Re: [Pdns-users] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes
On Sat, 29 Jan 2011 00:38:12 +0100, Christof Meerwald wrote: That's really excellent news - I have just migrated my 2 nameservers to SVN revision 1928 and signed one of the zones (btw, the setup is: master using bind backend for the zone data and gsqlite3 for the key data - slave is using gsqlite3 and AXFR from master). Let's see what happens... Hmm, I still don't understand DNSSEC well enough to really make some sense of it all, but there are certainly some strange things here: The zone I am testing with is cmeerw.priv.at, master dns is ns.cmeerw.net and slave is ns2.cmeerw.net (and trying to use nsec3). Requesting the SOA record appears to work fine on both servers: dig +dnssec -t SOA cmeerw.priv.at @ns.cmeerw.net dig +dnssec -t SOA cmeerw.priv.at @ns2.cmeerw.net But if I try to query for NS, I get some RRSIG records in the additional section, but only from ns.cmeerw.net: ;; ADDITIONAL SECTION: ns2.cmeerw.net. 28800 IN A 80.190.133.60 ns2.cmeerw.net. 28800 IN RRSIG A 8 3 28800 2011021000 2011012700 35080 cmeerw.priv.at. mKFWS0sPy8sFs4kWGgs0dvniiDAGzpgxPw/LgsCZ88r/k9Lc/+6pHK8k nkh9QzshTFkHKfIsM5NBr8ABRMPSligLc+t6Qb2B3P+Sfz3kVoW1baoS VTJAjkbMzTa5uD/HD6C0qX3KdMy4wxOq8YZAHislWkuNydCcM+/vGmBt fvo= ns.cmeerw.net. 28800 IN A 84.200.12.152 ns.cmeerw.net. 28800 IN RRSIG A 8 3 28800 2011021000 2011012700 35080 cmeerw.priv.at. kfoB3v8GYzdKJ6afJR81msJ2AKGNQ/7HIsS50ISphbWqUK5UrLDe5kno s1L8JoshcXxUyxcMl2s4SaJX3h+ImFsact8Xunl8fl+AwSJJrbHd4Dsb M1OhxfpTaEHzvBgX/nR0Xam52xBm5ruqOL26mRZjjhbUqlSI21IbP9O6 UEY= not from ns2.cmeerw.net: ;; ADDITIONAL SECTION: ns.cmeerw.net. 28800 IN A 84.200.12.152 ns2.cmeerw.net. 28800 IN A 80.190.133.60 Note that both servers are authoritative for cmeerw.net, but the zone is not signed. And finally, if I try to query a non-existing record, the response seems reasonable from ns.cmeerw.net: ;; AUTHORITY SECTION: cmeerw.priv.at. 28800 IN SOA ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600 cmeerw.priv.at. 28800 IN NSEC3 1 0 1 AB SO== RRSIG cmeerw.priv.at. 28800 IN RRSIG SOA 8 3 28800 2011021000 2011012700 35080 cmeerw.priv.at. NQToBHA8ywWqjAtYM3ApLJw9fIbKe/mdUysBQ010d9FGCS0n8TQ2eEtO RjfAl4ZjNpv7oB+AukM3a2jwCIVQh8Tsb5PNOoNKL3UxaLtB/j/S7Dbg wAW6fAAhcharh665lHw07vECWbDvNDU5t4TmmHPrJ/dlph3xBOCrWw5n bpI= cmeerw.priv.at. 28800 IN RRSIG NSEC3 8 3 28800 2011021000 2011012700 35080 cmeerw.priv.at. kKbZ50zzk0drm29L7xbtjOo3hG4Xhj3NbwM290Lzckq2ipmb9/iDFnyO fKxWgJrsHYyigESCRAMUnYAqJvyfWw49Ke1dOu1uVMe6gtS9YDTws12z oIXj2H+Mo5UxvF02WYHwuSQsDeP8So4IctT466Xkv60LhS5G6y8lwvOf FK4= but very strange from ns2.cmeerw.net: ;; AUTHORITY SECTION: cmeerw.priv.at. 28800 IN SOA ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600 8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. 