In message <a0e00a9b-89cc-4b94-a3a5-49fd22fe3...@johani.org>, Johan Ihren writes:
> I realise this just has to be a user error, but so far I've been
> completely unsuccessful in getting an authenticated response from a
> 9.6.0 recursive server with trusted keys correctly configured.
>
> I've done this:
>
> * Signed the zones:
>
>   "parent" is signed with NSEC semantics, key algorithm is RSASHA1
>   "child1.parent" is signed with NSEC, key algorithm is RSASHA1
>   "child2.parent" is signed with NSEC3, key algorithm is NSEC3RSASHA1
Did you tell dnssec-signzone to generate NSEC3 chains rather than NSEC
chains? NSEC3RSASHA1 allows for both NSEC and NSEC3 chains, and
dnssec-signzone defaults to NSEC chains.

    dnssec-signzone -3 salt [-H iterations] [-A] ....

> * Created the secure delegations:
>
>   the DS records for child1.parent and child2.parent both use the
>   correct algorithm numbers (5 and 7 respectively)
>
> * Configured a trusted key for "parent" in a recursive server:
>
>   The trusted key is correctly configured, because I'm able to validate
>   positive responses from all three zones (which also proves that the
>   delegations are correctly secured via the DS records). I'm also able
>   to validate negative responses from "parent" and "child1.parent".
>
> And, yes, I have "dnssec-enable yes; dnssec-validation yes;" in
> relevant places.
>
> But I fail to validate the interesting case, i.e. a negative response
> from child2.parent containing NSEC3 records as the proof. I get the
> response, with all the NSEC3s and their RRSIGs. But no AD bit.
>
> Anyone done this recently who can give me a suggestion to where I may
> go wrong?
>
> Johan
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
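As an added example (not from Johan's or Mark's messages, and not ISC's own code), here is the signing form Mark points at together with a quick check of the result: whether a dnssec-signzone output file carries an NSEC or an NSEC3 chain. Only the zone name child2.parent comes from the thread; the salt, iteration count, key file names, hashed owner names and the two sample zone fragments are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread or from ISC.
# chain_type reports which denial-of-existence chain a dnssec-signzone
# output file carries; sign_nsec3 shows the "-3 salt -H iterations" form
# Mark describes. Salt, iteration count and key file names are
# illustrative assumptions; "child2.parent" is the zone from the thread.

# chain_type FILE: print "nsec3" if FILE has an NSEC3PARAM RR (written by
# dnssec-signzone -3 at the apex), "nsec" if it has NSEC RRs only, else
# "none". Comment lines (leading ';') are ignored.
chain_type() {
    if grep -Eq '^[^;]*[[:space:]]IN[[:space:]]+NSEC3PARAM[[:space:]]' "$1"; then
        echo nsec3
    elif grep -Eq '^[^;]*[[:space:]]IN[[:space:]]+NSEC[[:space:]]' "$1"; then
        echo nsec
    else
        echo none
    fi
}

# sign_nsec3 ZONE ZONEFILE SALT ITERATIONS [KEYFILE...]: sign ZONEFILE with
# an NSEC3 chain and print the path of the signed file. Without -3,
# dnssec-signzone builds an NSEC chain even when the keys are
# NSEC3RSASHA1 (algorithm 7). Add -A only if you want opt-out, which
# matters for zones with many insecure delegations, not for child2.parent.
sign_nsec3() {
    zone=$1
    zonefile=$2
    salt=$3
    iter=$4
    shift 4
    command -v dnssec-signzone >/dev/null 2>&1 || {
        echo "dnssec-signzone not installed" >&2
        return 1
    }
    dnssec-signzone -3 "$salt" -H "$iter" -o "$zone" \
        -f "$zonefile.signed" "$zonefile" "$@" >/dev/null || return 1
    echo "$zonefile.signed"
}

# Constructed fragments of dnssec-signzone output for child2.parent
# (RRSIGs omitted, hashed owner names and salt made up): the first is what
# you get with no -3, the second with "-3 ABCD1234 -H 10".
NSEC_ZONE='; File written on Fri Jan  9 12:00:00 2009
child2.parent. 3600 IN SOA ns.child2.parent. hostmaster.child2.parent. 2009010901 3600 900 604800 3600
child2.parent. 3600 IN NS ns.child2.parent.
child2.parent. 3600 IN NSEC ns.child2.parent. NS SOA RRSIG NSEC DNSKEY
ns.child2.parent. 3600 IN A 192.0.2.1
ns.child2.parent. 3600 IN NSEC child2.parent. A RRSIG NSEC'

NSEC3_ZONE='; File written on Fri Jan  9 12:05:00 2009
child2.parent. 3600 IN SOA ns.child2.parent. hostmaster.child2.parent. 2009010902 3600 900 604800 3600
child2.parent. 3600 IN NS ns.child2.parent.
child2.parent. 0 IN NSEC3PARAM 1 0 10 ABCD1234
ns.child2.parent. 3600 IN A 192.0.2.1
2VPTU5TIMAMQTTGL4LUU9KG21E0AOR3S.child2.parent. 3600 IN NSEC3 1 0 10 ABCD1234 R53BQ7CC2UVMUBFU5OCMM6PERS9TK9EN NS SOA RRSIG DNSKEY NSEC3PARAM
R53BQ7CC2UVMUBFU5OCMM6PERS9TK9EN.child2.parent. 3600 IN NSEC3 1 0 10 ABCD1234 2VPTU5TIMAMQTTGL4LUU9KG21E0AOR3S A RRSIG'

# write_samples DIR: write both fragments into DIR so chain_type can be
# tried without running dnssec-signzone.
write_samples() {
    printf '%s\n' "$NSEC_ZONE" > "$1/db.child2.parent.nsec.signed"
    printf '%s\n' "$NSEC3_ZONE" > "$1/db.child2.parent.nsec3.signed"
}

# Demo: classify the two constructed files. With a real signed zone, run
# chain_type on it before loading it; if it says "nsec", re-sign with -3.
# Then query the validating resolver for a name that does not exist and
# expect the AD flag plus NSEC3 RRs in the AUTHORITY section:
#   dig +dnssec @127.0.0.1 nxdomain.child2.parent A
tmp=$(mktemp -d) || exit 1
write_samples "$tmp"
for f in "$tmp"/db.child2.parent.*.signed; do
    printf '%s: %s\n' "${f##*/}" "$(chain_type "$f")"
done
rm -rf "$tmp"
```

The check keys off NSEC3PARAM rather than NSEC3 RRs because dnssec-signzone writes NSEC3PARAM at the apex whenever it builds an NSEC3 chain, and the pattern deliberately requires the class field so that NSEC appearing inside a type bitmap does not count as a chain record.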