> On 16 May 2021, at 10:17, Dan Egli via bind-users <bind-users@lists.isc.org> wrote:
> 
> On 5/10/2021 12:38 PM, Tony Finch wrote:
>> Dan Egli <d...@newideatest.site> wrote:
>> 
>>> Still not working for me. The dig doesn't report anything, and I don't HAVE a
>>> keyfile since I'm using inline signing. Or does inline signing still require a
>>> key to be generated?
>>> 
>> Yes, you need to do your own key management with inline-signing using
>> dnssec-keygen. The new dnssec-policy feature can do automatic key
>> management for you.
>> 
>> Tony.
>> 
> 
> So, I updated the settings. Now I have keyfiles generated by bind, as well as 
> a binary .zone.signed in addition to the plain text .zone which has no DNSSEC 
> information at all in it. I ran the signing routine and bind said it was 
> signed good. So I obtained the DS and put in the registrar. Now I am getting 
> SERVFAIL errors whenever I try to query my zone from another name server. 
> Here's what I did:
> 
> #dig newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site
> newideatest.site. IN DS 49236 13 2 <LONG HASH>
> 
> Ok. Copy the long hash to the Registrar, plug it in. Check, done that.
> 
>  # dig mx newideatest.site @8.8.4.4
> 
> ; <<>> DiG 9.16.15 <<>> mx newideatest.site @8.8.4.4
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 631
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;newideatest.site.              IN      MX
> 
> ;; Query time: 50 msec
> ;; SERVER: 8.8.4.4#53(8.8.4.4)
> ;; WHEN: Sat May 15 18:12:44 MDT 2021
> ;; MSG SIZE  rcvd: 45
> ServFail?! WHAT?

This is a known bug fixed in BIND 9.11.25.  Upgrade.  Once the DS is added to
.site for newideatest.site the resolution will work.

> So I go to DNSVIZ and run their test. 
> Errors (9)
> 
> • newideatest.site/A: No RRSIG covering the RRset was returned in the response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
> • newideatest.site/AAAA: No RRSIG covering the RRset was returned in the response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
> • newideatest.site/DNSKEY (alg 13, id 49236): No RRSIG covering the RRset was returned in the response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
> • newideatest.site/MX: No RRSIG covering the RRset was returned in the response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
> • newideatest.site/NS: No RRSIG covering the RRset was returned in the response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
> • newideatest.site/SOA: No RRSIG covering the RRset was returned in the response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, TCP_-_EDNS0_4096_D_N, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_4096_D_KN_0x20)
> • newideatest.site/TXT: No RRSIG covering the RRset was returned in the response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
> • site to newideatest.site: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
> • site to newideatest.site: The DS RRset for the zone included algorithm 13 (ECDSAP256SHA256), but no DS RR matched a DNSKEY with algorithm 13 that signs the zone's DNSKEY RRset. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
> 
> Warnings (13)
> 
> • newideatest.site/A: The server responded with no OPT record, rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
> • newideatest.site/AAAA: The server responded with no OPT record, rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
> • newideatest.site/DNSKEY (alg 13, id 49236): The server responded with no OPT record, rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
> • newideatest.site/MX: The server responded with no OPT record, rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
> • newideatest.site/NS: The server responded with no OPT record, rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
> • newideatest.site/SOA: The server responded with no OPT record, rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, TCP_-_EDNS0_4096_D_N, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_4096_D_KN_0x20)
> • newideatest.site/TXT: The server responded with no OPT record, rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
> • site to newideatest.site: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the site zone): jupiter.newideatest.site
> • site to newideatest.site: The following NS name(s) were found in the delegation NS RRset (i.e., in the site zone), but not in the authoritative NS RRset: jupiter.eglifamily.name
> • site/DS (alg 8, id 51676): DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).
> • site/DS (alg 8, id 51676): DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).
> • site/DS (alg 8, id 51676): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
> • site/DS (alg 8, id 51676): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
> 
> So, what am I doing wrong? Here's the zone statement for the newideatest.site 
> zone in my named.conf:
> 
>         zone "newideatest.site" {
>                 type master;
>                 file "pri/newideatest.zone";
>                 allow-query { any; };
>                 allow-transfer {
>                         108.61.224.67; 116.203.6.3; 107.191.99.111; 185.22.172.112;
>                         103.6.87.125; 192.184.93.99; 119.252.20.56; 31.220.30.73;
>                         185.34.136.178; 185.136.176.247; 45.77.29.133; 116.203.0.64;
>                         167.88.161.228; 199.195.249.208; 104.244.78.122;
>                         2605:6400:30:fd6e::3; 2605:6400:10:65::3; 2605:6400:20:d5e::3;
>                         2a01:4f8:1c0c:8122::3; 2001:19f0:7001:381::3;
>                         2a06:fdc0:fade:2f7::1; 2a00:dcc7:d3ff:88b2::1;
>                         2a04:bdc7:100:1b::3; 2401:1400:1:1201::1:7853:1a5;
>                         2604:180:1:92a::3; 2403:2500:4000::f3e;
>                         2a00:1838:20:2::cd5e:68e9; 2604:180:2:4cf::3;
>                         2a01:4f8:1c0c:8115::3; 2001:19f0:6400:8642::3;
>                 };
>                 allow-update { trusted; };
>                 key-directory "/var/bind/pri/keys";
>                 inline-signing yes;
>                 dnssec-policy default;
>         };
> };
> Help? If you have errors reaching me, try d...@eglifamily.name, as it doesn't 
> seem to be having issues.
> --Dan Egli
> From my Test Server
> 
> <OpenPGP_0x11B7451DF2015959.asc>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
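The quoted message derives the DS with "dig ... dnskey | dnssec-dsfromkey -2 -f -", and DNSViz then reports that no DS at the parent matches a DNSKEY that signs the zone's DNSKEY RRset. As an added example (not part of this thread and not BIND's code), the following Python re-derives the DS from a DNSKEY line in dig's presentation format, per RFC 4034 (key tag from Appendix B, digest over the owner name in wire form followed by the RDATA), so an operator can confirm offline that the DS entered at the registrar really corresponds to the published key. The DNSKEY line is constructed with all-zero key material and is not the real newideatest.site key.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY line in dig's presentation format. The key material is
# all zeros (NOT the real newideatest.site key); flags 257 = KSK/SEP, alg 13.
SAMPLE_DNSKEY = "newideatest.site. 3600 IN DNSKEY 257 3 13 " + "A" * 86 + "=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root = 0x00."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line: str):
    """Split '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64...>' into (owner, rdata)."""
    parts = line.split()
    i = parts.index("DNSKEY")
    flags, proto, alg = (int(x) for x in parts[i + 1:i + 4])
    pubkey = base64.b64decode("".join(parts[i + 4:]))
    return parts[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the DNSKEY RDATA, carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """What 'dnssec-dsfromkey -2' prints: digest over wire(owner) || DNSKEY RDATA (2 = SHA-256)."""
    owner, rdata = parse_dnskey(dnskey_line)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(dnskey_line: str, parent_ds_line: str) -> bool:
    """True if the DS held at the parent (registrar) was derived from this DNSKEY."""
    p = parent_ds_line.split()
    i = p.index("DS")
    tag, alg, dtype = (int(x) for x in p[i + 1:i + 4])
    if dtype not in (1, 2):  # digest type this checker cannot recompute: no match
        return False
    ours = ds_record(dnskey_line, dtype).split()
    return (tag, alg, dtype, "".join(p[i + 4:]).upper()) == (int(ours[3]), int(ours[4]), dtype, ours[6])
```

Feed ds_matches the DNSKEY line from "dig newideatest.site dnskey" and the DS line from "dig newideatest.site ds" at the parent; a False result means the registrar holds a DS for a key that is not the one signing the DNSKEY RRset, which is exactly the DNSViz error above.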
