Re: Problem with DNSSEC signing zone

2012-07-20 Thread Doug Barton
On 07/20/2012 07:05, Casey Deccio wrote:
> On Fri, Jul 20, 2012 at 2:52 AM, William Thierry SAMEN
> <thierry.sa...@gmail.com> wrote:
> 
> > I just have a problem with my zone signing output; I made all the
> > steps to obtain a good result.
> 
> ...
> 
> > my zone name is willzik.co.uk
> 
> I'm getting an NXDOMAIN response from the co.uk servers,
> rather than a delegation referral:

That domain isn't registered.

-- 
If you're never wrong, you're not trying hard enough


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Error: already exists previous definition

2012-07-20 Thread Mark Andrews

In message <20120720204053.43b5615e...@da1.active-domain.com>, Active Venture -
 Tom writes:
> Hi
> 
> We have been getting a lot of errors like the following from our BIND 9 
> servers (9.5.1.1):

9.5.1 has known security flaws and was end-of-lifed several years ago.
 
> 20-Jul-2012 15:26:40.181 config: error: 
> /var/named/etc/namedb/conf/zone_0.conf:1529: zone 'x.net': 
> already exists previous definition: /var/named/etc/namedb/conf/zone_0.conf:1529
> 20-Jul-2012 15:26:46.270 general: error: reloading configuration 
> failed: failure
> 
> This has never ever happened before and the problem only started a 
> few days ago, and we did not make any changes to our BIND servers.

That you remember or someone is honest enough to admit to.

The error looks like you have included a configuration file twice.

> In 
> fact, we have been using the same set up and configuration for over 3 
> years without any problem until now.
> 
> The puzzling aspect is, there is NO duplicated config or zone entries 
> at all for the domains listed in such error. In this instance, this 
> is the only line found in zone_0.conf:
> 
> zone "x.net" {type master; file 
> "/var/named/etc/namedb/zones/0/x.net"; notify no; };
> 
> I will appreciate greatly if someone could offer any advice or idea 
> as to what's exactly causing such errors? Thanks very much.
> 
> Regards,
> 
> Tom
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Mark Andrews

In message <500985c0.3000...@interlinx.bc.ca>, "Brian J. Murrell" writes:
> On 12-07-20 11:40 AM, Mark Andrews wrote:
> >
> > In message <500978a5.4070...@imperial.ac.uk>, Phil Mayers writes:
> >> On 20/07/12 16:21, Mark Andrews wrote:
> >>>
> >>> In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes:
> >>>> Just for good measure, since I think I have posted this before, but here
> >>>> are the options I have set in my bind configuration with regard to dnssec:
> >>>>
> >>>>  dnssec-enable yes;
> >>>>  dnssec-validation yes;
> >>>>  dnssec-lookaside auto;
> >
> > My bad.  "dnssec-validation auto;" is what I was thinking about.
> 
> Interesting.  Is "auto" for that value different/better than "yes",
> which I have configured already?
> 
> Cheers,
> b.

"dnssec-validation auto;" tells named to use the compiled
in root key in addition to enabling validation.  Depending
on the version this is a plain trusted-key or a managed-key.

If NS_SYSCONFDIR/bind.keys exists and is readable its contents
override the built in contents.

The root key(s) and dlv.isc.org key(s) are loaded from this
file for dnssec-validation auto; and dnssec-lookaside auto;
respectively.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Error: already exists previous definition

2012-07-20 Thread Tony Finch
On 20 Jul 2012, at 21:40, Active Venture - Tom  wrote:
> 
> 20-Jul-2012 15:26:40.181 config: error: 
> /var/named/etc/namedb/conf/zone_0.conf:1529: zone 'x.net': already exists 
> previous definition: /var/named/etc/namedb/conf/zone_0.conf:1529
> 20-Jul-2012 15:26:46.270 general: error: reloading configuration failed: 
> failure
> 
> The puzzling aspect is, there is NO duplicated config or zone entries at all 
> for the domains listed in such error.

Are there any duplicate include directives?

Tony.
--
f.anthony.n.finch    http://dotat.at/
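Tony's and Mark's diagnosis is easy to confirm mechanically: named reads an included file as many times as it is included, so a zone that appears exactly once in zone_0.conf is seen twice if zone_0.conf itself is pulled in twice, and the "previous definition" then points at the very same file:line, exactly as in Tom's log. The script below is an added example for this thread, not ISC code: it expands include directives from a named.conf, records every zone statement with its file and line, and reports both the duplicated zones and the files included more than once. The directory layout, file names and the find_duplicates/run_demo helpers are constructed for the example. Two assumptions to keep in mind: relative include paths are resolved against the including file here (adjust if yours are relative to named's working directory), and zones that legitimately repeat across views are not told apart, so confirm those by hand. named-checkconf reports the same "already exists" error as named, but it does not tell you where the second include is.

```python
"""Find files that named would read twice via nested include directives,
and the zone statements that therefore appear twice.
Added example for this thread, not BIND code.  Sample config is constructed."""
import os
import re
import tempfile
from collections import defaultdict

INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;')
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"')
COMMENT_RE = re.compile(r'(//|#).*$')


def walk_config(path, zones=None, includes=None, chain=()):
    """Recursively expand includes.  Returns (zones, includes):
    zone name -> [file:line, ...]  and  included file -> [include site, ...]."""
    zones = defaultdict(list) if zones is None else zones
    includes = defaultdict(list) if includes is None else includes
    path = os.path.normpath(path)
    if path in chain:            # include cycle: stop rather than loop forever
        return zones, includes
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = COMMENT_RE.sub("", raw)
            m = INCLUDE_RE.match(line)
            if m:
                target = m.group(1)
                if not os.path.isabs(target):
                    # Assumption: relative to the including file's directory.
                    target = os.path.join(os.path.dirname(path), target)
                target = os.path.normpath(target)
                includes[target].append(f"{path}:{lineno}")
                walk_config(target, zones, includes, chain + (path,))
                continue
            m = ZONE_RE.match(line)
            if m:
                zones[m.group(1).lower().rstrip(".")].append(f"{path}:{lineno}")
    return zones, includes


def find_duplicates(root):
    """Zones defined more than once, and files included more than once."""
    zones, includes = walk_config(root)
    dup_zones = {z: locs for z, locs in zones.items() if len(locs) > 1}
    dup_includes = {f: sites for f, sites in includes.items() if len(sites) > 1}
    return dup_zones, dup_includes


def build_sample(tmpdir):
    """Constructed layout: zone_0.conf is included from named.conf directly
    and again from extra.conf, reproducing the 'already exists' symptom."""
    conf = os.path.join(tmpdir, "conf")
    os.makedirs(conf)
    with open(os.path.join(conf, "zone_0.conf"), "w") as f:
        f.write('zone "x.net" {type master; file "zones/0/x.net"; notify no; };\n')
        f.write('zone "y.net" {type master; file "zones/0/y.net"; notify no; };\n')
    with open(os.path.join(conf, "extra.conf"), "w") as f:
        f.write("// appended later; nobody noticed named.conf already had it\n")
        f.write('include "zone_0.conf";\n')
    named = os.path.join(tmpdir, "named.conf")
    with open(named, "w") as f:
        f.write('options { directory "/var/named"; };\n')
        f.write('include "conf/zone_0.conf";\n')
        f.write('include "conf/extra.conf";\n')
    return named


def run_demo():
    """Build the sample tree in a temp dir and return what find_duplicates finds."""
    return find_duplicates(build_sample(tempfile.mkdtemp()))


if __name__ == "__main__":
    dup_zones, dup_includes = run_demo()
    for zone, locs in dup_zones.items():
        print(f"zone '{zone}' defined at {locs[0]}, again at {locs[1]}")
    for path, sites in dup_includes.items():
        print(f"{path} included from: {', '.join(sites)}")
```

On the sample tree both duplicates resolve to the same file:line, which is the tell-tale in Tom's log: a genuine copy-and-paste duplicate would report two different locations.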


Error: already exists previous definition

2012-07-20 Thread Active Venture - Tom

Hi

We have been getting a lot of errors like the following from our BIND 9 
servers (9.5.1.1):


20-Jul-2012 15:26:40.181 config: error: 
/var/named/etc/namedb/conf/zone_0.conf:1529: zone 'x.net': 
already exists previous definition: /var/named/etc/namedb/conf/zone_0.conf:1529
20-Jul-2012 15:26:46.270 general: error: reloading configuration 
failed: failure


This has never ever happened before and the problem only started a 
few days ago, and we did not make any changes to our BIND servers. In 
fact, we have been using the same set up and configuration for over 3 
years without any problem until now.


The puzzling aspect is, there is NO duplicated config or zone entries 
at all for the domains listed in such error. In this instance, this 
is the only line found in zone_0.conf:


zone "x.net" {type master; file 
"/var/named/etc/namedb/zones/0/x.net"; notify no; };


I will appreciate greatly if someone could offer any advice or idea 
as to what's exactly causing such errors? Thanks very much.


Regards,

Tom



Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Brian J. Murrell
On 12-07-20 11:40 AM, Mark Andrews wrote:
> 
> In message <500978a5.4070...@imperial.ac.uk>, Phil Mayers writes:
>> On 20/07/12 16:21, Mark Andrews wrote:
>>>
>>> In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes:
>>>> Just for good measure, since I think I have posted this before, but here
>>>> are the options I have set in my bind configuration with regard to dnssec:
>>>>
>>>>  dnssec-enable yes;
>>>>  dnssec-validation yes;
>>>>  dnssec-lookaside auto;
> 
>   My bad.  "dnssec-validation auto;" is what I was thinking about.

Interesting.  Is "auto" for that value different/better than "yes",
which I have configured already?

Cheers,
b.





Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Mark Andrews

In message <500978a5.4070...@imperial.ac.uk>, Phil Mayers writes:
> On 20/07/12 16:21, Mark Andrews wrote:
> >
> > In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes:
> >> Just for good measure, since I think I have posted this before, but here
> >> are the options I have set in my bind configuration with regard to dnssec:
> >>
> >>  dnssec-enable yes;
> >>  dnssec-validation yes;
> >>  dnssec-lookaside auto;
> 
> FWIW, on 9.8 the only other line we have (for reasons of permissions) is:
> 
>managed-keys-directory "/var/named/data/dynamic";
> 
> I don't see why those 3 lines aren't sufficient for him?
> 
> >
> > Turn on validation using the root's DNSKEY.
> >
> > auto-dnssec maintain;
> 
> I thought that was for master zones, not recursion/validation? Or am I 
> missing something?

My bad.  "dnssec-validation auto;" is what I was thinking about.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Phil Mayers

On 20/07/12 16:21, Mark Andrews wrote:
>
> In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes:
>> Just for good measure, since I think I have posted this before, but here
>> are the options I have set in my bind configuration with regard to dnssec:
>>
>>  dnssec-enable yes;
>>  dnssec-validation yes;
>>  dnssec-lookaside auto;

FWIW, on 9.8 the only other line we have (for reasons of permissions) is:

  managed-keys-directory "/var/named/data/dynamic";

I don't see why those 3 lines aren't sufficient for him?

>
> Turn on validation using the root's DNSKEY.
>
> auto-dnssec maintain;

I thought that was for master zones, not recursion/validation? Or am I 
missing something?



Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Mark Andrews

In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes:
> Just for good measure, since I think I have posted this before, but here
> are the options I have set in my bind configuration with regard to dnssec:
> 
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;

Turn on validation using the root's DNSKEY.

auto-dnssec maintain;

or

managed-keys {
. initial-key 257 3 8 
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

Currently you are only using DLV and 119.in-addr.arpa and parent zones
are not in the DLV registry.

> 
> Cheers,
> b.
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Phil Mayers

On 20/07/12 15:33, Brian J. Murrell wrote:
> On 12-07-20 09:11 AM, Phil Mayers wrote:
>>
>> Or, what happens if you start bind up in debug mode and run the query?
>> There will be a lot of output, but I've found most problems to be fairly
>> obvious if you read through it.
>
> Yeah, there is a lot of output.  Too big of a haystack for me to find
> the needle I'm afraid.  I probably had way too much debug enabled.  I'd
> be happy to trim it back if desired.  Just tell me which categories
> you'd want to see and what severity to set.
>
> In any case, the log is at
> http://brian.interlinx.bc.ca/119.in-addr.arpa.debug and the query I did was:
>
> dig +dnssec @localhost 119.in-addr.arpa SOA

A quick skim suggests that you aren't able to validate the root, but are 
able to validate DLV, which is why a subset of sites are working - those 
still with DLV entries.

If you can validate www.ic.ac.uk but not www.cam.ac.uk (who have now 
left DLV) then this might confirm it.

No idea why the root isn't valid for you, given you are running a recent 
bind - presumably the managed-keys config is messed up somehow.

Have you tried a clean install; blow away the entire /var/named and 
config hierarchy and start again?



Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Brian J. Murrell
On 12-07-20 10:42 AM, Mark Andrews wrote:
>  
> The NS RRset is the delegation records and as such has no RRSIGs.
> If you turn on minimal-responses the NS rrset won't be added and
> AD won't be cleared.  AD is only set to 1 if all the records in the
> answer and authority sections are marked as secure.

OK.  So I added:

minimal-responses yes;

and the dig response does indeed look much more "minimal", but the
ad bit is still not being set:

# dig +dnssec @localhost 119.in-addr.arpa SOA

; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45253
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;119.in-addr.arpa.  IN  SOA

;; ANSWER SECTION:
119.in-addr.arpa.   172800  IN  SOA ns1.apnic.net. 
read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 
172800
119.in-addr.arpa.   172800  IN  RRSIG   SOA 5 3 172800 20120819055026 
20120720045026 31291 119.in-addr.arpa. 
DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM 
GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 
KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=

;; Query time: 720 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 20 10:50:21 2012
;; MSG SIZE  rcvd: 310

Strangely I didn't get an error logged about there being no valid
signature for 119.in-addr.arpa SOA though.

Cheers,
b.




Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Mark Andrews

In message , "Brian J. Murrell" writes:
> On 12-07-20 08:34 AM, Brian J. Murrell wrote:
> >
> > The problem here seems to be fragmented UDP.
> 
> I seem to have misdiagnosed this due to tcpdump peculiarities.  I only
> initially saw/suspected the problem since my capture for port 53
> packets was including (only the first) ipv4 fragments.  When adding a
> capture specifically to get all ipv4 fragments in addition to my port
> 53 packets, I do see all of the fragments.
> 
> So back to the drawing board.
> 
> In my previous posting, I was able to demonstrate that I do get some
> queries authenticated, but others (corresponding to the errors in my
> logs) are not.  For example:
> 
> Jul 20 08:59:37 linux named[17472]:   validating @0xf48d01b0: 119.in-addr.arpa SOA: no valid signature found
> 
> and sure enough:
> 
> # dig +dnssec @localhost 119.in-addr.arpa SOA
> 
> ; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;119.in-addr.arpa.  IN  SOA
> 
> ;; ANSWER SECTION:
> 119.in-addr.arpa.   172800  IN  SOA ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 172800
> 119.in-addr.arpa.   172800  IN  RRSIG   SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=
> 
> ;; AUTHORITY SECTION:
> 119.in-addr.arpa.   78212   IN  NS  ns1.apnic.net.
> 119.in-addr.arpa.   78212   IN  NS  sec1.authdns.ripe.net.
> 119.in-addr.arpa.   78212   IN  NS  ns2.lacnic.net.
> 119.in-addr.arpa.   78212   IN  NS  ns4.apnic.net.
> 119.in-addr.arpa.   78212   IN  NS  ns3.apnic.net.
> 119.in-addr.arpa.   78212   IN  NS  apnic1.dnsnode.net.
> 119.in-addr.arpa.   78212   IN  NS  tinnie.arin.net.
> 
> ;; ADDITIONAL SECTION:
> ns1.apnic.net.  167 IN  A   202.12.29.25
> ns1.apnic.net.  164129  IN  AAAA    2001:dc0:2001:0:4608::25
> ns2.lacnic.net. 82967   IN  A   200.3.13.11
> ns2.lacnic.net. 164257  IN  AAAA    2001:13c7:7002:3000::11
> ns3.apnic.net.  167 IN  A   202.12.28.131
> ns3.apnic.net.  164129  IN  AAAA    2001:dc0:1:0:4777::131
> ns4.apnic.net.  167 IN  A   202.12.31.140
> ns4.apnic.net.  164129  IN  AAAA    2001:dc0:4001:1:0:1836:0:140
> sec1.authdns.ripe.net.  167 IN  A   193.0.9.3
> apnic1.dnsnode.net. 3767    IN  A   194.146.106.106
> tinnie.arin.net.    35918   IN  A   199.212.0.53
> tinnie.arin.net.    35918   IN  AAAA    2001:500:13::c7d4:35
> sec1.authdns.ripe.net.  167 IN  RRSIG   A 5 4 3600 20120819100246 20120720090246 16848 ripe.net. PnInozslOygv30AuohnYIzlCkeShxybKYeZ4114kpClfsMB/t3liXNmw in7Ha8Mh1mOZFtv2lvYDNlnrZgO65xXkUwsH2iz1jCMFU6ZjwGhqVhaX PpN6T6BXDHSohpFkVlx0yu9J7BcPMuCD6FJB5yLF4V0UUkJoPOXFAKBa mto=
> 
> ;; Query time: 239 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Jul 20 09:02:18 2012
> ;; MSG SIZE  rcvd: 892
> 
> no "ad" bit set.
> 
> But why?
 
The NS RRset is the delegation records and as such has no RRSIGs.
If you turn on minimal-responses the NS rrset won't be added and
AD won't be cleared.  AD is only set to 1 if all the records in the
answer and authority sections are marked as secure.

> Cheers,
> b.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
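Mark's rule gives a mechanical first check for a missing ad bit: a validator sets AD only when every RRset in the ANSWER and AUTHORITY sections is secure, so the unsigned delegation NS RRset that named adds to AUTHORITY is enough to clear it, and minimal-responses simply keeps that RRset out of the response. The script below is an added example for this thread, not BIND code. It parses dig output into sections, groups records into RRsets and lists those in ANSWER/AUTHORITY that have no covering RRSIG, first for the response as sent and then as it would look with minimal-responses. SAMPLE is constructed from the dig output Brian posted, with the signature data cut short; parse_dig, unsigned_rrsets and triage are the example's own names. The caveat matters: the check is necessary, not sufficient. It only establishes that signatures are present; Brian's response passes it under minimal-responses and still has no ad, because (as Phil found later in the thread) the resolver was not validating from the root trust anchor at all, only through DLV.

```python
"""Triage for a missing 'ad' bit: which RRsets in a dig response carry no RRSIG?
Added example for this thread, not BIND code.  It checks only that a covering
RRSIG is present for each RRset in ANSWER and AUTHORITY (RFC 4035 s.3.2.3);
it does not validate anything and cannot tell whether named trusted the chain."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")

# Constructed from the dig output quoted in the thread; signature data cut short.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;119.in-addr.arpa.  IN  SOA

;; ANSWER SECTION:
119.in-addr.arpa.   172800  IN  SOA ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 172800
119.in-addr.arpa.   172800  IN  RRSIG   SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM...

;; AUTHORITY SECTION:
119.in-addr.arpa.   78212   IN  NS  ns1.apnic.net.
119.in-addr.arpa.   78212   IN  NS  sec1.authdns.ripe.net.
119.in-addr.arpa.   78212   IN  NS  tinnie.arin.net.

;; ADDITIONAL SECTION:
ns1.apnic.net.  167 IN  A   202.12.29.25
sec1.authdns.ripe.net.  167 IN  A   193.0.9.3
sec1.authdns.ripe.net.  167 IN  RRSIG   A 5 4 3600 20120819100246 20120720090246 16848 ripe.net. PnInozslOygv30AuohnYIzlCkeShxybKYeZ4114kp...
"""


def parse_dig(text):
    """Return (flags, sections): the header flag list and
    {section name: [(owner, rtype, rdata fields), ...]}."""
    flags, sections, current = [], defaultdict(list), None
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            flags = m.group(1).split()
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or not line.strip() or line.startswith(";"):
            continue                      # comments, the QUESTION line, separators
        fields = line.split()             # owner ttl class type rdata...
        if len(fields) < 4:
            continue
        sections[current].append((fields[0].lower(), fields[3], fields[4:]))
    return flags, sections


def unsigned_rrsets(sections, minimal_responses=False):
    """RRsets in ANSWER/AUTHORITY with no covering RRSIG, as [(section, owner, type)].
    With 'minimal-responses yes' named leaves AUTHORITY and ADDITIONAL out of a
    positive answer, so only ANSWER is examined in that mode."""
    checked = ["ANSWER"] if minimal_responses else ["ANSWER", "AUTHORITY"]
    missing = []
    for sec in checked:
        rrsets, covered = set(), set()
        for owner, rtype, rdata in sections.get(sec, []):
            if rtype == "RRSIG":
                covered.add((owner, rdata[0]))   # first RRSIG field: type covered
            else:
                rrsets.add((owner, rtype))
        missing.extend((sec, o, t) for o, t in sorted(rrsets - covered))
    return missing


def triage(text, minimal_responses=False):
    """Was ad set, and if not, which RRsets could never have been marked secure?"""
    flags, sections = parse_dig(text)
    return {"ad": "ad" in flags,
            "unsigned": unsigned_rrsets(sections, minimal_responses)}


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(SAMPLE, minimal_responses=True))
```

Run against a response that does have an unsigned RRset in ANSWER, the tool points at the zone to look at; an empty list with ad still clear, as here, means the problem is in the validator's trust anchors rather than in the response, and the next step is Phil's www.ic.ac.uk versus www.cam.ac.uk comparison.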


Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Brian J. Murrell
On 12-07-20 09:11 AM, Phil Mayers wrote:
> 
> Or, what happens if you start bind up in debug mode and run the query?
> There will be a lot of output, but I've found most problems to be fairly
> obvious if you read through it.

Yeah, there is a lot of output.  Too big of a haystack for me to find
the needle I'm afraid.  I probably had way too much debug enabled.  I'd
be happy to trim it back if desired.  Just tell me which categories
you'd want to see and what severity to set.

In any case, the log is at
http://brian.interlinx.bc.ca/119.in-addr.arpa.debug and the query I did was:

dig +dnssec @localhost 119.in-addr.arpa SOA

The log should be as brief as it can be as I started named, did the
query and waited for the response and then stopped bind.

Just for good measure, since I think I have posted this before, but here
are the options I have set in my bind configuration with regard to dnssec:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Cheers,
b.




RE: Problem with DNSSEC signing zone

2012-07-20 Thread Spain, Dr. Jeffry A.
> all this step has been well done, but the last step:
> Generate DS records and provide them to your registrar.
> has not been fluent for me. I found how can i provide key to the registrar i 
> used this command:
> dnssec-dsfromkey -2 Kwillzik.co.uk KSK.key  "is it the good way to do?"

That command will generate the DS record for you. The procedure for getting the 
DS record into the parent zone, co.uk in this case, depends on your DNS 
registrar. For example, I use GoDaddy.com, and on their domain management 
website, there is a "Manage DS records" page where you can paste in the key 
digest and certain other information. Not all registrars support DNSSEC DS 
record management, so you may have to transfer your domain to one who does. See 
http://www.icann.org/en/news/in-focus/dnssec/deployment for a list.

> Please tell me how can i bring down this matter and have my AD flag when i 
> made my dig.
The key point to recognize, as stated previously in Carsten Strotmann's post, 
is that you have to query a DNSSEC-enabled recursive resolver to possibly get 
an AD flag returned. Your own authoritative name server will never return an AD 
flag. See https://www.dns-oarc.net/oarc/services/odvr for one that is available 
publicly. Also you can test your zone at http://dnsviz.net to see if there are 
any missing links in your chain of trust from the DNS root.

Best Regards, Jeff.
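Jeff's point about the DS record is the delegation half of the chain of trust: the parent (co.uk here) publishes a DS that is a hash of the child's KSK, and dnssec-dsfromkey does nothing more than compute that hash. The code below, an added example for this thread and not ISC code, does the computation in the open (RFC 4034 section 5.1.4 for the DS digest, appendix B for the key tag) so the output of dnssec-dsfromkey can be cross-checked before it is pasted into a registrar's form, and it can equally be pointed at the root KSK Mark quoted in his managed-keys example earlier in the thread: IANA's published DS for that key has key tag 19036, so a different tag would mean the key text was mangled on the way. TOY_KSK is a constructed 4-byte key, not a real one, so the key-tag arithmetic can be followed by hand; ds_from_dnskey and ds_record are the example's own names, and the willzik.co.uk owner name is taken from the thread.

```python
"""DS record and key tag from a DNSKEY (RFC 4034 s.5.1.4 and appendix B).
Added example for this thread, not ISC code: it reproduces what
'dnssec-dsfromkey -2' prints so the result can be cross-checked."""
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash

# Root KSK-2010 public key as quoted in Mark Andrews' managed-keys example.
ROOT_KSK_2010 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0"
    "EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/Q"
    "Zxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hO"
    "A2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8"
    "ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)

# Constructed 4-byte "key" (not a real key) so the key-tag sum can be checked by hand.
TOY_KSK = "AQIDBA=="   # key bytes 01 02 03 04


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 appendix B (every algorithm except the obsolete RSA/MD5, alg 1):
    sum the RDATA as big-endian 16-bit words, fold the carry, keep 16 bits."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, hex digest) with digest = H(owner in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), digest


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Presentation-format DS RR, the line a registrar's DS form asks for."""
    tag, digest = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type)
    return f"{owner.lower().rstrip('.')}. IN DS {tag} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    # Compare with the DS that IANA publishes for the root trust anchor.
    print(ds_record(".", 257, 3, 8, ROOT_KSK_2010))
    # What dnssec-dsfromkey -2 would print for a willzik.co.uk KSK (toy key).
    print(ds_record("willzik.co.uk", 257, 3, 8, TOY_KSK))
```

For the toy key the RDATA is 01 01 03 08 01 02 03 04, so the word sum is 0x0101 + 0x0308 + 0x0102 + 0x0304 = 0x080F, key tag 2063. Note that the owner name is part of the digest input: a DS computed for the wrong name (or with a trailing label typo) hashes differently and the delegation will fail validation even though the key itself is right.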


Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Casey Deccio
On Fri, Jul 20, 2012 at 6:03 AM, Brian J. Murrell wrote:

> On 12-07-20 08:34 AM, Brian J. Murrell wrote:
> >
> > The problem here seems to be fragmented UDP.
>
> I seem to have misdiagnosed this due to tcpdump peculiarities.  I only
> initially saw/suspected the problem since my capture for port 53
> packets was including (only the first) ipv4 fragments.  When adding a
> capture specifically to get all ipv4 fragments in addition to my port
> 53 packets, I do see all of the fragments.
>
>
Just because you see the fragments on the wire doesn't mean they're getting
past the local firewall and being reassembled.  For example, if you're
using ip6tables on a Linux kernel <= 2.6.20 IPv6 fragments aren't allowed
through properly [1].  What OS/kernel are you using?

Casey

[1] See https://dnssec.surfnet.nl/?p=464

Re: Problem with DNSSEC signing zone

2012-07-20 Thread Casey Deccio
On Fri, Jul 20, 2012 at 2:52 AM, William Thierry SAMEN <
thierry.sa...@gmail.com> wrote:

> I just have a problem with my zone signing output; I made all the steps to
> obtain a good result.

...

> my zone name is willzik.co.uk
>
I'm getting an NXDOMAIN response from the co.uk servers, rather than a
delegation referral:

$ dig @nsa.nic.uk willzik.co.uk | grep status
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63301

It appears that you don't have delegation (NS) records in co.uk for
willzik.co.uk.

Casey

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Mark Andrews

In message <50095065.3050...@interlinx.bc.ca>, "Brian J. Murrell" writes:
> 
> On 12-05-15 09:01 AM, Phil Mayers wrote:
> >
> 
> Sorry about the way delayed response.  There seems to be some confusion
> about which list/group gmane is following.
> 
> > Isn't it more likely it's a local problem?
> 
> Indeed.  But what, is the question (and I do have the answer, now --
> see below).
> 
> > Which version of bind are you running?
> 
> I was running 9.8.3 and now 9.9.1-P1
> 
> > Does *any* zone validate
> 
> Yes.
> 
> > e.g. try:
> >
> > dig +dnssec @localhost www.ic.ac.uk
> 
> # dig +dnssec @localhost www.ic.ac.uk
> 
> ; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost www.ic.ac.uk
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 725
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 13
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.ic.ac.uk.  IN  A
> 
> ;; ANSWER SECTION:
> www.ic.ac.uk.   3600    IN  A   155.198.140.14
> www.ic.ac.uk.   3600    IN  RRSIG   A 5 4 3600 20120812165527 20120713164639 4743 ic.ac.uk. UZDw0aM0xPFXAmb5/PReP8hSWR/eNmMA479JFoZyHmxRrepTaJWLya+R 1F2Y2LI/T12QlFkw09KBsgZo+hGr2MWfPyMAjNttzDLCqGM7dDNBUnuz H4G7DUnTvpnIV3VcLHqIh2z+j5ZmBb4+O4MIbNbBh8reVIacM8jgGNPH Evs=
> 
> ;; AUTHORITY SECTION:
> ic.ac.uk.   86400   IN  NS  ns1.ic.ac.uk.
> ic.ac.uk.   86400   IN  NS  authdns1.csx.cam.ac.uk.
> ic.ac.uk.   86400   IN  NS  ns2.ic.ac.uk.
> ic.ac.uk.   86400   IN  NS  ns0.ic.ac.uk.
> ic.ac.uk.   86400   IN  RRSIG   NS 5 3 86400 20120806213024 20120707210235 4743 ic.ac.uk. AYa7xE/1ZDMvt0c1wGY/+eu4vgbJm4EV+i+1YYZhtLu44bdnHndfptNZ ECxeOI8JVeaKUq1zPspK9UnTCLFDkfCq9cIVFjZhpHQSPHtd3Vss40Vl gKrOG6qm4RfmPbLaUDKxu/LsR/W+iRbbiwI2fsso34BTUJeKPZGwqHPG j9k=
> 
> ;; ADDITIONAL SECTION:
> ns0.ic.ac.uk.   86400   IN  A   155.198.142.80
> ns0.ic.ac.uk.   86400   IN  AAAA    2001:630:12:600:1::80
> ns1.ic.ac.uk.   86400   IN  A   155.198.142.81
> ns1.ic.ac.uk.   86400   IN  AAAA    2001:630:12:600:1::81
> ns2.ic.ac.uk.   86400   IN  A   155.198.142.82
> authdns1.csx.cam.ac.uk. 86400   IN  A   131.111.12.37
> authdns1.csx.cam.ac.uk. 86400   IN  AAAA    2001:630:212:12::d:a1
> ns0.ic.ac.uk.   86400   IN  RRSIG   A 5 4 86400 20120807164706 20120708162343 4743 ic.ac.uk. SDz7qZbq+O/SMopAP4L1W9QeeuJu6+vBW25h4WIoDmFgXb+OPx3/M/6H 6pBFUpO2XoBfurRHly0r2yy7C4x3X7vth8nT9Xo16ZL9nauYwbUIM3f3 zDECyEzrkPf8EDcwRYycOJfcKcAlxG0FiPBav+WJW8PNMR43YAsr6w5D ZLU=
> ns0.ic.ac.uk.   300     IN  RRSIG   AAAA 5 4 300 20120809142748 20120710132748 4743 ic.ac.uk. U+LTVkUNoTWXNTabEd/rt15qze4iLWhDFyw+inaYgToGxYA5y3JS+fnx qfe2+GUFSLOz/Xo6czEe7728vCLgXzLQckAyS3g56NUfHKyXO1WWa6lQ k1r9UoNOSj5vTu0YLQN1FgP4aSFjowZzeQtbX//aDXZEVHKjNz4UFwBA zPs=
> ns1.ic.ac.uk.   86400   IN  RRSIG   A 5 4 86400 20120816015657 20120717011404 4743 ic.ac.uk. dFRwdOkf670aLyyLtnLAYwo18XQGIFgT8YWQukrsj514pINSR5WUkcpd ReUOGLy9+RDEfpWwDsvdp1DLrxbUzElTF5Qkg/1d76qqB6WxmnQq6lqz r5zKgfh9GNZHKrAOzvLcxlUFhd2xm1NXjktjIhb6CLH+qrJRR9h9+Zxy MlQ=
> ns1.ic.ac.uk.   300     IN  RRSIG   AAAA 5 4 300 20120809142748 20120710132748 4743 ic.ac.uk. OBSX8EyrqDcE6QzArCOaecx3Rf5fuBqfMctc/6M+3SnCHqQ9Dzp0YZly 2f6OJXu2JCrR4lGEUfgnA8rXDCKLgkzVIWFZi4y0GVuY2VHXhBptT9ri P0xRDqytbK9FAmIQMjn0gVuRBA6FhHhalh59FrcimXT/DyEj3TjsW2iD IsQ=
> ns2.ic.ac.uk.   86400   IN  RRSIG   A 5 4 86400 20120804065011 20120705063843 4743 ic.ac.uk. IQ9KZAqCZLRpDwSpFpwor5ru7ltRfgBkFITKVs5ICz0fGrMQ9uWeWVY2 CLNVmPeXtMseId7Y67+CM4q2Zu+zfBtSiLlDbbqD13FnSdmjqLCHF4PG 7UVW1Z9uqjSHndKuuXeihNUSogyDZyoqf1b4SRcmRwOjgsM7HX0gWy87 jBs=
> 
> ;; Query time: 451 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Jul 20 07:24:59 2012
> ;; MSG SIZE  rcvd: 1466
> 
> > ...and you should see:
> >
> > ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18199
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 11
> >
> > Note the "ad" flag - "authenticated data".
> 
> Yup, I did see that.
> 
> The problem here seems to be fragmented UDP.  I only ever receive the
> first fragment.  Since I am tcpdumping on the external interface of my
> router, I know it's not my router dropping it (which does have an
> iptables policy installed, but tcpdump happens before iptables AFAIU;
> that is you see *everything* with tcpdump, even on an interface where
> iptables is set to drop traffic).  I can only assume it's my ISP or
> something upstream.

They are most probably permitting the responses based on the UDP
ports but as the fragments don't have the UDP header they are dropped.

"pass udp from any to any fra

Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Phil Mayers

On 20/07/12 14:03, Brian J. Murrell wrote:
> 
> # dig +dnssec @localhost 119.in-addr.arpa SOA
> 
> ; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14


What do you see if you:

 1. Clear the cache
 2. Start tcpdump
 3. Do this query

Presumably there is a failing DNS query somewhere underlying this.

Or, what happens if you start bind up in debug mode and run the query? 
There will be a lot of output, but I've found most problems to be fairly 
obvious if you read through it.



Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Brian J. Murrell
On 12-07-20 08:34 AM, Brian J. Murrell wrote:
> 
> The problem here seems to be fragmented UDP.

I seem to have misdiagnosed this due to tcpdump peculiarities.  I only
initially saw/suspected the problem since my capture for port 53
packets was including (only the first) ipv4 fragments.  When adding a
capture specifically to get all ipv4 fragments in addition to my port
53 packets, I do see all of the fragments.

So back to the drawing board.

In my previous posting, I was able to demonstrate that I do get some
queries authenticated, but others (corresponding to the errors in my
logs) are not.  For example:

Jul 20 08:59:37 linux named[17472]:   validating @0xf48d01b0: 119.in-addr.arpa 
SOA: no valid signature found

and sure enough:

# dig +dnssec @localhost 119.in-addr.arpa SOA

; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;119.in-addr.arpa.  IN  SOA

;; ANSWER SECTION:
119.in-addr.arpa.   172800  IN  SOA ns1.apnic.net. 
read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 
172800
119.in-addr.arpa.   172800  IN  RRSIG   SOA 5 3 172800 20120819055026 
20120720045026 31291 119.in-addr.arpa. 
DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM 
GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 
KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=

;; AUTHORITY SECTION:
119.in-addr.arpa.   78212   IN  NS  ns1.apnic.net.
119.in-addr.arpa.   78212   IN  NS  sec1.authdns.ripe.net.
119.in-addr.arpa.   78212   IN  NS  ns2.lacnic.net.
119.in-addr.arpa.   78212   IN  NS  ns4.apnic.net.
119.in-addr.arpa.   78212   IN  NS  ns3.apnic.net.
119.in-addr.arpa.   78212   IN  NS  apnic1.dnsnode.net.
119.in-addr.arpa.   78212   IN  NS  tinnie.arin.net.

;; ADDITIONAL SECTION:
ns1.apnic.net.  167 IN  A   202.12.29.25
ns1.apnic.net.  164129  IN  AAAA    2001:dc0:2001:0:4608::25
ns2.lacnic.net. 82967   IN  A   200.3.13.11
ns2.lacnic.net. 164257  IN  AAAA    2001:13c7:7002:3000::11
ns3.apnic.net.  167 IN  A   202.12.28.131
ns3.apnic.net.  164129  IN  AAAA    2001:dc0:1:0:4777::131
ns4.apnic.net.  167 IN  A   202.12.31.140
ns4.apnic.net.  164129  IN  AAAA    2001:dc0:4001:1:0:1836:0:140
sec1.authdns.ripe.net.  167 IN  A   193.0.9.3
apnic1.dnsnode.net. 3767IN  A   194.146.106.106
tinnie.arin.net.35918   IN  A   199.212.0.53
tinnie.arin.net.35918   IN  AAAA    2001:500:13::c7d4:35
sec1.authdns.ripe.net.  167 IN  RRSIG   A 5 4 3600 20120819100246 
20120720090246 16848 ripe.net. 
PnInozslOygv30AuohnYIzlCkeShxybKYeZ4114kpClfsMB/t3liXNmw 
in7Ha8Mh1mOZFtv2lvYDNlnrZgO65xXkUwsH2iz1jCMFU6ZjwGhqVhaX 
PpN6T6BXDHSohpFkVlx0yu9J7BcPMuCD6FJB5yLF4V0UUkJoPOXFAKBa mto=

;; Query time: 239 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 20 09:02:18 2012
;; MSG SIZE  rcvd: 892

no "ad" bit set.

But why?

Cheers,
b.




Re: named validating @0x...: ... SOA: no valid signature found

2012-07-20 Thread Brian J. Murrell
On 12-05-15 09:01 AM, Phil Mayers wrote:
> 

Sorry about the way delayed response.  There seems to be some confusion
about which list/group gmane is following.
 
> Isn't it more likely it's a local problem?

Indeed.  But what, is the question (and I do have the answer, now --
see below).

> Which version of bind are you running?

I was running 9.8.3 and now 9.9.1-P1

> Does *any* zone validate

Yes.

> e.g. try:
> 
> dig +dnssec @localhost www.ic.ac.uk

# dig +dnssec @localhost www.ic.ac.uk

; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost www.ic.ac.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 725
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.ic.ac.uk.  IN  A

;; ANSWER SECTION:
www.ic.ac.uk.   3600IN  A   155.198.140.14
www.ic.ac.uk.   3600IN  RRSIG   A 5 4 3600 20120812165527 
20120713164639 4743 ic.ac.uk. 
UZDw0aM0xPFXAmb5/PReP8hSWR/eNmMA479JFoZyHmxRrepTaJWLya+R 
1F2Y2LI/T12QlFkw09KBsgZo+hGr2MWfPyMAjNttzDLCqGM7dDNBUnuz 
H4G7DUnTvpnIV3VcLHqIh2z+j5ZmBb4+O4MIbNbBh8reVIacM8jgGNPH Evs=

;; AUTHORITY SECTION:
ic.ac.uk.   86400   IN  NS  ns1.ic.ac.uk.
ic.ac.uk.   86400   IN  NS  authdns1.csx.cam.ac.uk.
ic.ac.uk.   86400   IN  NS  ns2.ic.ac.uk.
ic.ac.uk.   86400   IN  NS  ns0.ic.ac.uk.
ic.ac.uk.   86400   IN  RRSIG   NS 5 3 86400 20120806213024 
20120707210235 4743 ic.ac.uk. 
AYa7xE/1ZDMvt0c1wGY/+eu4vgbJm4EV+i+1YYZhtLu44bdnHndfptNZ 
ECxeOI8JVeaKUq1zPspK9UnTCLFDkfCq9cIVFjZhpHQSPHtd3Vss40Vl 
gKrOG6qm4RfmPbLaUDKxu/LsR/W+iRbbiwI2fsso34BTUJeKPZGwqHPG j9k=

;; ADDITIONAL SECTION:
ns0.ic.ac.uk.   86400   IN  A   155.198.142.80
ns0.ic.ac.uk.   86400   IN  AAAA    2001:630:12:600:1::80
ns1.ic.ac.uk.   86400   IN  A   155.198.142.81
ns1.ic.ac.uk.   86400   IN  AAAA    2001:630:12:600:1::81
ns2.ic.ac.uk.   86400   IN  A   155.198.142.82
authdns1.csx.cam.ac.uk. 86400   IN  A   131.111.12.37
authdns1.csx.cam.ac.uk. 86400   IN  AAAA    2001:630:212:12::d:a1
ns0.ic.ac.uk.   86400   IN  RRSIG   A 5 4 86400 20120807164706 
20120708162343 4743 ic.ac.uk. 
SDz7qZbq+O/SMopAP4L1W9QeeuJu6+vBW25h4WIoDmFgXb+OPx3/M/6H 
6pBFUpO2XoBfurRHly0r2yy7C4x3X7vth8nT9Xo16ZL9nauYwbUIM3f3 
zDECyEzrkPf8EDcwRYycOJfcKcAlxG0FiPBav+WJW8PNMR43YAsr6w5D ZLU=
ns0.ic.ac.uk.   300 IN  RRSIG   AAAA 5 4 300 20120809142748 
20120710132748 4743 ic.ac.uk. 
U+LTVkUNoTWXNTabEd/rt15qze4iLWhDFyw+inaYgToGxYA5y3JS+fnx 
qfe2+GUFSLOz/Xo6czEe7728vCLgXzLQckAyS3g56NUfHKyXO1WWa6lQ 
k1r9UoNOSj5vTu0YLQN1FgP4aSFjowZzeQtbX//aDXZEVHKjNz4UFwBA zPs=
ns1.ic.ac.uk.   86400   IN  RRSIG   A 5 4 86400 20120816015657 
20120717011404 4743 ic.ac.uk. 
dFRwdOkf670aLyyLtnLAYwo18XQGIFgT8YWQukrsj514pINSR5WUkcpd 
ReUOGLy9+RDEfpWwDsvdp1DLrxbUzElTF5Qkg/1d76qqB6WxmnQq6lqz 
r5zKgfh9GNZHKrAOzvLcxlUFhd2xm1NXjktjIhb6CLH+qrJRR9h9+Zxy MlQ=
ns1.ic.ac.uk.   300 IN  RRSIG   AAAA 5 4 300 20120809142748 
20120710132748 4743 ic.ac.uk. 
OBSX8EyrqDcE6QzArCOaecx3Rf5fuBqfMctc/6M+3SnCHqQ9Dzp0YZly 
2f6OJXu2JCrR4lGEUfgnA8rXDCKLgkzVIWFZi4y0GVuY2VHXhBptT9ri 
P0xRDqytbK9FAmIQMjn0gVuRBA6FhHhalh59FrcimXT/DyEj3TjsW2iD IsQ=
ns2.ic.ac.uk.   86400   IN  RRSIG   A 5 4 86400 20120804065011 
20120705063843 4743 ic.ac.uk. 
IQ9KZAqCZLRpDwSpFpwor5ru7ltRfgBkFITKVs5ICz0fGrMQ9uWeWVY2 
CLNVmPeXtMseId7Y67+CM4q2Zu+zfBtSiLlDbbqD13FnSdmjqLCHF4PG 
7UVW1Z9uqjSHndKuuXeihNUSogyDZyoqf1b4SRcmRwOjgsM7HX0gWy87 jBs=

;; Query time: 451 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 20 07:24:59 2012
;; MSG SIZE  rcvd: 1466
 
> ...and you should see:
> 
> ; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18199
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 11
> 
> Note the "ad" flag - "authenticated data".

Yup, I did see that.

The problem here seems to be fragmented UDP.  I only ever receive the
first fragment.  Since I am tcpdumping on the external interface of my
router, I know it's not my router dropping it (which does have an
iptables policy installed, but tcpdump happens before iptables AFAIU;
that is, you see *everything* with tcpdump, even on an interface where
iptables is set to drop traffic).  I can only assume it's my ISP or
something upstream.

I am able to receive fragmented ICMP however.  For example:

$ ping -M want -s 3000 74.125.226.17
PING 74.125.226.17 (74.125.226.17) 3000(3028) bytes of data.
3008 bytes from 74.125.226.17: icmp_req=1 ttl=58 time=29.1 ms
3008 bytes from 74.125.226.17: icmp_req=2 ttl=58 time=28.2 ms
3008 bytes from 74.125.226.17: icmp_req=3 ttl=58 time=28.6 ms
3008 bytes from 74.125.226.17: icmp_req=4 ttl=58 time=29.0 ms
3008 bytes from 74.125.226.17: icmp_req=5 ttl=58 time=29.9 ms
3008 bytes from 74.125.226.

RE: Problem with DNSSEC signing zone

2012-07-20 Thread Spain, Dr. Jeffry A.
> 1. Generated KSK and ZSK
> 2. Added both keys at the end of my zone file
> 3. Signed my zone with the dnssec-signzone command
> 4. Enabled dnssec in named options
> 5. Changed the name of my zone in named to namezone.signed
> 6. I got the root DNSKEY RR set before with the dig command and redirected the 
> output to a root-dnskey file
> 7. I turned the DNSKEY into a DS RR set also, with the dnssec-dsfromkey command.

Also consider simplifying the process as follows:
1.  Generate KSK and ZSK, setting timing metadata so that they are 
published and active. See dnssec-keygen and dnssec-settime.
2.  Place the key files in a key directory on your server.
3.  Add to your zone configuration: key-directory ""; auto-dnssec maintain;
4.  Generate DS records and provide them to your registrar.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School



Re: Problem with DNSSEC signing zone

2012-07-20 Thread Carsten Strotmann

Hello Thierry SAMEN,

On Fri, 20 Jul 2012, William Thierry SAMEN wrote:


Hi all Bind users,
I just have a problem with my zone signing output. I made all the steps to 
obtain a good result.
 1. Generated KSK and ZSK
 2. Added both keys at the end of my zone file
 3. Signed my zone with the dnssec-signzone command
 4. Enabled dnssec in named options
 5. Changed the name of my zone in named to namezone.signed
 6. I got the root DNSKEY RR set before with the dig command and redirected the 
output to a root-dnskey file
 7. I turned the DNSKEY into a DS RR set also, with the dnssec-dsfromkey command.



Did you send the DS RR to the operator of the parent zone, and did you 
wait for the DS record to appear in the parent zone?


To see an AD flag, you need to send the query towards a caching DNSSEC 
validating server that is _not_ the same server that is hosting the zone 
(see 
 
).


The chain of trust from the trust-anchor of the caching 
validating DNS server down to the signatures in the zone must be complete, 
including the DS record for your zone, which must be hosted in the parent 
zone (co.uk.).


Please also make sure that the serial number in the SOA record on the 
authoritative server is the same number that you see in the signed zone 
file. Do not forget to increment the SOA serial before or during the 
signing process ( dnssec-signzone -N INCREMENT ... ).


I cannot test your domain from here, it seems the domain is not delegated 
(I'm seeing an NXDOMAIN from co.uk.).


csmobile :: ~ » drill -k root.key -SD willzik.co.uk
;; Number of trusted keys: 1
;; Chasing: willzik.co.uk. A


DNSSEC Trust tree:
willzik.co.uk. (A)
|---Existence is denied by:
|---G9F1KIIHM8M9VHJK7LRVETBQCEOGJIQP.co.uk. (NSEC3)
|---Existence is denied by:
|---QLR2IB6LOCI8AIL6L2NH50RQV809BNEG.co.uk. (NSEC3)
|---Existence is denied by:
|---22SDTUJH764RHEGKI5GU51QAU3T7947V.co.uk. (NSEC3)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

(the negative answer here is not DNSSEC validated, but that is another 
issue).


Best regards

Carsten Strotmann
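
Carsten's question about the DS record and step 4 of Jeffry's simplified procedure come down to the same check: the DS published in the parent zone must have been derived from the KSK you are actually serving. The Python below is an added example, not code from the thread or from BIND; it reproduces the RFC 4034 key-tag and DS-digest computation that dnssec-dsfromkey performs, so a DS fetched from the parent can be compared against your own DNSKEY. The DNSKEY value and the name zone.example are constructed for illustration, not a real key.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY for illustration (not a real key): KSK flags 257, protocol 3,
# algorithm 8 (RSA/SHA-256), and a 4-byte placeholder public key "AQIDBA==".
EXAMPLE_DNSKEY = "zone.example. 3600 IN DNSKEY 257 3 8 AQIDBA=="

def wire_name(owner):
    """Canonical (lower-case) wire-format owner name, RFC 4034 section 6.2."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(dnskey_text, digest_type=2):
    """Build the DS RR for a DNSKEY RR given in presentation format (what dnssec-dsfromkey prints)."""
    fields = dnskey_text.split()
    owner = fields[0]
    flags, protocol, algorithm = int(fields[4]), int(fields[5]), int(fields[6])
    rdata = dnskey_rdata(flags, protocol, algorithm, "".join(fields[7:]))
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    # DS digest is over the canonical owner name followed by the DNSKEY RDATA.
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def ds_matches(parent_ds_text, dnskey_text):
    """Compare a DS RR as seen in the parent zone (e.g. from 'dig DS') with the one
    computed from our DNSKEY; the last four fields are keytag, algorithm, digest type, digest."""
    digest_type = int(parent_ds_text.split()[-2])
    want = ds_record(dnskey_text, digest_type).split()[-4:]
    got = parent_ds_text.split()[-4:]
    return [w.upper() for w in want] == [g.upper() for g in got]
```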

Problem with DNSSEC signing zone

2012-07-20 Thread William Thierry SAMEN
Hi all Bind users,
I just have a problem with my zone signing output. I made all the steps to
obtain a good result.

   1. Generated KSK and ZSK
   2. Added both keys at the end of my zone file
   3. Signed my zone with the dnssec-signzone command
   4. Enabled dnssec in named options
   5. Changed the name of my zone in named to namezone.signed
   6. I got the root DNSKEY RR set before with the dig command and redirected the
   output to a root-dnskey file
   7. I turned the DNSKEY into a DS RR set also, with the dnssec-dsfromkey
   command.

All these steps have been done well but, when I made a dig for testing the
result, I can't see my answer section with RRSIG or ad flag.

Does someone know what I can do to solve this problem, please?

My zone name is *willzik.co.uk* and when I tested my Bind with a signed
domain like *ripe.net*, the result is good.

*dig +dnssec ripe.net* gave me a good answer

dig +dnssec willzik.co.uk returns an answer without RRSIG records or ad flag

Thanks for your help

-- 
Cordialement.
Thierry *SAMEN.*
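
The two symptoms in this thread are distinguishable from dig's output alone: Brian's answer carries RRSIGs but no "ad" flag (signed, but the resolver could not validate it), while this post reports no RRSIGs at all (the resolver never saw a signed copy of the zone). The Python below is an added example, not code from the thread; it parses the header flags, the EDNS DO bit and the ANSWER section and names the failure mode, including Carsten's case of querying the authoritative server itself. The dig text it parses is constructed, with zone.example standing in for the real names.

```python
import re

# Constructed dig output (not quoted from the thread), modelled on the response above:
# the answer carries an RRSIG and the query set the DO bit, yet no "ad" flag came back.
SIGNED_NOT_VALIDATED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
zone.example.  172800  IN  SOA  ns1.zone.example. hostmaster.zone.example. 1 7200 1800 604800 172800
zone.example.  172800  IN  RRSIG  SOA 5 2 172800 20120819055026 20120720045026 31291 zone.example. QUJD
"""

# Constructed output for the other failure mode in the thread: no RRSIG at all.
UNSIGNED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
zone.example.  3600  IN  A  192.0.2.10
"""

def parse_dig(text):
    """Return (header flags, EDNS do bit, {section: [token lists]}) parsed from dig output."""
    m = re.search(r"^;; flags:([^;]*);", text, re.M)
    flags = set(m.group(1).split()) if m else set()
    m = re.search(r"^; EDNS:.*flags:([^;]*);", text, re.M)
    edns_do = bool(m and "do" in m.group(1).split())
    sections, current = {}, None
    for line in text.splitlines():
        hdr = re.match(r"^;; (\w+) SECTION:", line)
        if hdr:
            current = hdr.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            sections[current].append(line.split())
    return flags, edns_do, sections

def triage(text):
    """Classify why a +dnssec answer did or did not come back authenticated."""
    flags, edns_do, sections = parse_dig(text)
    # Record lines are "<name> <ttl> <class> <type> ..."; dig's wrapped RRSIG
    # continuation lines have no numeric TTL in field 2 and are skipped.
    rrsigs = [rr for rr in sections.get("ANSWER", [])
              if len(rr) > 3 and rr[1].isdigit() and rr[3] == "RRSIG"]
    if "ad" in flags:
        return "validated"             # chain of trust complete
    if "aa" in flags:
        return "authoritative-answer"  # server hosts the zone; ad is not set for its own data
    if not edns_do:
        return "no-do-bit"             # query was not sent with +dnssec
    if rrsigs:
        return "signed-not-validated"  # signatures present: check DS in parent, trust anchor, clock
    return "unsigned"                  # no RRSIG served: zone unsigned or signed file not loaded
```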