Hi,
On 08-02-2021 12:20, @lbutlr wrote:
I feel I am getting close. I got the digest generated for hover.com and updated
the DNS on the test zone, but I am getting errors on verify that I don't
understand.
#v+
# dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed
Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed'
Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Missing ZSK for algorithm ECDSAP256SHA256
Missing NSEC record for blog.example.com
Missing NSEC record for wiki.example.com
Missing NSEC record for foobar.example.com
Missing NSEC record for barfoo.example.com
The zone is not fully signed for the following algorithms:
vECDSAP256SHA256
.
DNSSEC completeness test failed.NSSEC completeness test failed.
#v-
The missing ZSK is throwing me, and I don't know what to add to my zone record
for NSEC. I am following along (trying) with
https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention
of this, but shows NSEC showing up in the output of the signed file.
Use dnssec-verify -z to indicate that the ZSK may be the same key as the
KSK.
The missing NSEC records are more worrisome.
The only thing I can find that seems relevant (though it is for bind 9.7.3) is
part of the key generation, but I did not generate the keys manually, bind did
that with dnssec-policy default;
#v+
; This is the state of key 18434, for example.com.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: yes
Generated: 20210202180145 (Tue Feb 2 11:01:45 2021)
Published: 20210202180145 (Tue Feb 2 11:01:45 2021)
Active: 20210202180145 (Tue Feb 2 11:01:45 2021)
PublishCDS: 20210203190645 (Wed Feb 3 12:06:45 2021)
DNSKEYChange: 20210202200645 (Tue Feb 2 13:06:45 2021)
ZRRSIGChange: 20210203190645 (Wed Feb 3 12:06:45 2021)
KRRSIGChange: 20210202200645 (Tue Feb 2 13:06:45 2021)
DSChange: 20210203190645 (Wed Feb 3 12:06:45 2021)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
#v-
So the state file says the ZSK is yes, but dnssec-verify says no.
I ran delv test and it looks as I expect based on he guide linked above.
#v+
# delv @127.0.0.1 -a /tmp/Kexample.com.+013+18434.key +root=example.com
example.com SOA +multiline
; fully validated
example.com. 3600 IN SOA ns1.example.net. admin.example.net. (
2018022422 ; serial
300 ; refresh (5 minutes)
300 ; retry (5 minutes)
18000 ; expire (5 hours)
3600 ; minimum (1 hour)
)
example.com. 3600 IN RRSIG SOA 13 2 3600 (
20210221095138 20210207085138 18434
example.com.
Qps8u4m6…=
#v-
Is there a way to force rndc/bind to recreate the .signed file? If I move it
aside and restart named or rndc reload or rndc reconfig, the signed zone file
is not recreated.
rndc sign zone
- Matthijs
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users