On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
> In message <1300993213.12273.96.camel@localhost.localdomain>, "fakessh @" writes:
> > hi bind //guru/
> > hi isc guru
> > hi mark andrews
> > hi michel graff
>
> There are no DLV records for fakessh.eu. See below.
>
> There are no DS records for fakessh.eu. See below.
>

necessarily because I can not validate the key through via isc dlv

> Two of the nameservers for your zone are not DNSSEC enabled. They
> do NOT return RRSIG records when asked for the DNSKEY records with
> DO=1. See below.
>
> You need to address these issues.
>
> Mark
>
> % dig fakessh.eu.dlv.isc.org dlv
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21760
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;fakessh.eu.dlv.isc.org. IN DLV
>
> ;; AUTHORITY SECTION:
> dlv.isc.org. 2793 IN SOA ns-int.isc.org.
> hostmaster.isc.org. 2011032404 7200 3600 2419200 3600
>
> ;; Query time: 3 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Mar 25 08:10:56 2011
> ;; MSG SIZE rcvd: 94
>
> % dig ds fakessh.eu
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> ds fakessh.eu
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20600
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;fakessh.eu. IN DS
>
> ;; AUTHORITY SECTION:
> eu. 600 IN SOA a.nic.eu. tech.eurid.eu.
> 1003425849 3600 1800 3600000 600
>
> ;; Query time: 930 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Mar 25 08:13:44 2011
> ;; MSG SIZE rcvd: 81
>
> % dig +dnssec dnskey fakessh.eu @ns0.xname.org
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec dnskey fakessh.eu @ns0.xname.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;fakessh.eu. IN DNSKEY
>
> ;; ANSWER SECTION:
> fakessh.eu. 38400 IN DNSKEY 256 3 5
> AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN
> Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR
> P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89
> Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
> fakessh.eu. 38400 IN DNSKEY 257 3 5
> AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz
> 9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=
>
> ;; AUTHORITY SECTION:
> fakessh.eu. 38400 IN NS r13151.ovh.net.
> fakessh.eu. 38400 IN NS ns0.xname.org.
> fakessh.eu. 38400 IN NS ns1.xname.org.
> fakessh.eu. 38400 IN NS ns1.novacrea.fr.
> fakessh.eu. 38400 IN NS ns2.xname.org.
>
> ;; ADDITIONAL SECTION:
> ns0.xname.org. 600 IN A 195.234.42.1
> ns1.xname.org. 600 IN A 87.98.164.164
> ns1.novacrea.fr. 55352 IN A 94.23.59.30
> ns2.xname.org. 600 IN A 88.191.64.64
> ns2.xname.org. 600 IN AAAA
> 2a01:e0b:1:64:240:63ff:fee8:6155
>
> ;; Query time: 391 msec
> ;; SERVER: 195.234.42.1#53(195.234.42.1)
> ;; WHEN: Fri Mar 25 08:19:34 2011
> ;; MSG SIZE rcvd: 515
>
> %
>
> > despite my efforts to validate isc dlv. I'm always at the same point I
> > can not validate the keys. error below the script isc
> >
> > SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
> > 3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
> > 3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
> > 3.345:INFO Total answers: 3
> > 3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
> > 3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
> > 3.347:SUCCESS All DNSKEY responses are identical.
> > 3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1
> > AwEAAbjq...Na0iXShQfc=
> > 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> > 3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1
> > AwEAAcNa...y1khCE+CdE=
> > 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> > 3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
> > 3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
> > 3.353:DEBUG VERIFY-DNSKEY: Using keys:
> > 3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
> > 3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
> > 3.353:FAILURE DNSKEY signature did not validate.
> > 3.353:FINAL_FAILURE FAILURE
> >
> > --
> > gpg --keyserver pgp.mit.edu --recv-key 092164A7
> > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7

--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
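
The per-server check described in the quoted reply (does a nameserver return RRSIG records with its DNSKEY answer when queried with DO=1), as an added example that is not part of the original thread. The function name, the example.test zone and the key and signature strings are constructed placeholders.

```shell
#!/bin/sh
# Classify the text output of `dig +dnssec dnskey ZONE @SERVER`.
# Prints "signed" if the answer section carries an RRSIG covering DNSKEY,
# "unsigned" if it has DNSKEY records but no such RRSIG, and "no-dnskey"
# if it has no DNSKEY records at all. Expects dig's default layout of one
# record per line (no +multi). Function name is hypothetical.
classify_dnskey_answer() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; / || /^$/        { in_answer = 0 }
        in_answer && $4 == "DNSKEY"                  { keys++ }
        in_answer && $4 == "RRSIG" && $5 == "DNSKEY" { sigs++ }
        END {
            if (keys + 0 == 0)  print "no-dnskey"
            else if (sigs > 0)  print "signed"
            else                print "unsigned"
        }'
}

# Constructed sample: a DNSSEC-enabled server answering a DO=1 query.
sample_signed() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.test. 3600 IN DNSKEY 256 3 5 CONSTRUCTEDZSKDATA=
example.test. 3600 IN DNSKEY 257 3 5 CONSTRUCTEDKSKDATA=
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20110424000000 20110325000000 12345 example.test. CONSTRUCTEDSIG=

;; Query time: 1 msec
EOF
}

# Constructed sample: same keys, but the server omits the RRSIG
# (header counts are left as in the signed sample).
sample_unsigned() {
    sample_signed | grep -v ' IN RRSIG '
}

for s in sample_signed sample_unsigned; do
    printf '%s: %s\n' "$s" "$($s | classify_dnskey_answer)"
done
# Live use (needs network), once per NS of the zone:
#   dig +dnssec +norec dnskey ZONE @SERVER | classify_dnskey_answer
```

Any nameserver reported as "unsigned" is serving the keys without signatures, so a validator cannot verify the DNSKEY rrset through it.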