Can you tell me if these are the correct steps to secure 
gtec-gru-gw.customer.a.aa? A listing of the records table is attached.

pdnssec rectify-zone customer.a.aa
pdnssec add-zone-key customer.a.aa zsk
pdnssec add-zone-key customer.a.aa ksk

Is this correct and is there anything else that I would need to do?

Thank you,

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Peter van Dijk
Sent: Monday, September 24, 2012 12:25 PM
To: pdns-users Users
Subject: Re: [Pdns-users] DNSSEC Not Working for All Subdomains

Hello Linda,

On Sep 24, 2012, at 15:50 , Dougan, Linda A wrote:

> Thank you for your  help. I tried rectifying the zones and it did enter the 
> ordername and auth, but I am still not getting the DNSSEC answer from both 
> zones.  It works for www.a.aa but not gtec-gru-gw.customer.a.aa see below.   
> Is "dig +dnssec +multiline @127.0.0.1 www.a.aa" the correct way to test it?  
> I have included listing of records data, see attachment.  I am using pdns 
> version 3.0.1.

Yes, that's a fine way to test it. Do note that we recommend against DNSSEC 
operation on 3.0 and 3.0.1. Version 3.1 has a lot of important DNSSEC fixes. 
However, your problems are not related to those fixes.

> $ dig +dnssec +multiline @127.0.0.1 gtec-gru-gw.customer.a.aa
> 
> ; <<>> DiG 9.9.1-P1 <<>> +dnssec +multiline @127.0.0.1 gtec-gru-gw.customer.a.aa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61077
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 2800
> ;; QUESTION SECTION:
> ;gtec-gru-gw.customer.a.aa. IN A
> 
> ;; ANSWER SECTION:
> gtec-gru-gw.customer.a.aa. 14400 IN A 209.251.128.86


Because this is a different zone (as we noticed in your dump), you also need to 
secure it separately. In DNSSEC, the boundaries between zones really are very 
important boundaries, and every zone has its own settings and keys.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
mysql> select name,domain_id, type,ordername, auth from records where name like '%a.aa';
+-----------------------------------+-----------+-------+------------------+------+
| name                              | domain_id | type  | ordername        | auth |
+-----------------------------------+-----------+-------+------------------+------+
| a.aa                           |        18 | SOA   |                  |    1 |
| a.aa                           |        18 | NS    |                  |    1 |
| a.aa                           |        18 | A     |                  |    1 |
| ns1.a.aa                       |        18 | A     | ns1              |    1 |
| ns2.a.aa                       |        18 | A     | ns2              |    1 |
| tnt-gw.a.aa                    |        18 | A     | tnt-gw           |    1 |
| tnt1.a.aa                      |        18 | A     | tnt1             |    1 |
| tnt2.a.aa                      |        18 | A     | tnt2             |    1 |
| tnt-gw2.a.aa                   |        18 | A     | tnt-gw2          |    1 |
| tnt-gw1.a.aa                   |        18 | A     | tnt-gw1          |    1 |
| sesm-gw.a.aa                   |        18 | A     | sesm-gw          |    1 |
| sesm1.a.aa                     |        18 | CNAME | sesm1            |    1 |
| sesm2.a.aa                     |        18 | CNAME | sesm2            |    1 |
| sesm.a.aa                      |        18 | A     | sesm             |    1 |
| ssg1.a.aa                      |        18 | A     | ssg1             |    1 |
| ssg2.a.aa                      |        18 | A     | ssg2             |    1 |
| ssg1-co1-gw.a.aa               |        18 | A     | ssg1-co1-gw      |    1 |
| ssg2-co2-gw.a.aa               |        18 | A     | ssg2-co2-gw      |    1 |
| co1-ssg1-gw.a.aa               |        18 | A     | co1-ssg1-gw      |    1 |
| co2-ssg2-gw.a.aa               |        18 | A     | co2-ssg2-gw      |    1 |
| ssg-internet-gw.a.aa           |        18 | A     | ssg-internet-gw  |    1 |
| nagios1.a.aa                   |        18 | A     | nagios1          |    1 |
| relay1.a.aa                    |        18 | A     | relay1           |    1 |
| relay2.a.aa                    |        18 | A     | relay2           |    1 |
| ems1.a.aa                      |        18 | A     | ems1             |    1 |
| pwas2.a.aa                     |        18 | CNAME | pwas2            |    1 |
| pwas.a.aa                      |        18 | A     | pwas             |    1 |
| pwasdocs.a.aa                  |        18 | A     | pwasdocs         |    1 |
| gcdb.a.aa                      |        18 | A     | gcdb             |    1 |
| gcdb1.a.aa                     |        18 | A     | gcdb1            |    1 |
| gcdb2.a.aa                     |        18 | A     | gcdb2            |    1 |
| gc1.a.aa                       |        18 | A     | gc1              |    1 |
| gc2.a.aa                       |        18 | A     | gc2              |    1 |
| gc3.a.aa                       |        18 | A     | gc3              |    1 |
| gc4.a.aa                       |        18 | A     | gc4              |    1 |
| voip1.a.aa                     |        18 | A     | voip1            |    1 |
| inbound.smtp.a.aa              |        18 | A     | smtp inbound     |    1 |
| inbound.smtp.a.aa              |        18 | A     | smtp inbound     |    1 |
| outbound.smtp.a.aa             |        18 | A     | smtp outbound    |    1 |
| outbound.smtp.a.aa             |        18 | A     | smtp outbound    |    1 |
| relay.smtp.a.aa                |        18 | CNAME | smtp relay       |    1 |
| ftp.a.aa                       |        18 | A     | ftp              |    1 |
| mail.a.aa                      |        18 | A     | mail             |    1 |
| smtp.a.aa                      |        18 | A     | smtp             |    1 |
| pop.a.aa                       |        18 | A     | pop              |    1 |
| pop3.a.aa                      |        18 | A     | pop3             |    1 |
| imap.a.aa                      |        18 | A     | imap             |    1 |
| nagios.a.aa                    |        18 | CNAME | nagios           |    1 |
| news.a.aa                      |        18 | CNAME | news             |    1 |
| ntp.a.aa                       |        18 | A     | ntp              |    1 |
| scripts.a.aa                   |        18 | CNAME | scripts          |    1 |
| speedtest.a.aa                 |        18 | CNAME | speedtest        |    1 |
| tickets.a.aa                   |        18 | A     | tickets          |    1 |
| user.a.aa                      |        18 | CNAME | user             |    1 |
| *.user.a.aa                    |        18 | CNAME | user *           |    1 |
| webcast.a.aa                   |        18 | CNAME | webcast          |    1 |
| webmail.a.aa                   |        18 | A     | webmail          |    1 |
| www.a.aa                       |        18 | A     | www              |    1 |
| eupdates.a.aa                  |        18 | A     | eupdates         |    1 |
| eupdates.a.aa                  |        18 | MX    | eupdates         |    1 |
| gru-fal-gw.customer.a.aa       |        87 | A     | gru-fal-gw       |    1 |
| fal-gru-gw.customer.a.aa       |        87 | A     | fal-gru-gw       |    1 |
| gru-therock-gw.customer.a.aa   |        87 | A     | gru-therock-gw   |    1 |
| therock-gru-gw.customer.a.aa   |        87 | A     | therock-gru-gw   |    1 |
| gru-cardio-gw.customer.a.aa    |        87 | A     | gru-cardio-gw    |    1 |
| cardio-gru-gw.customer.a.aa    |        87 | A     | cardio-gru-gw    |    1 |
| gru-asterisk-gw.customer.a.aa  |        87 | A     | gru-asterisk-gw  |    1 |
| asterisk-gru-gw.customer.a.aa  |        87 | A     | asterisk-gru-gw  |    1 |
| gru-barrsys-gw.customer.a.aa   |        87 | A     | gru-barrsys-gw   |    1 |
| barrsys-gru-gw.customer.a.aa   |        87 | A     | barrsys-gru-gw   |    1 |
| gru-blueskies-gw.customer.a.aa |        87 | A     | gru-blueskies-gw |    1 |
| blueskies-gru-gw.customer.a.aa |        87 | A     | blueskies-gru-gw |    1 |
| gru-alligator-gw.customer.a.aa |        87 | A     | gru-alligator-gw |    1 |
| alligator-gru-gw.customer.a.aa |        87 | A     | alligator-gru-gw |    1 |
| gru-352-gw.customer.a.aa       |        87 | A     | gru-352-gw       |    1 |
| 352-gru-gw.customer.a.aa       |        87 | A     | 352-gru-gw       |    1 |
| gru-symo-gw.customer.a.aa      |        87 | A     | gru-symo-gw      |    1 |
| symo-gru-gw.customer.a.aa      |        87 | A     | symo-gru-gw      |    1 |
| gru-hkw-gw.customer.a.aa       |        87 | A     | gru-hkw-gw       |    1 |
| hkw-gru-gw.customer.a.aa       |        87 | A     | hkw-gru-gw       |    1 |
| gru-lw-gw.customer.a.aa        |        87 | A     | gru-lw-gw        |    1 |
| lw-gru-gw.customer.a.aa        |        87 | A     | lw-gru-gw        |    1 |
| gru-drxc-gw.customer.a.aa      |        87 | A     | gru-drxc-gw      |    1 |
| drxc-gru-gw.customer.a.aa      |        87 | A     | drxc-gru-gw      |    1 |
| gru-gpd-gw.customer.a.aa       |        87 | A     | gru-gpd-gw       |    1 |
| gpd-gru-gw.customer.a.aa       |        87 | A     | gpd-gru-gw       |    1 |
| gru-3001-gw.customer.a.aa      |        87 | A     | gru-3001-gw      |    1 |
| 3001-gru-gw.customer.a.aa      |        87 | A     | 3001-gru-gw      |    1 |
| gru-ufhotel-gw.customer.a.aa   |        87 | A     | gru-ufhotel-gw   |    1 |
| ufhotel-gru-gw.customer.a.aa   |        87 | A     | ufhotel-gru-gw   |    1 |
| gru-infenergy-gw.customer.a.aa |        87 | A     | gru-infenergy-gw |    1 |
| infenergy-gru-gw.customer.a.aa |        87 | A     | infenergy-gru-gw |    1 |
| gru-gtec-gw.customer.a.aa      |        87 | A     | gru-gtec-gw      |    1 |
| gtec-gru-gw.customer.a.aa      |        87 | A     | gtec-gru-gw      |    1 |
| gru-mfaaa-gw.customer.a.aa     |        87 | A     | gru-mfaaa-gw     |    1 |
| mfaaa-gru-gw.customer.a.aa     |        87 | A     | mfaaa-gru-gw     |    1 |
| gru-mri-gw.customer.a.aa       |        87 | A     | gru-mri-gw       |    1 |
| mri-gru-gw.customer.a.aa       |        87 | A     | mri-gru-gw       |    1 |
+-----------------------------------+-----------+-------+------------------+------+
98 rows in set (0.01 sec)
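
Added example, not part of the original thread: a Python check for the situation discussed above. zone_of picks the most specific zone that contains a name (the zone list is an assumption taken from the zone names used in the messages), and unsigned_rrsets reads `dig +dnssec` output and lists answer RRsets that came back without a covering RRSIG. Both sample replies are constructed; every RRSIG field is a placeholder.

```python
import re

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

# Constructed sample, modelled on the unsigned reply quoted in the thread.
UNSIGNED = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;gtec-gru-gw.customer.a.aa. IN A

;; ANSWER SECTION:
gtec-gru-gw.customer.a.aa. 14400 IN A 209.251.128.86
"""
# Constructed sample of a signed reply; every RRSIG field is a placeholder.
SIGNED = UNSIGNED + (
    "gtec-gru-gw.customer.a.aa. 14400 IN RRSIG A 8 4 14400 (\n"
    "\t\t\t\t20121004000000 20120920000000 12345 customer.a.aa.\n"
    "\t\t\t\tPLACEHOLDER= )\n"
)

def zone_of(name, zones):
    """Longest-suffix match: the zone whose keys must sign `name`."""
    name = name.rstrip(".").lower()
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def unsigned_rrsets(dig_output):
    """Return (do_bit_set, answer RRsets that have no covering RRSIG)."""
    do_bit = bool(re.search(r"^; EDNS:.*flags:[^;]*\bdo\b", dig_output, re.M))
    rrsets, covered, in_answer = set(), set(), False
    for line in dig_output.splitlines():
        if line.startswith(";; "):
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line or line[0] in " \t;":
            continue  # other sections, comments, +multiline continuation lines
        m = RR.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3)
        if rtype == "RRSIG":
            covered.add((owner, rdata.split()[0].upper()))  # first field: type covered
        else:
            rrsets.add((owner, rtype))
    return do_bit, sorted(rrsets - covered)

if __name__ == "__main__":
    print(zone_of("gtec-gru-gw.customer.a.aa", ["a.aa", "customer.a.aa"]))
    print(unsigned_rrsets(UNSIGNED), unsigned_rrsets(SIGNED))
```

A non-empty list with the DO bit set means the zone that owns the name is serving unsigned data, which is the symptom shown for customer.a.aa in the thread.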