Re: DNSSEC and NSEC missing ZSK?
> On 08 Feb 2021, at 07:24, Matthijs Mekking wrote: > > Hi, > > On 08-02-2021 12:20, @lbutlr wrote: >> I feel I am getting close. I got the digest generated for hover.com and >> updated the DNS on the test zone, but I am getting errors on verify that I >> don't understand. >> #v+ >> # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed >> Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed' >> Verifying the zone using the following algorithms: >> - ECDSAP256SHA256 >> Missing ZSK for algorithm ECDSAP256SHA256 >> Missing NSEC record for blog.example.com >> Missing NSEC record for wiki.example.com >> Missing NSEC record for foobar.example.com >> Missing NSEC record for barfoo.example.com >> The zone is not fully signed for the following algorithms: >> vECDSAP256SHA256 >> . >> DNSSEC completeness test failed.NSSEC completeness test failed. >> #v- >> The missing ZSK is throwing me, and I don't know what to add to my zone >> record for NSEC. I am following along (trying) with >> https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no >> mention of this, but shows NSEC showing up in the output of the signed file. > > Use dnssec-verify -z to indicate that the ZSK may be the same key as the KSK. Thanks, so that is sorted. > The missing NSEC records are more worrisome. Oddly, some of the NSEC entries are in the signed zone file (well, I assume that is what this means): NSECblog.example.com. A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY TYPE65534 RRSIG NSEC 13 2 3600 NSECwiki.example.com. CNAME RRSIG NSEC RRSIG NSEC 13 3 3600 ( )all the subdomains are CNAME And some other occurrences of NSEC, but not the home and foobar or barfoo. >> #v- >> Is there a way to force rndc/bind to recreate the .signed file? If I move it >> aside and restart named or rndc reload or rndc reconfig, the signed zone >> file is not recreated. > > > rndc sign zone That recreates the .signed.jnl and not the .signed file. No errors are reported. -- How you have felt, o men of Athens, at hearing the speeches of my accusers, I cannot tell; but I know that their persuasive words almost made me forget who I was, such was the effect of the,; and yet they have hardly spoken a word of truth. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC and NSEC missing ZSK?
Hi, On 08-02-2021 12:20, @lbutlr wrote: I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand. #v+ # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed' Verifying the zone using the following algorithms: - ECDSAP256SHA256 Missing ZSK for algorithm ECDSAP256SHA256 Missing NSEC record for blog.example.com Missing NSEC record for wiki.example.com Missing NSEC record for foobar.example.com Missing NSEC record for barfoo.example.com The zone is not fully signed for the following algorithms: vECDSAP256SHA256 . DNSSEC completeness test failed.NSSEC completeness test failed. #v- The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file. Use dnssec-verify -z to indicate that the ZSK may be the same key as the KSK. The missing NSEC records are more worrisome. The only thing I can find that seems relevant (though it is for bind 9.7.3) is part of the key generation, but I did not generate the keys manually, bind did that with dnssec-policy default; #v+ ; This is the state of key 18434, for example.com. Algorithm: 13 Length: 256 Lifetime: 0 KSK: yes ZSK: yes Generated: 20210202180145 (Tue Feb 2 11:01:45 2021) Published: 20210202180145 (Tue Feb 2 11:01:45 2021) Active: 20210202180145 (Tue Feb 2 11:01:45 2021) PublishCDS: 20210203190645 (Wed Feb 3 12:06:45 2021) DNSKEYChange: 20210202200645 (Tue Feb 2 13:06:45 2021) ZRRSIGChange: 20210203190645 (Wed Feb 3 12:06:45 2021) KRRSIGChange: 20210202200645 (Tue Feb 2 13:06:45 2021) DSChange: 20210203190645 (Wed Feb 3 12:06:45 2021) DNSKEYState: omnipresent ZRRSIGState: omnipresent KRRSIGState: omnipresent DSState: rumoured GoalState: omnipresent #v- So the state file says the ZSK is yes, but dnssec-verify says no. I ran delv test and it looks as I expect based on he guide linked above. #v+ # delv @127.0.0.1 -a /tmp/Kexample.com.+013+18434.key +root=example.com example.com SOA +multiline ; fully validated example.com. 3600 IN SOA ns1.example.net. admin.example.net. ( 2018022422 ; serial 300; refresh (5 minutes) 300; retry (5 minutes) 18000 ; expire (5 hours) 3600 ; minimum (1 hour) ) example.com. 3600 IN RRSIG SOA 13 2 3600 ( 20210221095138 20210207085138 18434 example.com. Qps8u4m6…= #v- Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated. rndc sign zone - Matthijs ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
DNSSEC and NSEC missing ZSK?
