> OpenDNSSEC 2.1.13 running on FreeBSD 13.3.
>
> Recently, dnsviz.net started reporting the lack of "Denial of existence" DNSSEC option error for all my domains:
>
> ad2h.mydomain.org/A has errors; select the "Denial of existence" DNSSEC option to see them.
> mydomain.org/CDNSKEY has errors; select the "Denial of existence" DNSSEC option to see them.
> mydomain.org/CDS has errors; select the "Denial of existence" DNSSEC option to see them.
> mydomain.org/AAAA has errors; select the "Denial of existence" DNSSEC option to see them.
> mydomain.org/CNAME has errors; select the "Denial of existence" DNSSEC option to see them.
>
> Is this due to the TTL being commented out in my kasp.xml, or am I missing some other settings?
It's commented out, so that ought not be the issue.
> <Denial>
>   <NSEC3>
>     <!-- <TTL>PT0S</TTL> -->
>     <!-- <OptOut/> -->
>     <Resalt>P100D</Resalt>
>     <Hash>
>       <Algorithm>1</Algorithm>
>       <Iterations>5</Iterations>
>       <Salt length="8"/>
>     </Hash>
>   </NSEC3>
> </Denial>
However, you didn't quote what the <Denial> stanza in your
<Policy>'s <Signature> / <Validity> entry looks like. Mine looks
like this:
<Policy name="xxx">
  <Signatures>
    ...
    <Validity>
      <Default>P21D</Default>
      <Denial>P21D</Denial>
    </Validity>
    ...
and I don't think I'm seeing this issue flagged from dnsviz.net.
We're also running OpenDNSSEC 2.1.13.
The current operational recommendation is to use
<Iterations>0</Iterations>, though, ref. RFC 9276 section 3.1.
Hm, I notice that the recommendation is also to have a zero salt
length, see the same RFC.
Transitioning from this config to the new, if you do OpenDNSSEC
as a "bump on the wire", you may need to remove OpenDNSSEC's
temporary files (copies of zones + parameters), and re-transfer
them by restarting OpenDNSSEC. "Buyer beware!" (I had to do
that when going to Iterations=0, anyway. Your mileage may vary.)
Regards,
- Håvard
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
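As an added illustration of the two checks discussed in this thread (not code from the thread or from the OpenDNSSEC project), the script below parses a kasp.xml `<Policy>` and flags a missing `<Signatures><Validity><Denial>` entry, a non-zero NSEC3 `<Iterations>`, a non-empty `<Salt length>`, and an enabled `<OptOut/>` (the last is the RFC 9276 section 3.1 advice, not something raised in the thread). Both XML samples are constructed: the first is modelled on the quoted stanza, the second on the recommended settings; the element paths follow the fragments quoted above and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <Denial> stanza quoted in the thread (not the
# poster's real kasp.xml): 5 NSEC3 iterations, an 8-octet salt, and a <Validity>
# block that carries no <Denial> entry.
KASP_AS_POSTED = """\
<KASP>
  <Policy name="posted">
    <Signatures>
      <Validity>
        <Default>P21D</Default>
      </Validity>
    </Signatures>
    <Denial>
      <NSEC3>
        <!-- <TTL>PT0S</TTL> -->
        <!-- <OptOut/> -->
        <Resalt>P100D</Resalt>
        <Hash>
          <Algorithm>1</Algorithm>
          <Iterations>5</Iterations>
          <Salt length="8"/>
        </Hash>
      </NSEC3>
    </Denial>
  </Policy>
</KASP>
"""

# Constructed sample with the settings the thread recommends: RFC 9276 section 3.1
# NSEC3 parameters (0 iterations, empty salt) plus an explicit <Denial> validity.
KASP_RECOMMENDED = """\
<KASP>
  <Policy name="recommended">
    <Signatures>
      <Validity>
        <Default>P21D</Default>
        <Denial>P21D</Denial>
      </Validity>
    </Signatures>
    <Denial>
      <NSEC3>
        <Resalt>P100D</Resalt>
        <Hash>
          <Algorithm>1</Algorithm>
          <Iterations>0</Iterations>
          <Salt length="0"/>
        </Hash>
      </NSEC3>
    </Denial>
  </Policy>
</KASP>
"""


def audit_policy(policy):
    """Return a list of (code, message) findings for one <Policy> element."""
    findings = []
    name = policy.get("name", "?")

    # The thread's first question: is there a <Denial> validity next to <Default>?
    if policy.find("Signatures/Validity/Denial") is None:
        findings.append(("NO_DENIAL_VALIDITY",
                         f"{name}: <Signatures><Validity> has no <Denial> entry"))

    nsec3 = policy.find("Denial/NSEC3")
    if nsec3 is None:
        return findings  # plain NSEC policy: no NSEC3 parameters to check

    # RFC 9276 section 3.1: iterations SHOULD be 0.
    iterations = int(nsec3.findtext("Hash/Iterations", "0") or "0")
    if iterations > 0:
        findings.append(("NSEC3_ITERATIONS",
                         f"{name}: Iterations={iterations}, RFC 9276 s3.1 recommends 0"))

    # RFC 9276 section 3.1: the salt SHOULD be empty (length 0).
    salt = nsec3.find("Hash/Salt")
    salt_len = int(salt.get("length", "0")) if salt is not None else 0
    if salt_len > 0:
        findings.append(("NSEC3_SALT",
                         f"{name}: Salt length={salt_len}, RFC 9276 s3.1 recommends 0"))

    # Not raised in the thread: RFC 9276 s3.1 reserves opt-out for large,
    # delegation-centric zones, so flag it for review when enabled.
    if nsec3.find("OptOut") is not None:
        findings.append(("NSEC3_OPTOUT", f"{name}: <OptOut/> is enabled; confirm it is needed"))
    return findings


def audit_kasp(xml_text):
    """Map each policy name to its findings; XML comments are dropped by the parser."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): audit_policy(p) for p in root.iter("Policy")}


def finding_codes(xml_text):
    """Just the finding codes per policy, handy for tests and scripting."""
    return {name: [code for code, _ in f] for name, f in audit_kasp(xml_text).items()}


if __name__ == "__main__":
    for sample in (KASP_AS_POSTED, KASP_RECOMMENDED):
        for name, findings in audit_kasp(sample).items():
            print(f"policy {name}: {len(findings)} finding(s)")
            for _, message in findings:
                print("  -", message)
```

Run it against a real kasp.xml with `audit_kasp(open("kasp.xml").read())`; a policy that comes back with an empty list matches the parameters Håvard describes. Changing iterations or salt on a live policy still triggers the "bump on the wire" resalt/re-transfer caveat from the reply, so plan the change rather than applying it blindly.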