Re: DNSSEC and NSEC missing ZSK?
On 09 Feb 2021, at 16:19, Mal via bind-users wrote: > On 09/02/2021 10:47 pm, @ wrote: >> Well, I have finally ogttenteh test zone to the point where dnssec-verify is >> happy and everything that I can check also seems happy except dnsviz which >> is very very VERY angry and basically says the zone is entirely garabge. I >> am hoping this is a propagation issue, but I kind of doubt it since it >> should be quarrying the authoritative DNS for the DNSKEY and RRSIG and such, >> I'd think. > The easiest way to get help is to post your named.conf and zone file. Not doing that for domains that are not actually owned by me, which includes the domain I was using to test this setup. > DNSVIZ displays your current state very well. If its showing you > errors, then it requires you to act. Seems not to be the case as after 10 hours or so, dnsviz has stopped complaining. -- Heisenberg's only uncertainty was what pub to vomit in next and Jung fancied Freud's mother too. -- Jared Earle ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC and NSEC missing ZSK?
On 09/02/2021 10:47 pm, @ wrote: > Well, I have finally ogttenteh test zone to the point where dnssec-verify is > happy and everything that I can check also seems happy except dnsviz which is > very very VERY angry and basically says the zone is entirely garabge. I am > hoping this is a propagation issue, but I kind of doubt it since it should be > quarrying the authoritative DNS for the DNSKEY and RRSIG and such, I'd think. The easiest way to get help is to post your named.conf and zone file. Obfuscating the configuration works against you, especially when you have a limited understanding of DNSSEC. DNSVIZ displays your current state very well. If its showing you errors, then it requires you to act. The query IPs DNSVIZ typically uses are: 64.191.0.132 64.191.0.138 2620:ff:c000::132 2620:ff:c000::138 So you can easily reconcile the DNSVIZ query, in real time, that produced your data set. The DS record propagation, at the registry level, should never take days (no more than 15-30 minutes is my experience). You need to make sure you have configured (or instructed the registry, per manual intervention) the correct Algorithm (13) and the digest type (SHA256) when you provide your Hash. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC and NSEC missing ZSK?
On 08 Feb 2021, at 11:10, @lbutlr wrote: > That recreates the .signed.jnl and not the .signed file. No errors are > reported. Well, I have finally ogttenteh test zone to the point where dnssec-verify is happy and everything that I can check also seems happy except dnsviz which is very very VERY angry and basically says the zone is entirely garabge. I am hoping this is a propagation issue, but I kind of doubt it since it should be quarrying the authoritative DNS for the DNSKEY and RRSIG and such, I'd think. I'll give it a couple of days and see where I am there before I try to move any domains that are actually used. Thanks everyone for prods and hints along this path. -- When and where does this "real world" occur?! ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC and NSEC missing ZSK?
> On 08 Feb 2021, at 07:24, Matthijs Mekking wrote: > > Hi, > > On 08-02-2021 12:20, @lbutlr wrote: >> I feel I am getting close. I got the digest generated for hover.com and >> updated the DNS on the test zone, but I am getting errors on verify that I >> don't understand. >> #v+ >> # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed >> Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed' >> Verifying the zone using the following algorithms: >> - ECDSAP256SHA256 >> Missing ZSK for algorithm ECDSAP256SHA256 >> Missing NSEC record for blog.example.com >> Missing NSEC record for wiki.example.com >> Missing NSEC record for foobar.example.com >> Missing NSEC record for barfoo.example.com >> The zone is not fully signed for the following algorithms: >> vECDSAP256SHA256 >> . >> DNSSEC completeness test failed.NSSEC completeness test failed. >> #v- >> The missing ZSK is throwing me, and I don't know what to add to my zone >> record for NSEC. I am following along (trying) with >> https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no >> mention of this, but shows NSEC showing up in the output of the signed file. > > Use dnssec-verify -z to indicate that the ZSK may be the same key as the KSK. Thanks, so that is sorted. > The missing NSEC records are more worrisome. Oddly, some of the NSEC entries are in the signed zone file (well, I assume that is what this means): NSECblog.example.com. A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY TYPE65534 RRSIG NSEC 13 2 3600 NSECwiki.example.com. CNAME RRSIG NSEC RRSIG NSEC 13 3 3600 ( )all the subdomains are CNAME And some other occurrences of NSEC, but not the home and foobar or barfoo. >> #v- >> Is there a way to force rndc/bind to recreate the .signed file? If I move it >> aside and restart named or rndc reload or rndc reconfig, the signed zone >> file is not recreated. > > > rndc sign zone That recreates the .signed.jnl and not the .signed file. No errors are reported. -- How you have felt, o men of Athens, at hearing the speeches of my accusers, I cannot tell; but I know that their persuasive words almost made me forget who I was, such was the effect of the,; and yet they have hardly spoken a word of truth. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC and NSEC missing ZSK?
