In message <a0e00a9b-89cc-4b94-a3a5-49fd22fe3...@johani.org>, Johan Ihren 
writes:
> I realise this just has to be a user error, but so far I've been  
> completely unsuccessful in getting an authenticated response from a  
> 9.6.0 recursive server with trusted keys correctly configured.
> 
> I've done this:
> 
> * Signed the zones:
> 
> "parent" is signed with NSEC semantics, key algorithm is RSASHA1
> "child1.parent" is signed with NSEC, key algorithm is RSASHA1
> "child2.parent" is signed with NSEC3, key algorithm is NSEC3RSASHA1

        Did you tell dnssec-signzone to generate NSEC3 chains rather
        than NSEC chains?  NSEC3RSASHA1 allows for both NSEC and
        NSEC3 chains, and dnssec-signzone defaults to NSEC chains.

        dnssec-signzone -3 salt [-H iterations] [-A] ....

> * Created the secure delegations:
> 
> the DS records for child1.parent and child2.parent both use the  
> correct algorithm numbers (5 and 7 respectively)
> 
> * Configured a trusted key for "parent" in a recursive server:
> 
> The trusted key is correctly configured, because I'm able to validate  
> positive responses from all three zones (which also proves that the  
> delegations are correctly secured via the DS records). I'm also able  
> to validate negative responses from "parent" and "child1.parent".
> 
> And, yes, I have "dnssec-enable yes; dnssec-validation yes;" in  
> relevant places.
> 
> But I fail to validate the interesting case, i.e. a negative response  
> from child2.parent containing NSEC3 records as the proof. I get the  
> response, with all the NSEC3s and their RRSIGs. But no AD bit.
> 
> Anyone done this recently who can give me a suggestion to where I may  
> go wrong?
> 
> Johan
> 
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
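A quick way to check Mark's point before going back to the resolver is to look at what chain the signed zone file actually carries. The script below is an added example, not code from this thread or from BIND: it parses a signed zone in presentation format (constructed sample data, one RR per line) and reports the DNSKEY algorithms and whether the zone has an NSEC chain, an NSEC3 chain (with NSEC3PARAM), or both, so an algorithm-7 zone that was signed without `dnssec-signzone -3 <salt>` shows up as "NSEC".

```python
"""Report which denial-of-existence chain a signed zone file carries.

Algorithm 7 (NSEC3RSASHA1) permits either an NSEC or an NSEC3 chain, so a
zone whose keys are all algorithm 7 but whose chain is NSEC was signed
without the -3 option. Sample zone text below is constructed for this example.
"""
import re
from collections import Counter

NSEC_ZONE = """\
child2.parent.      3600 IN SOA    ns1.child2.parent. hostmaster.child2.parent. 1 3600 900 604800 3600
child2.parent.      3600 IN DNSKEY 257 3 7 AwEAAexampleKSK
child2.parent.      3600 IN DNSKEY 256 3 7 AwEAAexampleZSK
child2.parent.      3600 IN NSEC   www.child2.parent. SOA NS DNSKEY RRSIG NSEC
www.child2.parent.  3600 IN NSEC   child2.parent. A RRSIG NSEC
"""

NSEC3_ZONE = """\
child2.parent.      3600 IN SOA    ns1.child2.parent. hostmaster.child2.parent. 2 3600 900 604800 3600
child2.parent.      3600 IN DNSKEY 257 3 7 AwEAAexampleKSK
child2.parent.      0    IN NSEC3PARAM 1 0 10 ABCDEF
A1B2C3.child2.parent. 3600 IN NSEC3 1 0 10 ABCDEF D4E5F6 SOA NS DNSKEY RRSIG NSEC3PARAM
"""

# owner TTL IN TYPE RDATA (class is assumed to be IN, as dnssec-signzone writes it)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def inspect_zone(zone_text):
    """Return the DNSKEY algorithm counts, the chain type and NSEC3PARAM presence."""
    algs, types = Counter(), Counter()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and blank lines
        m = RR_RE.match(line) if line else None
        if not m:
            continue
        rtype, rdata = m.group(3), m.group(4).split()
        types[rtype] += 1
        if rtype == "DNSKEY" and len(rdata) >= 3:
            algs[int(rdata[2])] += 1  # DNSKEY RDATA: flags protocol algorithm key
    nsec, nsec3 = types["NSEC"], types["NSEC3"]
    chain = "mixed" if nsec and nsec3 else "NSEC3" if nsec3 else "NSEC" if nsec else "none"
    return {"algorithms": dict(algs), "chain": chain, "nsec3param": types["NSEC3PARAM"] > 0}


def signed_without_nsec3(zone_text):
    """True when every DNSKEY is algorithm 7 but the chain is NSEC (signzone ran without -3)."""
    info = inspect_zone(zone_text)
    return info["chain"] == "NSEC" and set(info["algorithms"]) == {7}
```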
