Re: Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?

2009-01-13 Thread Johan Ihren

Hi Mark,

>> Anyone done this recently who can give me a suggestion to where I may
>> go wrong?
>
> NXDOMAIN + OPTOUT - AD=0

Doh! I reversed the logic for OPTOUT in my apparently confused head.  
Many thanks for the quick correction. Everything works just as expected.


Johan

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?

2009-01-12 Thread Mark Andrews

In message a0e00a9b-89cc-4b94-a3a5-49fd22fe3...@johani.org, Johan Ihren writes:
> I realise this just has to be a user error, but so far I've been
> completely unsuccessful in getting an authenticated response from a
> 9.6.0 recursive server with trusted keys correctly configured.
>
> I've done this:
>
> * Signed the zones:
>
> parent is signed with NSEC semantics, key algorithm is RSASHA1
> child1.parent is signed with NSEC, key algorithm is RSASHA1
> child2.parent is signed with NSEC3, key algorithm is NSEC3RSASHA1

Did you tell dnssec-signzone to generate NSEC3 chains rather
than NSEC chains?  NSEC3RSASHA1 allows for both NSEC and
NSEC3 chains and dnssec-signzone defaults to NSEC chains.

dnssec-signzone -3 salt [-H iterations] [-A]

> * Created the secure delegations:
>
> the DS records for child1.parent and child2.parent both use the
> correct algorithm numbers (5 and 7 respectively)
>
> * Configured a trusted key for parent in a recursive server:
>
> The trusted key is correctly configured, because I'm able to validate
> positive responses from all three zones (which also proves that the
> delegations are correctly secured via the DS records). I'm also able
> to validate negative responses from parent and child1.parent.
>
> And, yes, I have dnssec-enable yes; dnssec-validation yes; in
> relevant places.
>
> But I fail to validate the interesting case, i.e. a negative response
> from child2.parent containing NSEC3 records as the proof. I get the
> response, with all the NSEC3s and their RRSIGs. But no AD bit.
>
> Anyone done this recently who can give me a suggestion to where I may
> go wrong?
>
> Johan
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?

2009-01-12 Thread Johan Ihren

Hi Mark,

On 12 Jan 2009, at 23:49, Mark Andrews wrote:

>> I realise this just has to be a user error, but so far I've been
>> completely unsuccessful in getting an authenticated response from a
>> 9.6.0 recursive server with trusted keys correctly configured.
>>
>> I've done this:
>>
>> * Signed the zones:
>>
>> parent is signed with NSEC semantics, key algorithm is RSASHA1
>> child1.parent is signed with NSEC, key algorithm is RSASHA1
>> child2.parent is signed with NSEC3, key algorithm is NSEC3RSASHA1
>
> Did you tell dnssec-signzone to generate NSEC3 chains rather
> than NSEC chains?  NSEC3RSASHA1 allows for both NSEC and
> NSEC3 chains and dnssec-signzone defaults to NSEC chains.
>
> dnssec-signzone -3 salt [-H iterations] [-A]

Absolutely, and the signed zone looks fine (except that it is full of
ugly NSEC3's ;-). This is my dnssec-signzone invocation:

dnssec-signzone -N increment -v 9 -a -A -H 1 -3  -o $ZONE $ZONE $ZSK $KSK

>> * Created the secure delegations:
>>
>> the DS records for child1.parent and child2.parent both use the
>> correct algorithm numbers (5 and 7 respectively)
>>
>> * Configured a trusted key for parent in a recursive server:
>>
>> The trusted key is correctly configured, because I'm able to validate
>> positive responses from all three zones (which also proves that the
>> delegations are correctly secured via the DS records). I'm also able
>> to validate negative responses from parent and child1.parent.
>>
>> And, yes, I have dnssec-enable yes; dnssec-validation yes; in
>> relevant places.
>>
>> But I fail to validate the interesting case, i.e. a negative response
>> from child2.parent containing NSEC3 records as the proof. I get the
>> response, with all the NSEC3s and their RRSIGs. But no AD bit.
>>
>> Anyone done this recently who can give me a suggestion to where I may
>> go wrong?

Johan



Re: Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?

2009-01-12 Thread Mark Andrews

In message 088512ac-625e-4a72-aa90-65c73fb8b...@johani.org, Johan Ihren writes:
> Hi Mark,
>
> On 12 Jan 2009, at 23:49, Mark Andrews wrote:
>
>>> I realise this just has to be a user error, but so far I've been
>>> completely unsuccessful in getting an authenticated response from a
>>> 9.6.0 recursive server with trusted keys correctly configured.
>>>
>>> I've done this:
>>>
>>> * Signed the zones:
>>>
>>> parent is signed with NSEC semantics, key algorithm is RSASHA1
>>> child1.parent is signed with NSEC, key algorithm is RSASHA1
>>> child2.parent is signed with NSEC3, key algorithm is NSEC3RSASHA1
>>
>> Did you tell dnssec-signzone to generate NSEC3 chains rather
>> than NSEC chains?  NSEC3RSASHA1 allows for both NSEC and
>> NSEC3 chains and dnssec-signzone defaults to NSEC chains.
>>
>> dnssec-signzone -3 salt [-H iterations] [-A]
>
> Absolutely, and the signed zone looks fine (except that it is full of
> ugly NSEC3's ;-). This is my dnssec-signzone invocation:
>
> dnssec-signzone -N increment -v 9 -a -A -H 1 -3  -o $ZONE $ZONE $ZSK $KSK
>
>>> * Created the secure delegations:
>>>
>>> the DS records for child1.parent and child2.parent both use the
>>> correct algorithm numbers (5 and 7 respectively)
>>>
>>> * Configured a trusted key for parent in a recursive server:
>>>
>>> The trusted key is correctly configured, because I'm able to validate
>>> positive responses from all three zones (which also proves that the
>>> delegations are correctly secured via the DS records). I'm also able
>>> to validate negative responses from parent and child1.parent.
>>>
>>> And, yes, I have dnssec-enable yes; dnssec-validation yes; in
>>> relevant places.
>>>
>>> But I fail to validate the interesting case, i.e. a negative response
>>> from child2.parent containing NSEC3 records as the proof. I get the
>>> response, with all the NSEC3s and their RRSIGs. But no AD bit.
>>>
>>> Anyone done this recently who can give me a suggestion to where I may
>>> go wrong?

NXDOMAIN + OPTOUT - AD=0

> Johan
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
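Mark's one-line answer ("NXDOMAIN + OPTOUT - AD=0") is the validator behaviour RFC 5155 requires: an NSEC3 record with the Opt-Out flag set covers a span of hashed names in which unsigned delegations may exist without an NSEC3 of their own, so a Name Error proven through such a span cannot prove the name is absent, and the answer is classified insecure rather than secure (no AD bit). The block below is an added example written for this thread, not BIND's validator and not code from either poster: it implements the NSEC3 hash (RFC 5155 section 5), the cover test on the hashed chain, and the Name Error proof of section 8.4 (closest encloser match, cover of the next closer name, cover of the wildcard at the closest encloser), and then classifies the same NXDOMAIN as "secure" with a plain NSEC3 chain and "insecure" once the chain carries Opt-Out, which is what the `-A` in Johan's dnssec-signzone invocation produces. The zone names are the thread's; the salt `aabbccdd`, the iteration count, the record set and the `build_chain` helper (a toy stand-in for dnssec-signzone) are constructed for the example.

```python
"""Why an NXDOMAIN proven through an NSEC3 Opt-Out span is "insecure" (AD=0).

Added example, not BIND code. Implements the RFC 5155 NSEC3 hash (section 5),
the cover test on the hashed chain, and the Name Error proof of section 8.4.
"""
import base64
import hashlib
from typing import FrozenSet, List, NamedTuple

OPT_OUT = 0x01  # NSEC3 Flags field, Opt-Out bit (RFC 5155 section 3.1.2.1)

_B32 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32, _B32HEX)


class NSEC3(NamedTuple):
    owner_hash: str       # base32hex label of the hashed owner name
    flags: int
    next_hash: str        # base32hex "next hashed owner name"
    types: FrozenSet[str]


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, ending with the root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in name.split(".") if name else []:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(x,0) = H(x||salt); IH(x,k) = H(IH(x,k-1)||salt); H = SHA-1."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 160 bits encode to exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def covers(owner_hash: str, next_hash: str, target: str) -> bool:
    """True if target lies strictly inside the span (owner, next); the last record wraps to the first."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target.lower()
    if o < n:
        return o < t < n
    return t > o or t < n  # wrap-around span (also covers the single-record chain)


def classify_nxdomain(qname: str, zone: str, salt: bytes, iterations: int,
                      records: List[NSEC3]) -> str:
    """Evaluate an NSEC3 Name Error proof; returns "secure", "insecure" or "bogus"."""
    labels = qname.rstrip(".").lower().split(".")
    zlabels = zone.rstrip(".").lower().split(".")
    if len(labels) <= len(zlabels) or labels[-len(zlabels):] != zlabels:
        raise ValueError("qname must be a proper descendant of the zone")

    def matched(name: str) -> bool:
        h = nsec3_hash(name, salt, iterations)
        return any(r.owner_hash.lower() == h for r in records)

    def covering(name: str):
        h = nsec3_hash(name, salt, iterations)
        return next((r for r in records if covers(r.owner_hash, r.next_hash, h)), None)

    # Walk up from qname until an ancestor has a matching NSEC3: that is the closest encloser.
    for i in range(1, len(labels) - len(zlabels) + 1):
        if matched(".".join(labels[i:])):
            closest_encloser = ".".join(labels[i:])
            next_closer = ".".join(labels[i - 1:])
            break
    else:
        return "bogus"  # no closest encloser proven

    nc = covering(next_closer)
    if nc is None or covering("*." + closest_encloser) is None:
        return "bogus"  # next closer or wildcard not covered: proof incomplete
    if nc.flags & OPT_OUT:
        # The Opt-Out span may contain unsigned delegations with no NSEC3 of their
        # own, so non-existence is not proven; a validator leaves the AD bit clear.
        return "insecure"
    return "secure"


def build_chain(names: List[str], salt: bytes, iterations: int,
                opt_out: bool = False) -> List[NSEC3]:
    """Toy chain builder for the example (stands in for dnssec-signzone; not a real signer)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    flags = OPT_OUT if opt_out else 0
    return [NSEC3(h, flags, hashes[(i + 1) % len(hashes)], frozenset())
            for i, h in enumerate(hashes)]


if __name__ == "__main__":
    # Constructed zone: child2.parent from the thread, with a made-up salt and -H 1.
    salt, iters = bytes.fromhex("aabbccdd"), 1
    names = ["child2.parent", "www.child2.parent", "mail.child2.parent"]
    for opt_out in (False, True):
        chain = build_chain(names, salt, iters, opt_out)
        verdict = classify_nxdomain("nope.child2.parent", "child2.parent", salt, iters, chain)
        print(f"opt-out={opt_out}: NXDOMAIN for nope.child2.parent -> {verdict}")
```

The same distinction is visible from a client: `dig +dnssec` for a nonexistent name under an Opt-Out zone returns NSEC3 records with RRSIGs but a `flags:` line without `ad`, which is exactly the symptom in the thread. Re-signing with Opt-Out only where it is needed, or not at all, makes the Name Error proof complete and the resolver sets AD.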


Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?

2009-01-11 Thread Johan Ihren

I realise this just has to be a user error, but so far I've been
completely unsuccessful in getting an authenticated response from a
9.6.0 recursive server with trusted keys correctly configured.


I've done this:

* Signed the zones:

parent is signed with NSEC semantics, key algorithm is RSASHA1
child1.parent is signed with NSEC, key algorithm is RSASHA1
child2.parent is signed with NSEC3, key algorithm is NSEC3RSASHA1

* Created the secure delegations:

the DS records for child1.parent and child2.parent both use the  
correct algorithm numbers (5 and 7 respectively)


* Configured a trusted key for parent in a recursive server:

The trusted key is correctly configured, because I'm able to validate  
positive responses from all three zones (which also proves that the  
delegations are correctly secured via the DS records). I'm also able  
to validate negative responses from parent and child1.parent.


And, yes, I have dnssec-enable yes; dnssec-validation yes; in  
relevant places.


But I fail to validate the interesting case, i.e. a negative response  
from child2.parent containing NSEC3 records as the proof. I get the  
response, with all the NSEC3s and their RRSIGs. But no AD bit.


Anyone done this recently who can give me a suggestion to where I may  
go wrong?


Johan