Hi, On 08-02-2021 12:20, @lbutlr wrote: I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand. #v+ # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed' Verifying the zone using the following algorithms: - ECDSAP256SHA256 Missing ZSK for algorithm ECDSAP256SHA256 Missing NSEC record for blog.example.com Missing NSEC record for wiki.example.com Missing NSEC record for foobar.example.com Missing NSEC record for barfoo.example.com The zone is not fully signed for the following algorithms: vECDSAP256SHA256 . DNSSEC completeness test failed.NSSEC completeness test failed. #v- The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file. Use dnssec-verify -z to indicate that the ZSK may be the same key as the KSK. The missing NSEC records are more worrisome. The only thing I can find that seems relevant (though it is for bind 9.7.3) is part of the key generation, but I did not generate the keys manually, bind did that with dnssec-policy default; #v+ ; This is the state of key 18434, for example.com. Algorithm: 13 Length: 256 Lifetime: 0 KSK: yes ZSK: yes Generated: 20210202180145 (Tue Feb 2 11:01:45 2021) Published: 20210202180145 (Tue Feb 2 11:01:45 2021) Active: 20210202180145 (Tue Feb 2 11:01:45 2021) PublishCDS: 20210203190645 (Wed Feb 3 12:06:45 2021) DNSKEYChange: 20210202200645 (Tue Feb 2 13:06:45 2021) ZRRSIGChange: 20210203190645 (Wed Feb 3 12:06:45 2021) KRRSIGChange: 20210202200645 (Tue Feb 2 13:06:45 2021) DSChange: 20210203190645 (Wed Feb 3 12:06:45 2021) DNSKEYState: omnipresent ZRRSIGState: omnipresent KRRSIGState: omnipresent DSState: rumoured GoalState: omnipresent #v- So the state file says the ZSK is yes, but dnssec-verify says no. I ran delv test and it looks as I expect based on he guide linked above. #v+ # delv @127.0.0.1 -a /tmp/Kexample.com.+013+18434.key +root=example.com example.com SOA +multiline ; fully validated example.com. 3600 IN SOA ns1.example.net. admin.example.net. ( 2018022422 ; serial 300; refresh (5 minutes) 300; retry (5 minutes) 18000 ; expire (5 hours) 3600 ; minimum (1 hour) ) example.com. 3600 IN RRSIG SOA 13 2 3600 ( 20210221095138 20210207085138 18434 example.com. Qps8u4m6…= #v- Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated. rndc sign zone - Matthijs ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
DNSSEC and NSEC missing ZSK?
I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand. #v+ # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed' Verifying the zone using the following algorithms: - ECDSAP256SHA256 Missing ZSK for algorithm ECDSAP256SHA256 Missing NSEC record for blog.example.com Missing NSEC record for wiki.example.com Missing NSEC record for foobar.example.com Missing NSEC record for barfoo.example.com The zone is not fully signed for the following algorithms: vECDSAP256SHA256 . DNSSEC completeness test failed.NSSEC completeness test failed. #v- The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file. The only thing I can find that seems relevant (though it is for bind 9.7.3) is part of the key generation, but I did not generate the keys manually, bind did that with dnssec-policy default; #v+ ; This is the state of key 18434, for example.com. Algorithm: 13 Length: 256 Lifetime: 0 KSK: yes ZSK: yes Generated: 20210202180145 (Tue Feb 2 11:01:45 2021) Published: 20210202180145 (Tue Feb 2 11:01:45 2021) Active: 20210202180145 (Tue Feb 2 11:01:45 2021) PublishCDS: 20210203190645 (Wed Feb 3 12:06:45 2021) DNSKEYChange: 20210202200645 (Tue Feb 2 13:06:45 2021) ZRRSIGChange: 20210203190645 (Wed Feb 3 12:06:45 2021) KRRSIGChange: 20210202200645 (Tue Feb 2 13:06:45 2021) DSChange: 20210203190645 (Wed Feb 3 12:06:45 2021) DNSKEYState: omnipresent ZRRSIGState: omnipresent KRRSIGState: omnipresent DSState: rumoured GoalState: omnipresent #v- So the state file says the ZSK is yes, but dnssec-verify says no. I ran delv test and it looks as I expect based on he guide linked above. #v+ # delv @127.0.0.1 -a /tmp/Kexample.com.+013+18434.key +root=example.com example.com SOA +multiline ; fully validated example.com. 3600 IN SOA ns1.example.net. admin.example.net. ( 2018022422 ; serial 300; refresh (5 minutes) 300; retry (5 minutes) 18000 ; expire (5 hours) 3600 ; minimum (1 hour) ) example.com. 3600 IN RRSIG SOA 13 2 3600 ( 20210221095138 20210207085138 18434 example.com. Qps8u4m6…= #v- Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated. -- 'I don't see why everyone depends on me. I'm not dependable. Even I don't depend on me, and I'm me.' ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users