Re: DANE record rejected by named-checkzone

2014-11-30 Thread Adrian (Aad) Offerman

On 11/04/2014 11:54 PM, Mark Andrews wrote:
> In message <545954b0.8080...@offerman.com>, "Adrian (Aad) Offerman"
> writes:
> 
> named keeps refusing my zone file in which I included a DANE
> record:
> 
> [root]# named-checkzone offerman.com db.offerman.com
> db.offerman.com:59: _443._tcp.offerman.com: bad owner name (check-names)
> db.offerman.com:60: _443._tcp.offerman.com: bad owner name (check-names)
> zone offerman.com/IN: loaded serial 2014110103
> OK
> [root]#
> 
> This appears to be caused by the underscores used in the
> port/protocol combination.
> 
> Here's what the record looks like:
> 
> _443._tcp   IN  TLSA 3 0 1
>   a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce
> 
>> Well that isn't a valid TLSA record.  It has a bad hex encoding. 
>> There are 63 hex digits.

Just an error in the cutting/pasting, in the mail message that is.


>> TLSA records themselves are not subject to check-names
>> processing so I suggest that you look at the reported lines in
>> the file to find out what is actually there.
> 
>> In the example below it is the A record which has inherited the 
>> _443._tcp owner name.

Ah, that did the job! :-) Inserting a block of TLSA records at the
wrong place screwed up the inheritance for the next record.

Thanks! Adrian


>> Mark
> 
>> [rock:~/git/bind9] marka% bin/check/named-checkzone c.db c.db
>> c.db:1: no TTL specified; using SOA MINTTL instead
>> dns_rdata_fromtext: c.db:3: near eol: bad hex encoding
>> c.db:4: _443._tcp.c.db: bad owner name (check-names)
>> zone c.db/IN: loading from master file c.db failed: bad hex encoding
>> zone c.db/IN: not loaded due to errors.
>> [rock:~/git/bind9] marka%
> 
>> @   IN SOA . . 0 0 0 0 0
>> @   IN NS .
>> _443._tcp IN TLSA 3 0 1
>> a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce
>> IN A 1.2.3.4
> 
> 
> It was created first using this:
>   tlsa --create --output rfc offerman.com
> later using this:
>   ldns-dane create offerman.com 443
> both resulting in the same record, and both outputs resulting in the
> same error.
> 
> I've upgraded the named version (on CentOS 6.6) from 9.8.2 to
> 9.9.6, but all to no avail :-(
> 
> [root]# named-checkzone -v
> 9.9.6-RedHat-9.9.6-0.el6
> 
> Am I trying to do something here that is not yet supported or am I 
> overlooking something?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DANE record rejected by named-checkzone

2014-11-04 Thread Mark Andrews

In message <545954b0.8080...@offerman.com>, "Adrian (Aad) Offerman" writes:
> 
> named keeps refusing my zone file in which I included a DANE record:
> 
> [root]# named-checkzone offerman.com db.offerman.com
> db.offerman.com:59: _443._tcp.offerman.com: bad owner name (check-names)
> db.offerman.com:60: _443._tcp.offerman.com: bad owner name (check-names)
> zone offerman.com/IN: loaded serial 2014110103
> OK
> [root]#
> 
> This appears to be caused by the underscores used in the port/protocol
> combination.
> 
> Here's what the record looks like:
> 
> _443._tcp   IN  TLSA 3 0 1
>   a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce

Well that isn't a valid TLSA record.  It has a bad hex encoding.
There are 63 hex digits.

TLSA records themselves are not subject to check-names processing
so I suggest that you look at the reported lines in the file to
find out what is actually there.

In the example below it is the A record which has inherited the
_443._tcp owner name.

Mark

[rock:~/git/bind9] marka% bin/check/named-checkzone c.db c.db
c.db:1: no TTL specified; using SOA MINTTL instead
dns_rdata_fromtext: c.db:3: near eol: bad hex encoding
c.db:4: _443._tcp.c.db: bad owner name (check-names)
zone c.db/IN: loading from master file c.db failed: bad hex encoding
zone c.db/IN: not loaded due to errors.
[rock:~/git/bind9] marka% 

@   IN SOA . . 0 0 0 0 0
@   IN NS .
_443._tcp IN TLSA 3 0 1  
a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce
IN A 1.2.3.4

 
> It was created first using this:
>   tlsa --create --output rfc offerman.com
> later using this:
>   ldns-dane create offerman.com 443
> both resulting in the same record, and both outputs resulting in the
> same error.
> 
> I've upgraded the named version (on CentOS 6.6) from 9.8.2 to 9.9.6,
> but all to no avail :-(
> 
> [root]# named-checkzone -v
> 9.9.6-RedHat-9.9.6-0.el6
> 
> Am I trying to do something here that is not yet supported or am I
> overlooking something?
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
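Mark's diagnosis above (and the symptom in Adrian's original post further down) turns on two pieces of master-file behaviour: a record line that starts with whitespace inherits the owner name of the record before it, and check-names is applied to the owner names of host-type records such as A but not to TLSA, so the underscore-labelled _443._tcp only becomes an error once an A record inherits it. The other error, bad hex encoding, is simply the TLSA certificate-association field failing to decode as hex (63 digits is an odd count; a SHA-256 matching-type-1 value must be 64). The Python linter below is an added example, not code from the thread, from BIND or from ISC. It reproduces both checks on a constructed zone in which example.com, the 192.0.2.x addresses and the 64-digit placeholder digest are assumptions, and the set of record types it subjects to check-names is an assumption about BIND's behaviour rather than a quotation of it.

```python
# Added example (not code from the thread, from BIND or from ISC): a small zone
# linter mimicking the two named-checkzone behaviours behind the errors above
# (owner-name inheritance and check-names) plus validation of TLSA hex data.
import hashlib
import re

# Assumption: check-names covers owner names of these host-type records and not
# TLSA; this is the subset the thread relies on, not BIND's full table.
CHECKED_TYPES = {"A", "AAAA", "MX", "NS"}
HOST_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
TLSA_DIGEST_LEN = {1: 32, 2: 64}  # matching type -> digest bytes; 0 is raw data

def parse_zone(text, origin):
    """Yield (lineno, owner, rrtype, rdata_fields); one record per line, $-directives skipped."""
    last_owner = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if line[:1].isspace():
            # No owner field: the previous owner is reused, which is how the A record became _443._tcp
            if last_owner is None:
                raise ValueError(f"line {lineno}: no owner name to inherit")
            owner = last_owner
        else:
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)  # optional TTL and class precede the type
        if not fields:
            raise ValueError(f"line {lineno}: missing record type")
        yield lineno, owner, fields.pop(0).upper(), fields

def is_hostname(owner):
    """check-names rule: each label is letters, digits and hyphens only."""
    return all(label == "*" or HOST_LABEL.match(label) for label in owner.rstrip(".").split("."))

def check_tlsa(fields):
    """Return a problem string for TLSA rdata fields, or None when valid."""
    if len(fields) < 4:
        return "TLSA: expected usage, selector, matching type and hex data"
    try:
        usage, selector, mtype = (int(f) for f in fields[:3])
    except ValueError:
        return "TLSA: usage, selector and matching type must be integers"
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= mtype <= 2):
        return f"TLSA: unknown usage/selector/matching type {usage} {selector} {mtype}"
    hexdata = "".join(fields[3:])  # whitespace inside the hex field is allowed
    try:
        data = bytes.fromhex(hexdata)  # rejects odd length and non-hex characters
    except ValueError:
        return f"TLSA: bad hex encoding ({len(hexdata)} hex digits)"
    want = TLSA_DIGEST_LEN.get(mtype)
    if want is not None and len(data) != want:
        return f"TLSA: matching type {mtype} needs {want} bytes, got {len(data)}"
    return None

def lint_zone(text, origin):
    """Return [(lineno, owner, rrtype, message)] for what named-checkzone would flag."""
    problems = []
    for lineno, owner, rrtype, fields in parse_zone(text, origin):
        if rrtype in CHECKED_TYPES and not is_hostname(owner):
            problems.append((lineno, owner, rrtype, "bad owner name (check-names)"))
        if rrtype == "TLSA" and (msg := check_tlsa(fields)):
            problems.append((lineno, owner, rrtype, msg))
    return problems

def tlsa_rdata(der_bytes, usage=3, selector=0, mtype=1):
    """Digest-type TLSA rdata: pass the DER cert (selector 0) or its SPKI (selector 1)."""
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](der_bytes).hexdigest()
    return f"{usage} {selector} {mtype} {digest}"

# Constructed zone reproducing the thread's mistake: a TLSA block pasted between
# the apex records and an A record that relied on inheriting "@", with a digest
# that lost one hex digit in copy/paste (63 digits). example.com is a placeholder.
BROKEN_ZONE = """\
@           IN SOA  ns1 hostmaster 2014110103 7200 3600 1209600 3600
@           IN NS   ns1
_443._tcp   IN TLSA 3 0 1 a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce
            IN A    192.0.2.1
"""

# Repaired: explicit owner on the A record, TLSA block after the apex records,
# and a 64-digit placeholder digest (constructed, not a real certificate hash).
FIXED_ZONE = """\
@           IN SOA  ns1 hostmaster 2014110104 7200 3600 1209600 3600
@           IN NS   ns1
@           IN A    192.0.2.1
_443._tcp   IN TLSA 3 0 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for name, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(name, lint_zone(zone, "example.com."))
```

Run stand-alone, it reports line 3 (bad hex, 63 digits) and line 4 (the A record that inherited _443._tcp.example.com.) for the broken zone, the same two line numbers named-checkzone prints for Mark's c.db, and nothing for the repaired zone. tlsa_rdata() shows where a correct value comes from: SHA-256 over the DER certificate for selector 0, which can never be 63 digits. The practical takeaway when pasting a block of _port._proto records into an existing zone is to put it after the records that rely on an inherited owner, or to give every record that follows an explicit owner, then re-run named-checkzone, which remains the authoritative check.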


DANE record rejected by named-checkzone

2014-11-04 Thread Adrian (Aad) Offerman

named keeps refusing my zone file in which I included a DANE record:

[root]# named-checkzone offerman.com db.offerman.com
db.offerman.com:59: _443._tcp.offerman.com: bad owner name (check-names)
db.offerman.com:60: _443._tcp.offerman.com: bad owner name (check-names)
zone offerman.com/IN: loaded serial 2014110103
OK
[root]#

This appears to be caused by the underscores used in the port/protocol
combination.

Here's what the record looks like:

_443._tcp   IN  TLSA 3 0 1
  a66939453856cd6b0f78427eb38d3a9921cfb8bab928d24017a172647e323ce

It was created first using this:
  tlsa --create --output rfc offerman.com
later using this:
  ldns-dane create offerman.com 443
both resulting in the same record, and both outputs resulting in the
same error.

I've upgraded the named version (on CentOS 6.6) from 9.8.2 to 9.9.6,
but all to no avail :-(

[root]# named-checkzone -v
9.9.6-RedHat-9.9.6-0.el6

Am I trying to do something here that is not yet supported or am I
overlooking something?