> On 16 May 2021, at 10:17, Dan Egli via bind-users <bind-users@lists.isc.org> > wrote: > > On 5/10/2021 12:38 PM, Tony Finch wrote: >> Dan Egli <d...@newideatest.site> >> wrote: >> >>> Still not working for me. The dig doesn't report anything, and I don't HAVE >>> a >>> keyfile since i'm using inline signing. Or does inline signing still >>> require a >>> key to be generated? >>> >> Yes, you need to do your own key management with inline-signing using >> dnssec-keygen. The new dnssec-policy feature can do automatic key >> management for you. >> >> Tony. >> > > So, I updated the settings. Now I have keyfiles generated by bind, as well as > a binary .zone.signed in addition to the plain text .zone which has no DNSSEC > information at all in it. I ran the signing routine and bind said it was > signed good. So I obtained the DS and put in the registrar. Now I am getting > SERVFAIL errors whenever I try to query my zone from another name server. > Here's what I did: > > #dig newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site > newideatest.site. IN DS 49236 13 2 <LONG HASH> > > Ok. Copy the long hash to the Registrar, plug it in. Check, done that. > > # dig mx newideatest.site @8.8.4.4 > > ; <<>> DiG 9.16.15 <<>> mx newideatest.site @8.8.4.4 > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 631 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 512 > ;; QUESTION SECTION: > ;newideatest.site. IN MX > > ;; Query time: 50 msec > ;; SERVER: 8.8.4.4#53(8.8.4.4) > ;; WHEN: Sat May 15 18:12:44 MDT 2021 > ;; MSG SIZE rcvd: 45 > ServFail?! WHAT?
This is a known bug fixed in BIND 9.11.25. Upgrade. Once the DS is added to .site for newideatest.site the resolution will work. > So I go to DNSVIZ and run their test. > Errors (9) > > • newideatest.site/A: No RRSIG covering the RRset was returned in the > response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, > 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, > 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN) > • newideatest.site/AAAA: No RRSIG covering the RRset was returned in > the response. (31.220.30.73, 45.77.29.133, 103.6.87.125, > 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, > 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN) > • newideatest.site/DNSKEY (alg 13, id 49236): No RRSIG covering the > RRset was returned in the response. (31.220.30.73, 45.77.29.133, > 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, > 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, > UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN) > • newideatest.site/MX: No RRSIG covering the RRset was returned in the > response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, > 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, > 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN) > • newideatest.site/NS: No RRSIG covering the RRset was returned in the > response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, > 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, > 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN) > • newideatest.site/SOA: No RRSIG covering the RRset was returned in the > response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, > 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, > 2a04:bdc7:100:1b::3, TCP_-_EDNS0_4096_D_N, UDP_-_EDNS0_4096_D_KN, > UDP_-_EDNS0_4096_D_KN_0x20) > • newideatest.site/TXT: No RRSIG covering the RRset was returned in the > response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, > 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, > 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN) > • site to newideatest.site: No valid RRSIGs made by a key corresponding > to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry > point (SEP) into the zone. (31.220.30.73, 45.77.29.133, 103.6.87.125, > 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, > 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, > UDP_-_EDNS0_512_D_KN) > • site to newideatest.site: The DS RRset for the zone included > algorithm 13 (ECDSAP256SHA256), but no DS RR matched a DNSKEY with algorithm > 13 that signs the zone's DNSKEY RRset. (31.220.30.73, 45.77.29.133, > 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, > 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, > UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN) > Warnings (13) > > • newideatest.site/A: The server responded with no OPT record, rather > than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, > 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, > 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN) > • newideatest.site/AAAA: The server responded with no OPT record, > rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, > 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, > 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN) > • newideatest.site/DNSKEY (alg 13, id 49236): The server responded with > no OPT record, rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, > 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, > 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, > UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN) > • newideatest.site/MX: The server responded with no OPT record, rather > than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, > 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, > 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, > UDP_-_EDNS0_512_D_KN) > • newideatest.site/NS: The server responded with no OPT record, rather > than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, > 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, > 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN) > • newideatest.site/SOA: The server responded with no OPT record, rather > than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, > 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, > 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, > TCP_-_EDNS0_4096_D_N, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_4096_D_KN_0x20) > • newideatest.site/TXT: The server responded with no OPT record, rather > than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, > 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, > 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, > UDP_-_EDNS0_4096_D_KN) > • site to newideatest.site: The following NS name(s) were found in the > authoritative NS RRset, but not in the delegation NS RRset (i.e., in the site > zone): jupiter.newideatest.site > • site to newideatest.site: The following NS name(s) were found in the > delegation NS RRset (i.e., in the site zone), but not in the authoritative NS > RRset: jupiter.eglifamily.name > • site/DS (alg 8, id 51676): DNSSEC specification prohibits signing > with DS records that use digest algorithm 1 (SHA-1). > • site/DS (alg 8, id 51676): DNSSEC specification prohibits signing > with DS records that use digest algorithm 1 (SHA-1). > • site/DS (alg 8, id 51676): DS records with digest type 1 (SHA-1) are > ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. > • site/DS (alg 8, id 51676): DS records with digest type 1 (SHA-1) are > ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. > So, what am I doing wrong? Here's the zone statement for the newideatest.site > zone in my named.conf: > > zone "newideatest.site" { > type master; > file "pri/newideatest.zone"; > allow-query { any; }; > allow-transfer { > 108.61.224.67; 116.203.6.3; 107.191.99.111; 185.22.172.112; > 103.6.87.125; 192.184.93.99; 119.252.20.56; 31.220.30.73; 185.34.136.178; > 185.136.176.247; 45.77.29.133; 116.203.0.64; 167.88.161.228; 199.195.249.208; > 104.244.78.122; 2605:6400:30:fd6e::3; 2605:6400:10:65::3; > 2605:6400:20:d5e::3; 2a01:4f8:1c0c:8122::3; 2001:19f0:7001:381::3; > 2a06:fdc0:fade:2f7::1; 2a00:dcc7:d3ff:88b2::1; 2a04:bdc7:100:1b::3; > 2401:1400:1:1201::1:7853:1a5; 2604:180:1:92a::3; 2403:2500:4000::f3e; > 2a00:1838:20:2::cd5e:68e9; 2604:180:2:4cf::3; > 2a01:4f8:1c0c:8115::3; 2001:19f0:6400:8642::3; > }; > allow-update { trusted; }; > key-directory "/var/bind/pri/keys"; > inline-signing yes; > dnssec-policy default; > }; > }; > Help? If you have errors reaching me, try d...@eglifamily.name, as it doesn't > seem to be having issues. > --Dan Egli > From my Test Server > > <OpenPGP_0x11B7451DF2015959.asc>_______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users