7200 IN NSEC3 1 0 1 AB RRSIG=== NSEC3 cmeerw.priv.at. 28800 IN RRSIG SOA 8 3 28800 2011021000 2011012700 35080 cmeerw.priv.at. NQToBHA8ywWqjAtYM3ApLJw9fIbKe/mdUysBQ010d9FGCS0n8TQ2eEtO RjfAl4ZjNpv7oB+AukM3a2jwCIVQh8Tsb5PNOoNKL3UxaLtB/j/S7Dbg wAW6fAAhcharh665lHw07vECWbDvNDU5t4TmmHPrJ/dlph3xBOCrWw5n bpI= ca95b8nmpkjglrraoo4cu4m9sp7m2ma9.cmeerw.priv.at. 28800 IN NSEC3 1 0 1 AB 8B40PO8GOOOQDT13TAD1L7J5OHT0PUO3 RRSIG NSEC3 8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. 7200 IN RRSIG NSEC3 8 4 7200 2011021000 2011012700 35080 cmeerw.priv.at. pFoJS2R2QOKLvCu8Lj3i3RWVSLf86pygLHB8WgsFVCMkcu3IaVbc1ZsL 5+cPm2yYgGAwMUw1ZdNutm8lZwempxhyXn3q4uJ8CBaKx6EYCpCiIuxZ ATIYSYR3apEfLDkNIHLZzlLFSEsHvNsxTOM4ZGgFu2ZLCh0p7HSYNE+n l4Y= ca95b8nmpkjglrraoo4cu4m9sp7m2ma9.cmeerw.priv.at. 28800 IN RRSIG NSEC3 8 4 28800 2011021000 2011012700 35080 cmeerw.priv.at. H76INArO3yFe9iIKs8NCdVy6+L7pj4vcn+ESjuEAuTH1pShXt7ZxuLQL t/TiF89/NbtbbAG6RB3KARA2c/FtGag5tR6/sxVGpyF4Kx0K25BwCtmO LHErS7g3860YvXBzUwhwCvOeG9oQJ4Fyi5NsrzR5O2Jc68Axqzo9Gfsq /O4= Any ideas on these observations? (feel free to query these nameservers yourself) Christof -- http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes
On Sat, Jan 29, 2011 at 10:30:47AM +0100, Christof Meerwald wrote: On Sat, 29 Jan 2011 00:38:12 +0100, Christof Meerwald wrote: That's really excellent news - I have just migrated my 2 nameservers to SVN revision 1928 and signed one of the zones (btw, the setup is: master using bind backend for the zone data and gsqlite3 for the key data - slave is using gsqlite3 and AXFR from master). Let's see what happens... Hmm, I still don't understand DNSSEC well enough to really make some sense of it all, but there are certainly some strange things here: Indeed. The zone I am testing with is cmeerw.priv.at, master dns is ns.cmeerw.net and slave is ns2.cmeerw.net (and trying to use nsec3). Ok, so the setup is that both ns and ns2 have all the keying materials, and ns serves a pre-signed zone over AXFR. ns2 receives this AXFR, should rectify it and serve it using its knowledge of the private keying material. Note: what HAS been tested is where the slave has no keying material, and serves the zone in 'pre-signed' mode. This is not what you are doing, but it should still