) distributed with macOS.
% delv -v
delv 9.10.6
% which delv
/usr/bin/delv
% dig -v
DiG 9.10.6
The Fix
Since we know it's an old version of delv, let's install the latest version and see if that fixes the problem.
% brew install bind
...
==> Installing bind
==> Pouring bind--9.20.4.arm64_sequoia.bottle.tar.gz
==> Caveats
To start bind now and restart at startup:
sudo brew services start bind
Or, if you don't want/need a background service you can just run:
/opt/homebrew/opt/bind/sbin/named -f -L /opt/homebrew/var/log/named/named.log
==> Summary
🍺 /opt/homebrew/Cellar/bind/9.20.4: 314 files, 8.4MB
...
After installation, delv should point to the newly installed version (if not, you may need to reboot your MacBook):
% which delv
/opt/homebrew/bin/delv
% delv -v
delv 9.20.4
Now, you can use it to debug your DNSSEC issue:
% delv glucn.com
;; no valid RRSIG resolving 'com/DS/IN': 2001:569:7b93:5600:d635:1dff:fe56:342b#53
;; no valid RRSIG resolving 'com/DS/IN': 192.168.1.254#53
;; broken trust chain resolving 'glucn.com/A/IN': 192.168.1.254#53
;; resolution failed: broken trust chain
In my case, the problem was with my router at home. :D
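As an added illustration (not part of the original post), the following POSIX shell script tells the two failures seen above apart: "no crypto support" points at the tool itself, while "broken trust chain" points at the resolver path. The 9.20.4 minimum version and the "fully validated" success marker are assumptions, and the sample outputs are copied from the transcripts in this post.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies delv diagnostics and
# checks whether the delv on PATH is older than an assumed minimum version.

# Extract "X.Y.Z" from a `delv -v` line such as "delv 9.10.6".
delv_version() {
  printf '%s\n' "$1" | sed -n 's/^delv \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 is numerically older than $2 (missing fields count as 0).
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1   # identical versions are not "less than"
}

# Map delv's ';;' diagnostics to a one-word cause.
classify_delv_output() {
  case "$1" in
    *"no crypto support"*)  echo outdated-tool ;;       # fix: newer BIND (brew install bind)
    *"broken trust chain"*) echo broken-trust-chain ;;  # fix: look at the resolver/router
    *"fully validated"*)    echo validated ;;           # assumed success marker
    *)                      echo unknown ;;
  esac
}

# Constructed samples, copied from the transcripts in the post.
OLD_OUTPUT=';; none:29: no crypto support
delv: No trusted keys were loaded'
NEW_OUTPUT=";; no valid RRSIG resolving 'com/DS/IN': 192.168.1.254#53
;; broken trust chain resolving 'glucn.com/A/IN': 192.168.1.254#53
;; resolution failed: broken trust chain"

# Live check when delv is installed: is the delv on PATH older than the assumed minimum?
if command -v delv >/dev/null 2>&1; then
  v=$(delv_version "$(delv -v 2>&1)")
  if version_lt "$v" 9.20.4; then
    echo "delv ${v:-?} at $(command -v delv) is older than 9.20.4: run 'brew install bind'"
  fi
fi
```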
Conclusion
By updating to the latest version of delv, you can resolve the "no crypto support" error on macOS. This gives you the cryptographic support needed to debug DNSSEC issues effectively. If you encounter similar issues, consider checking for outdated software versions as a potential cause.