
How to validate DNSSEC signed record with dig?


Nikolay Shaplov

Feb 5, 2012, 2:56:10 PM
to bind-...@lists.isc.org

Hi!

I am trying to validate DNSSEC signature on ns record using dig.

Domain nox.su is properly signed using DNSSEC. Proof link:
http://dnssec-debugger.verisignlabs.com/nox.su

I am trying to validate it as described here:

http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/

$ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
$ dig +topdown +sigchase nox.su

but it gives me ";; DSset is missing to continue validation: FAILED" error
while processing the whole hierarchy of zones.

$ cat /etc/resolv.conf
# Generated by NetworkManager
domain router
search router
nameserver 8.8.8.8
nameserver 78.46.213.227


dig is built with DIG_SIGCHASE option.

What am I doing wrong and how to do it right? :-)

Spain, Dr. Jeffry A.

Feb 5, 2012, 3:35:03 PM
to Nikolay Shaplov, bind-...@lists.isc.org
> I am trying to validate DNSSEC signature on ns record using dig.
> Domain nox.su is properly signed using DNSSEC.
> I am trying to validate it as described here:
> http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/
> $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
> $ dig +topdown +sigchase nox.su
> but it gives me ";; DSset is missing to continue validation: FAILED" error while processing the whole hierarchy of zones.

> $ cat /etc/resolv.conf
> # Generated by NetworkManager
> domain router
> search router
> nameserver 8.8.8.8
> nameserver 78.46.213.227

Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com) doesn't appear to offer DNSSEC validation, and 78.46.213.227 (rms.coozila.com) doesn't respond to my query at all.

A known-good publicly accessible DNSSEC-validating recursive resolver is available at bind.odvr.dns-oarc.net. If I run "dig @bind.odvr.dns-oarc.net nox.su +dnssec", I get an AD (authenticated data) flag returned for the A record with IPv4 address 50.16.193.159. This is a prima facie indication that DNSSEC is working for nox.su. The "+topdown" option isn't available to me (bind 9.9.0rc2 version of dig).

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

Marc Lampo

Feb 6, 2012, 7:16:00 AM
to Spain, Dr. Jeffry A., Nikolay Shaplov, bind-...@lists.isc.org
Hello,

To be precise:
bind.odvr.dns-oarc.net. validates
but seems to ignore expired (but otherwise valid) signatures.
unbound.odvr.dns-oarc.net. validates without ignoring expired signatures.

Kind regards,

Marc Lampo
Security Officer
EURid vzw/asbl

Tony Finch

Feb 6, 2012, 8:07:07 AM
to Spain, Dr. Jeffry A., bind-...@lists.isc.org
Spain, Dr. Jeffry A. <spa...@countryday.net> wrote:
>
> Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com)
> doesn't appear to offer DNSSEC validation, and 78.46.213.227
> (rms.coozila.com) doesn't respond to my query at all.

It's worse than that. Google Public DNS doesn't support DNSSEC at all, so
you cannot use it to query DNSSEC records. DNSSEC requires resolvers to
handle RRSIG and DS records in special ways even if they are not
validating the signatures.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
North Utsire, South Utsire: Cyclonic mainly southerly or southeasterly, 5 to
7, occasionally gale 8 in east at first. Rough. Rain or snow. Moderate or
poor.
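Jeff's AD-flag check and Tony's point about resolvers that do not pass RRSIG/DS records through can be turned into a quick triage of `dig +dnssec` output. This is an added example, not code from the thread; the three dig outputs are constructed to imitate dig's layout and are not captures from the resolvers named above.

```python
"""Classify a recursive resolver's DNSSEC behaviour from `dig +dnssec` output."""
import re

# Constructed sample: a validating resolver returns the RRSIG and sets AD.
VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
nox.su.\t3600\tIN\tA\t50.16.193.159
nox.su.\t3600\tIN\tRRSIG\tA 5 2 3600 20120301000000 20120201000000 12762 nox.su. SIGDATA==
"""
# Constructed: DNSSEC-aware but non-validating resolver (RRSIG present, no AD).
AWARE_ONLY = VALIDATING.replace("qr rd ra ad", "qr rd ra")
# Constructed: resolver that strips DNSSEC data entirely (Tony's case).
UNAWARE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
nox.su.\t3600\tIN\tA\t50.16.193.159
"""

def parse_dig(output):
    """Return (header flags, RRSIG count in the ANSWER section, rcode)."""
    flags, rrsigs, status, in_answer = set(), 0, None, False
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status: (\w+)", line).group(1)
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
        if line.startswith(";;"):                 # section header or comment
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        fields = line.split()                     # owner TTL class type rdata
        if in_answer and len(fields) >= 4 and fields[3] == "RRSIG":
            rrsigs += 1
    return flags, rrsigs, status

def classify(output):
    flags, rrsigs, status = parse_dig(output)
    if status == "SERVFAIL":
        return "servfail"           # from a validator this usually means validation failed; compare with +cd
    if "ad" in flags:
        return "validating"         # AD is only meaningful over a trusted path to the resolver
    if rrsigs:
        return "dnssec-aware"       # passes RRSIG/DS through but does not validate itself
    return "not-dnssec-aware"       # strips DNSSEC data; useless for sigchase or validation
```

Run it on the output of `dig @<resolver> nox.su +dnssec` to see which of Tony's three cases a given resolver falls into.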

William Thierry SAMEN

Feb 7, 2012, 11:40:59 AM
to Tony Finch, bind-...@lists.isc.org
Hi everybody,
Sorry for my post, I'm not ready to bring a light to the 1st problem but to find help.

I'm trying to sign a zone on Bind 9.8-P1 but I have this message:

dnssec-signzone: fatal: key myKSK.key not at origin

I just want help if someone has been confronted with this kind of message;
I'll be so happy to have a few ideas to debug my problem.

Thx.


2012/2/6 Tony Finch <d...@dotat.at>



--
Cordialement.
Thierry SAMEN.

Tony Finch

Feb 7, 2012, 11:46:39 AM
to William Thierry SAMEN, bind-...@lists.isc.org
William Thierry SAMEN <thierr...@gmail.com> wrote:
>
> I'm trying to sign a zone on Bind 9.8-P1 but I have this message:
>
> *dnssec-signzone: fatal: key myKSK.key not at origin*

It means the zone name in the key is not the same as the zone you are
signing.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Rockall, Malin, Hebrides, Bailey: Southerly 6 to gale 8, occasionally severe
gale 9 except in Malin, veering northwesterly 4 or 5 for a time except in
Malin and east Hebrides. Very rough, occasionally high except in Malin.
Occasional rain. Moderate or poor.

Spain, Dr. Jeffry A.

Feb 7, 2012, 11:48:05 AM
to William Thierry SAMEN, bind-...@lists.isc.org
> dnssec-signzone: fatal: key myKSK.key not at origin

What are the contents of myKSK.key?
The format is "mydomain.com. IN DNSKEY ..." where mydomain.com is the domain origin.

William Thierry SAMEN

Feb 8, 2012, 4:46:13 AM
to Spain, Dr. Jeffry A., bind-...@lists.isc.org
Hi, thanks for the quick answer,

but my problem is still not resolved; I checked all your solutions but nothing.

I'll show you my zone file which I wanted to sign and the command I used.

My zone file:
; This is a zone-signing key, keyid 12762, for ../etc/toto.com.
; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
../etc/toto.com. IN DNSKEY 256 3 5 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

Command line that I used to sign this zone:
./dnssec-signzone -p -t -g -k KSK.key -o toto.com ../etc/toto.com ZSK.key

Have you seen some mistake?

Thanks for your help.

2012/2/7 Spain, Dr. Jeffry A. <spa...@countryday.net>



--
Cordialement.
Thierry SAMEN.

Tony Finch

Feb 8, 2012, 7:27:44 AM
to William Thierry SAMEN, bind-...@lists.isc.org
William Thierry SAMEN <thierr...@gmail.com> wrote:
>
> My zone file:

Er this looks like a key file, not a zone file. The key has been generated
incorrectly: it has a file name where the zone name should be.

> ; This is a zone-signing key, keyid 12762, for *../etc/toto.com.*
> ; Created: 20120207101131 (Tue Feb 7 11:11:31 2012)
> ; Publish: 20120207101131 (Tue Feb 7 11:11:31 2012)
> ; Activate: 20120207101131 (Tue Feb 7 11:11:31 2012)
> *../etc/toto.com*. IN DNSKEY 256 3 5 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Viking, North Utsire: Southerly 5 to 7, occasionally gale 8 in Viking. Rough,
becoming very rough in Viking. Rain later. Good, becoming moderate later.

William Thierry SAMEN

Feb 8, 2012, 7:52:58 AM
to Tony Finch, bind-...@lists.isc.org
Absolutely Tony, that was a key file which has been generated by the dnssec-keygen command.

My zone file is so simple and it looks like that; I have checked it before with named-checkzone and all is good in my zone file.

I changed the option -o <absolute path of my domain> to the option -o <my domain> only, and now I have this error:
 
dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not at top of zone
dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at top of zone

At line 12 of my zone file I haven't seen any mistake.

Here is my zone file:

$ORIGIN .
$TTL 17200      ; 4 hours 46 minutes 40 seconds
toto.com.     IN SOA  ns10.boom.fr. postmaster.boom.com. (
                                2012020802 ; serial
                                216000     ; refresh (2 days 12 hours)
                                3600       ; retry (1 hour)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                172800     ; minimum (2 days)
                                )
                        NS      ns.boom.fr.
                        NS      ns2.boom.fr.
                        A       217.128.32.85
$ORIGIN toto.com.
*                       A       217.128.32.85

;DNSsec keys starts here

$include /exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+12762.key
$include /exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+60826.key

Thanks


2012/2/8 Tony Finch <d...@dotat.at>



--
Cordialement.
Thierry SAMEN.

Tony Finch

Feb 8, 2012, 8:07:19 AM
to William Thierry SAMEN, bind-...@lists.isc.org
William Thierry SAMEN <thierr...@gmail.com> wrote:
>
> dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not at top of zone
> dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at top of zone

This is because your zone uses an include directive to import the key
files, and keys were generated incorrectly: they have file names where the
zone name should be.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Bailey: Southerly or southwesterly 4 or 5, increasing 6 to gale 8 for a time
in north and west. Very rough or high. Showers. Good, occasionally poor.

Spain, Dr. Jeffry A.

Feb 8, 2012, 11:25:01 AM
to William Thierry SAMEN, bind-...@lists.isc.org
William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;' rather than explicitly signing the zone with dnssec-signzone. I believe I recall that you are using bind 9.8, so this should work for you as well. Here's something you can try:

In your bind configuration use the following zone stanza:
zone "toto.com" {
type master;
file "/var/lib/bind/toto.com/toto.com.db";
key-directory "/var/lib/bind/toto.com";
auto-dnssec maintain;
};

You will probably want to add some access control to this as well.

Now in the directory /var/lib/bind/toto.com (or the directory of your choice as long as it is specified in the configuration above), place all of your *.key and *.private files. Also place your unsigned zone file toto.com.db with contents as follows (Omit the DNSSEC info you currently have at the bottom):

$ORIGIN .
$TTL 17200      ; 4 hours 46 minutes 40 seconds
toto.com.     IN SOA  ns10.boom.fr. postmaster.boom.com. (
                                2012020802 ; serial
                                216000     ; refresh (2 days 12 hours)
                                3600       ; retry (1 hour)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                172800     ; minimum (2 days)
                                )
                        NS      ns.boom.fr.
                        NS      ns2.boom.fr.
                        A       217.128.32.85
$ORIGIN toto.com.
*                       A       217.128.32.85

If you are running bind under a UID other than root, make sure all the files are readable, and that the zone file is writable, by that UID. Restart the bind service, and bind will sign your zone using the keys you have provided as long as their metadata is timed appropriately, i.e. Publish and Activate dates are in the past, and Inactive and Delete dates in the future. To see the metadata, execute 'dnssec-settime -p all your_key_file_name.private'. If you need to change the timing metadata, use dnssec-settime again. See the ARM for details. Caution: dnssec-settime will 'chmod 600' your private key files.

I have been successful with this approach, and hope it works well for you also. Jeff.
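Tony's diagnosis (the DNSKEY owner name is a file path, not the zone name) and Jeff's timing rules for auto-dnssec maintain (Publish and Activate in the past, Inactive and Delete in the future) can both be checked from the .key file before named or dnssec-signzone ever sees it. This is an added example, not the thread's or BIND's own code; the sample file is the key file quoted earlier in the thread, with the key material truncated as it was in the post.

```python
"""Check a BIND .key file before dnssec-signzone or auto-dnssec maintain."""
import re
from datetime import datetime, timezone

# The key file as quoted in this thread (owner name is a path; key data truncated).
THREAD_KEY_FILE = """\
; This is a zone-signing key, keyid 12762, for ../etc/toto.com.
; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
../etc/toto.com. IN DNSKEY 256 3 5 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE
"""
# Constructed: the same key as dnssec-keygen would write it given the zone name.
GOOD_KEY_FILE = THREAD_KEY_FILE.replace("../etc/toto.com.", "toto.com.")
# Constructed reference time (the day after the key was created).
NOW = datetime(2012, 2, 8, 12, 0, tzinfo=timezone.utc)

def parse_key_file(text):
    """Return (owner name of the DNSKEY RR, {event: UTC datetime}) from a .key file."""
    owner, times = None, {}
    for line in text.splitlines():
        m = re.match(r";\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", line)
        if m:   # dnssec-keygen writes timing metadata as YYYYMMDDHHMMSS in UTC
            times[m.group(1)] = datetime.strptime(m.group(2), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        fields = line.split()                 # owner [TTL] IN DNSKEY flags proto alg key
        if "DNSKEY" in fields:
            owner = fields[0]
    return owner, times

def check_key(text, zone, now=NOW):
    """List the reasons this key cannot sign `zone` at time `now` (empty list = OK)."""
    owner, times = parse_key_file(text)
    want = zone.rstrip(".").lower() + "."     # canonical origin, e.g. "toto.com."
    problems = []
    if owner is None:
        problems.append("no DNSKEY record in file")
    elif owner.lower() != want:
        problems.append(f"owner {owner} is not the zone origin {want}")
        if "/" in owner:                      # the thread's case: a path was given to dnssec-keygen
            problems.append("owner looks like a file path; regenerate the key with the zone name")
    for event in ("Publish", "Activate"):     # must already have happened
        if event in times and times[event] > now:
            problems.append(f"{event} time is in the future")
    for event in ("Inactive", "Delete"):      # must not have happened yet
        if event in times and times[event] <= now:
            problems.append(f"{event} time has already passed")
    return problems
```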

William Thierry SAMEN

Feb 8, 2012, 11:31:30 AM
to Spain, Dr. Jeffry A., bind-...@lists.isc.org
Thank you very much for your help, I'm going to try it right now.

2012/2/8 Spain, Dr. Jeffry A. <spa...@countryday.net>



--
Cordialement.
Thierry SAMEN.