work! Requesting the SOA record appears to work fine on both servers: dig +dnssec -t SOA cmeerw.priv.at @ns.cmeerw.net dig +dnssec -t SOA cmeerw.priv.at @ns2.cmeerw.net Looks good. But if I try to query for NS, I get some RRSIG records in the additional section, but only from ns.cmeerw.net: ;; ADDITIONAL SECTION: ns2.cmeerw.net. 28800 IN A 80.190.133.60 ns2.cmeerw.net. 28800 IN RRSIG A 8 3 28800 2011021000 2011012700 35080 cmeerw.priv.at. mKFWS0sPy8sFs4kWGgs0dvniiDAGzpgxPw/LgsCZ88r/k9Lc/+6pHK8k nkh9QzshTFkHKfIsM5NBr8ABRMPSligLc+t6Qb2B3P+Sfz3kVoW1baoS VTJAjkbMzTa5uD/HD6C0qX3KdMy4wxOq8YZAHislWkuNydCcM+/vGmBt fvo= ns.cmeerw.net.28800 IN A 84.200.12.152 ns.cmeerw.net.28800 IN RRSIG A 8 3 28800 2011021000 2011012700 35080 cmeerw.priv.at. kfoB3v8GYzdKJ6afJR81msJ2AKGNQ/7HIsS50ISphbWqUK5UrLDe5kno s1L8JoshcXxUyxcMl2s4SaJX3h+ImFsact8Xunl8fl+AwSJJrbHd4Dsb M1OhxfpTaEHzvBgX/nR0Xam52xBm5ruqOL26mRZjjhbUqlSI21IbP9O6 UEY= This is a bug, which will be fixed in the next commit. PowerDNS does not realize it should not be signing stuff added to a record from an insecure zone. not from ns2.cmeerw.net: ;; ADDITIONAL SECTION: ns.cmeerw.net.28800 IN A 84.200.12.152 ns2.cmeerw.net. 28800 IN A 80.190.133.60 Note that both servers are authoritative for cmeerw.net, but the zone is not signed. I bet ns.cmeerw.net has not been rectified on ns2.cmeerw.net. Even unsigned zones should be rectified! This should be automated in some way perhaps. And finally, if I try to query a non-existing record, the response seems reasonable from ns.cmeerw.net: ;; AUTHORITY SECTION: cmeerw.priv.at. 28800 IN SOA ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600 cmeerw.priv.at. 28800 IN NSEC3 1 0 1 AB SO== RRSIG No, this means that you have an NSEC3 configuration, but the 'order' field from the database has not been filled out. This is very weird since you tell me that ns.cmeerw.net runs with the BIND backend, which should do all that automatically. This smells like a separate bug. Can you confirm that ns.cmeerw.net has the cmeerw.priv.at zone in BIND, and can you show the output of 'pdnssec show-zone cmeerw.priv.at'? but very strange from ns2.cmeerw.net: ;; AUTHORITY SECTION: cmeerw.priv.at. 28800 IN SOA ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600 8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. 7200 IN NSEC3 1 0 1 AB RRSIG=== NSEC3 This looks about as strange. This might be a follow-up bug fom what you see on ns.cmeerw.at, let's focus on that first. Bert ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes
On Sat, 29 Jan 2011 15:42:56 +0100, Christof Meerwald wrote: [...] ns.cmeerw.net reads the zone data for cmeerw.priv.at from the bind backend and has the keying information in the db: Just noticed - does the order of the backends specified in launch= make a difference? Just noticed that I had it set to bind,gsqlite3 and now changed it to gsqlite3,bind. dig +dnssec -t a notthere.cmeerw.priv.at @ns.cmeerw.net and dig +dnssec -t a notthere.cmeerw.priv.at @ns2.cmeerw.net now seem to return the same results: ;; AUTHORITY SECTION: cmeerw.priv.at. 28800 IN SOA ns.cmeerw.net. domain.cmeerw.net. 2010080601 3600 900 1814400 3600 8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. 7200 IN NSEC3 1 0 1 AB CA95B8NMPKJGLRRAOO4CU4M9SP7M2MA9 NS SOA MX RRSIG DNSKEY NSEC3PARAM cmeerw.priv.at. 28800 IN RRSIG SOA 8 3 28800 2011021000 2011012700 9895 cmeerw.priv.at. b6IVcHFLnJvuL1T+OVXDDiuPOPbooVgpNHw8SI21cXoo2Q2v89+UQd7+ H/SVjFYPL5RLjyCIcGWIJOrx5Wssg8vqbVqvkaG/AGmyZqhu5S5dVo1b ipK32UrcYrsknkYmzYaHD3ew2ka9hwZYND5MK+g3FNAJxnj3fJEiHEvG Lzo= ca95b8nmpkjglrraoo4cu4m9sp7m2ma9.cmeerw.priv.at. 28800 IN NSEC3 1 0 1 AB 8B40PO8GOOOQDT13TAD1L7J5OHT0PUO3 SRV RRSIG 8b40po8goooqdt13tad1l7j5oht0puo3.cmeerw.priv.at. 7200 IN RRSIG NSEC3 8 4 7200 2011021000 2011012700 9895 cmeerw.priv.at. Z8DhNswJETLP2mTC4HZoAtA9etKlPN/1Xrbi0/u6VGbawX03tqfRbE5J 1qGNKMUfedUf9c7ZVAm8rjVjVhe3n4Tyh72gBFXGt2NNxJhTeXLhGMz1 tEeQVd1PXsSKiV2fT/u25UV6S5LF6OxGZKKcEors5zw2T7ZsH77i8t7o zGM= ca95b8nmpkjglrraoo4cu4m9sp7m2ma9.cmeerw.priv.at. 28800 IN RRSIG NSEC3 8 4 28800 2011021000 2011012700 9895 cmeerw.priv.at. Z6OMBKYDpRoiuz2lFpLAwBcVh8Fakwgs8r80zdgYM6hLnl+ChhClzDVB UjM2igouJwMOMOelqjD4OyDTX4Do536L8z/aMeFygDY8/o1Jbn4Uhgu9 DWqt3OftMXcFNkYqzXeQ5uvcirzz3WVOHYyAlQ1VcEGB4nfDkaZO1+io 2pg= Christof -- http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes
On Sat, 29 Jan 2011 16:01:47 +0100, Christof Meerwald wrote: On Sat, 29 Jan 2011 15:42:56 +0100, Christof Meerwald wrote: [...] ns.cmeerw.net reads the zone data for cmeerw.priv.at from the bind backend and has the keying information in the db: Just noticed - does the order of the backends specified in launch= make a difference? Just noticed that I had it set to bind,gsqlite3 and now changed it to gsqlite3,bind. So I guess with that change it's mostly working now, except that ns2.cmeerw.net doesn't return a RRSIG record when requesting the DNSKEY: dig +dnssec -t dnskey cmeerw.priv.at @ns2.cmeerw.net ;; ANSWER SECTION: cmeerw.priv.at. 3600IN DNSKEY 256 3 8 AwEAAbtQ1LDh1ZA0dfBC6SjR6lPr2rpSxZTBV3EQF7N70usXzSm1raLn