Hello Thierry SAMEN,

On Fri, 20 Jul 2012, William Thierry SAMEN wrote:

Hi all Bind users,
I just have a problem with my zone signing output; I made all the steps to
obtain a good result.
 1. Generated KSK and ZSK
 2. Add both of keys at the end of my zone file
 3. signing my zone with dnssec-signzone command
 4. enable dnssec in named options
 5. change the name of my zone in the named by namezone.signed
 6. I got the root DNSKEY RR set before with dig command and redirect the output in root-dnskey file
 7. I turned the DNSKEY into DS RR set also, with dnssec-dsfromkey command.


Did you send the DS RR to the operator of the parent zone, and did you wait for the DS record to appear in the parent zone?

To see an AD flag, you need to send the query towards a caching DNSSEC validating server that is _not_ the same server that is hosting the zone (see <http://strotmann.de/roller/dnsworkshop/entry/dns_name_resolution_design_for> ).

The chain of trust from the trust-anchor of the caching validating DNS server until the signatures in the zone must be complete, including the DS record for your zone which must be hosted in the parent zone (co.uk.).

Please also make sure that the serial number in the SOA record on the authoritative server is the same number that you see in the signed zone file. Do not forget to increment the SOA serial before or during the signing process ( dnssec-signzone -N INCREMENT ... ).

I cannot test your domain from here, it seems the domain is not delegated (I'm seeing an NXDOMAIN from co.uk.).

csmobile :: ~ » drill -k root.key -SD willzik.co.uk
;; Number of trusted keys: 1
;; Chasing: willzik.co.uk. A


DNSSEC Trust tree:
willzik.co.uk. (A)
|---Existence is denied by:
|---G9F1KIIHM8M9VHJK7LRVETBQCEOGJIQP.co.uk. (NSEC3)
|---Existence is denied by:
|---QLR2IB6LOCI8AIL6L2NH50RQV809BNEG.co.uk. (NSEC3)
|---Existence is denied by:
|---22SDTUJH764RHEGKI5GU51QAU3T7947V.co.uk. (NSEC3)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

(the negative answer here is not DNSSEC validated, but that is another issue).

Best regards

Carsten Strotmann
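A shell checklist for the three things the reply above asks about (a DS for the zone in the parent, the SOA serial in the signed file matching what the authoritative server serves, and the AD flag from a separate validating resolver). This is added example code, not from the thread; it assumes the BIND tools dig and dnssec-dsfromkey are installed, and the ZONEFILE and KSK variables are names chosen here.

```shell
#!/bin/sh
# Added checklist for the three points raised in the reply; not part of the
# original thread. Assumes the BIND tools dig and dnssec-dsfromkey are
# installed. Usage: sh dnssec-check.sh ZONE AUTH_SERVER VALIDATING_RESOLVER
# with ZONEFILE (signed zone file) and KSK (KSK .key file) set as needed.

# Serial from the SOA in a zone file; handles both the one-line ("full")
# and the multi-line (parenthesised) SOA layout that dnssec-signzone writes.
soa_serial_from_file() {
    awk '
        !insoa && $0 ~ /[ \t]SOA[ \t]/ {
            insoa = 1
            for (i = 1; i <= NF; i++) if ($i == "SOA") { i++; break }
            for (; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit }
            next
        }
        insoa { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }
    ' "$1"
}

# Serial the authoritative server actually hands out (3rd field of +short SOA).
soa_serial_served() { dig +short SOA "$1" @"$2" | awk '{ print $3 }'; }

# Does the parent zone publish a DS whose key tag matches our KSK?
ds_in_parent() {
    tag=$(dnssec-dsfromkey -2 "$2" | awk '{ print $4 }')
    dig +short DS "$1" | awk -v t="$tag" '$1 == t { ok = 1 } END { exit !ok }'
}

# Ask a separate validating resolver and look for the AD bit in the reply header.
ad_flag_set() { dig @"$2" +dnssec "$1" A | grep -q '^;; flags:.* ad[ ;]'; }

if [ $# -eq 3 ]; then
    zone=$1 auth=$2 resolver=$3
    file_serial=$(soa_serial_from_file "${ZONEFILE:-$zone.signed}")
    live_serial=$(soa_serial_served "$zone" "$auth")
    [ "$file_serial" = "$live_serial" ] && echo "serial ok ($live_serial)" \
        || echo "serial mismatch: file=$file_serial served=$live_serial"
    ds_in_parent "$zone" "${KSK:?set KSK to the KSK .key file}" \
        && echo "DS found in parent" \
        || echo "no matching DS in parent (not delegated, or DS not submitted yet)"
    ad_flag_set "$zone" "$resolver" && echo "AD flag set" || echo "AD flag missing"
fi
```

Run it with no arguments to load the functions only; with three arguments it performs the live queries against the servers you name.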
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users