I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand. #v+ # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed' Verifying the zone using the following algorithms: - ECDSAP256SHA256 Missing ZSK for algorithm ECDSAP256SHA256 Missing NSEC record for blog.example.com Missing NSEC record for wiki.example.com Missing NSEC record for foobar.example.com Missing NSEC record for barfoo.example.com The zone is not fully signed for the following algorithms: vECDSAP256SHA256 . DNSSEC completeness test failed.NSSEC completeness test failed. #v- The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file. The only thing I can find that seems relevant (though it is for bind 9.7.3) is part of the key generation, but I did not generate the keys manually, bind did that with dnssec-policy default; #v+ ; This is the state of key 18434, for example.com. Algorithm: 13 Length: 256 Lifetime: 0 KSK: yes ZSK: yes Generated: 20210202180145 (Tue Feb 2 11:01:45 2021) Published: 20210202180145 (Tue Feb 2 11:01:45 2021) Active: 20210202180145 (Tue Feb 2 11:01:45 2021) PublishCDS: 20210203190645 (Wed Feb 3 12:06:45 2021) DNSKEYChange: 20210202200645 (Tue Feb 2 13:06:45 2021) ZRRSIGChange: 20210203190645 (Wed Feb 3 12:06:45 2021) KRRSIGChange: 20210202200645 (Tue Feb 2 13:06:45 2021) DSChange: 20210203190645 (Wed Feb 3 12:06:45 2021) DNSKEYState: omnipresent ZRRSIGState: omnipresent KRRSIGState: omnipresent DSState: rumoured GoalState: omnipresent #v- So the state file says the ZSK is yes, but dnssec-verify says no. I ran delv test and it looks as I expect based on he guide linked above. #v+ # delv @127.0.0.1 -a /tmp/Kexample.com.+013+18434.key +root=example.com example.com SOA +multiline ; fully validated example.com. 3600 IN SOA ns1.example.net. admin.example.net. ( 2018022422 ; serial 300; refresh (5 minutes) 300; retry (5 minutes) 18000 ; expire (5 hours) 3600 ; minimum (1 hour) ) example.com. 3600 IN RRSIG SOA 13 2 3600 ( 20210221095138 20210207085138 18434 example.com. Qps8u4m6…= #v- Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated. -- 'I don't see why everyone depends on me. I'm not dependable. Even I don't depend on me, and I'm me.' ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSKEY failure
Hi, On 05-02-2021 10:23, @lbutlr wrote: So, with my test domain that is using dsnssec-policy default dnsviz reports "DNSKEY: No response was received from the server over UDP" But: dig +norec +dnssec +bufsize=512 +ignore dnskey Shows a DNSKEY record. It would be useful to also provide the dig output, and what domain it is about. Compare the output with the response you get when you dig your name servers. Best regards, Matthijs (There is no DNSKEY record shown on the domains still using auto-dnssec maintain; with alg-7 keys, but I think that is expected). Is this a propagation issue, or is there something I need to do for "192.112.36.4, UDP_-_EDNS0_512_D_KN" to see the DNSKEY record? example.com. 3600IN RRSIG DNSKEY 13 2 3600 20210217190645 20210203180645 18434 example.com. {blah blah blah} ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users