NAtE38wDK2U9g1PzO5yrj3vm3/T1RJl/qnDd6F8TPFsSYyI5Noh1lnZ8 0rbAJWywmb5mpTA+MD2Tp/xcbeVdyT/ar0gLljJHXUlHt/ih0pbTXrHi QW30sdh5 cmeerw.priv.at. 3600IN DNSKEY 257 3 8 AwEAAait7iglyLwXL1SzhoKZOXgVLsseaq2jFyW/vnda80UWMeZm60QD guYb39Yp5vFD1zI+Fc7Zg+NikFPsYudbW750LOHFtuShO8s3/6p7uyO6 OpXsmG4bQSOOFoNuYr1b8rSYnEMFVZF/iKH/CSk7AazA7P9VBAgSmXcV Q/3rO4teelfiZYERf9NqUFadn5eGgEmpZFovBNtO2DzuiDBb3GCDp7XD zam6LUeVHQgus0JRN7sKnFK0wuAFhZ5rvd/CuJkVOY/3ev5v+gOtTGel kypum88MzMhLaDPREZqLghzObAv0cAzG57dZDsHnn5BhkPHNIzdJMGMM NqhyDGn0nq8= cmeerw.priv.at. 3600IN DNSKEY 256 3 8 AwEAAYW/g3QmZaLIscI58InAyrx88SpiV1XR/e2j2hcjhSUdeLpHLp+r RjDr82XZt/T2VgSOHhztXaqzknTl35xlkYJjGDVz/kodJndeGXQPii9D WWulJd5vNno5xBlo823vN860PBUK0aH00H3wwms9jLEqB3Ha0CFdQogY z9UJC71H but it's fine on ns.cmeerw.net: dig +dnssec -t dnskey cmeerw.priv.at @ns.cmeerw.net ;; ANSWER SECTION: cmeerw.priv.at. 3600IN DNSKEY 257 3 8 AwEAAait7iglyLwXL1SzhoKZOXgVLsseaq2jFyW/vnda80UWMeZm60QD guYb39Yp5vFD1zI+Fc7Zg+NikFPsYudbW750LOHFtuShO8s3/6p7uyO6 OpXsmG4bQSOOFoNuYr1b8rSYnEMFVZF/iKH/CSk7AazA7P9VBAgSmXcV Q/3rO4teelfiZYERf9NqUFadn5eGgEmpZFovBNtO2DzuiDBb3GCDp7XD zam6LUeVHQgus0JRN7sKnFK0wuAFhZ5rvd/CuJkVOY/3ev5v+gOtTGel kypum88MzMhLaDPREZqLghzObAv0cAzG57dZDsHnn5BhkPHNIzdJMGMM NqhyDGn0nq8= cmeerw.priv.at. 3600IN DNSKEY 256 3 8 AwEAAYW/g3QmZaLIscI58InAyrx88SpiV1XR/e2j2hcjhSUdeLpHLp+r RjDr82XZt/T2VgSOHhztXaqzknTl35xlkYJjGDVz/kodJndeGXQPii9D WWulJd5vNno5xBlo823vN860PBUK0aH00H3wwms9jLEqB3Ha0CFdQogY z9UJC71H cmeerw.priv.at. 3600IN RRSIG DNSKEY 8 3 3600 2011021000 2011012700 43519 cmeerw.priv.at. pr/Ru+FVPKVMMpkS0PuXuXxP1dgMCJacflsaTpFDKJAHixybIRX1LmAu SwdWEhtaQpTKHb4xGmtZhK7co1lk534uE8xJKAJybXTBn/ejpx8M/raY dpsp7jhJaH8Vy9Zi/qzWYdpGJlWEhsLOY0paTZHkG8uLEr6JJCbKrSCT 8kZYO3aHvWqRPyxmCBrfPkm0UNVzIDq/cNhwebFBNVVnsoo8wdBPscHj xv0A57iS55eurFtxXDMc89cdtAAedNvEtMXX6d98d3ThozBS2iNcMJDR X1m7zYs7bk+yDKy3Fwh6D2QJ+A00HjBYF13yWeIIheeZ0JzsiZCB9dvd dH5LJg== cmeerw.priv.at. 3600IN DNSKEY 256 3 8 AwEAAbtQ1LDh1ZA0dfBC6SjR6lPr2rpSxZTBV3EQF7N70usXzSm1raLn NAtE38wDK2U9g1PzO5yrj3vm3/T1RJl/qnDd6F8TPFsSYyI5Noh1lnZ8 0rbAJWywmb5mpTA+MD2Tp/xcbeVdyT/ar0gLljJHXUlHt/ih0pbTXrHi QW30sdh5 Christof -- http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes
On Sat, 29 Jan 2011 16:45:29 +0100, Christof Meerwald wrote: So I guess with that change it's mostly working now, except that ns2.cmeerw.net doesn't return a RRSIG record when requesting the DNSKEY: Hmm, seems to be working now... Not sure what could have changed... Christof -- http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
