
Problem with DNSSEC signing zone


William Thierry SAMEN

Jul 20, 2012, 5:52:33 AM
to bind-...@lists.isc.org
Hi all Bind users,
I just have a problem with my zone signing output; I did all the steps to obtain a good result.
  1. Generated KSK and ZSK
  2. Added both keys at the end of my zone file
  3. Signed my zone with the dnssec-signzone command
  4. Enabled dnssec in named options
  5. Changed the name of my zone in named to namezone.signed
  6. Got the root DNSKEY RR set beforehand with the dig command and redirected the output to a root-dnskey file
  7. Turned the DNSKEY into a DS RR set also, with the dnssec-dsfromkey command.

All these steps have been done well, but when I do a dig to test the result, I can't see my answer section with RRSIG records or the AD flag.

Does someone know what I can do to solve this problem, please?

My zone name is willzik.co.uk, and when I tested my BIND with a signed domain like ripe.net, the result is good.

dig +dnssec ripe.net gave me a good answer

dig +dnssec willzik.co.uk returns an answer without RRSIG records or the AD flag

Thanks for your help


--
Regards.
Thierry SAMEN.

Carsten Strotmann

Jul 20, 2012, 6:28:44 AM
to William Thierry SAMEN, bind-...@lists.isc.org
Hello Thierry SAMEN,

On Fri, 20 Jul 2012, William Thierry SAMEN wrote:

> Hi all Bind users,
> i just have a problem with my zone signing output i made all the steps to obtain a good result.
> 1. Generated KSK and ZSK
> 2. Add both of keys at the end of my zone file
> 3. signing my zone with dnssec-signzone command
> 4. enable dnssec in named options
> 5. change the name of my zone in the named by namezone.signed
> 6. I got the root DNSKEY RR set before with dig command and redirect the outpout in root-dnskey file
> 7. I turned the DNSKEY into DS RR set also, with dnssec-dsfromkey command.
>

Did you send the DS RR to the operator of the parent zone, and did you
wait for the DS record to appear in the parent zone?

To see an AD flag, you need to send the query towards a caching DNSSEC
validating server that is _not_ the same server that is hosting the zone
(see <http://strotmann.de/roller/dnsworkshop/entry/dns_name_resolution_design_for>).

The chain of trust from the trust anchor of the caching validating DNS
server to the signatures in the zone must be complete, including the DS
record for your zone, which must be hosted in the parent zone (co.uk.).

Please also make sure that the serial number in the SOA record on the
authoritative server is the same number that you see in the signed zone
file. Do not forget to increment the SOA serial before or during the
signing process ( dnssec-signzone -N INCREMENT ... ).

I cannot test your domain from here, it seems the domain is not delegated
(I'm seeing an NXDOMAIN from co.uk.).

csmobile :: ~ $ drill -k root.key -SD willzik.co.uk
;; Number of trusted keys: 1
;; Chasing: willzik.co.uk. A


DNSSEC Trust tree:
willzik.co.uk. (A)
|---Existence is denied by:
|---G9F1KIIHM8M9VHJK7LRVETBQCEOGJIQP.co.uk. (NSEC3)
|---Existence is denied by:
|---QLR2IB6LOCI8AIL6L2NH50RQV809BNEG.co.uk. (NSEC3)
|---Existence is denied by:
|---22SDTUJH764RHEGKI5GU51QAU3T7947V.co.uk. (NSEC3)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

(the negative answer here is not DNSSEC validated, but that is another
issue).

Best regards

Carsten Strotmann

Spain, Dr. Jeffry A.

Jul 20, 2012, 8:25:23 AM
to William Thierry SAMEN, bind-...@lists.isc.org
> 1. Generated KSK and ZSK
> 2. Add both of keys at the end of my zone file
> 3. signing my zone with dnssec-signzone command
> 4. enable dnssec in named options
> 5. change the name of my zone in the named by namezone.signed
> 6. I got the root DNSKEY RR set before with dig command and redirect the outpout in root-dnskey file
> 7. I turned the DNSKEY into DS RR set also, with dnssec-dsfromkey command.

Also consider simplifying the process as follows:
1. Generate KSK and ZSK, setting timing metadata so that they are published and active. See dnssec-keygen and dnssec-settime.
2. Place the key files in a key directory on your server.
3. Add to your zone configuration: key directory "<path to key files>"; auto-dnssec maintain;
4. Generate DS records and provide them to your registrar.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

Casey Deccio

Jul 20, 2012, 10:05:05 AM
to William Thierry SAMEN, bind-...@lists.isc.org
On Fri, Jul 20, 2012 at 2:52 AM, William Thierry SAMEN <thierr...@gmail.com> wrote:
> i just have a problem with my zone signing output i made all the steps to obtain a good result.
> ...
> my zone name is willzik.co.uk

I'm getting an NXDOMAIN response from the co.uk servers, rather than a delegation referral:

$ dig @nsa.nic.uk willzik.co.uk | grep status
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63301

It appears that you don't have delegation (NS) records in co.uk for willzik.co.uk.

Casey

Spain, Dr. Jeffry A.

Jul 20, 2012, 10:23:58 AM
to William Thierry SAMEN, bind-...@lists.isc.org
> All these steps have been done well, but the last step:
> Generate DS records and provide them to your registrar.
> has not been smooth for me. I found how I can provide the key to the registrar; I used this command:
> dnssec-dsfromkey -2 Kwillzik.co.uk KSK.key  "Is it the good way to do it?"

That command will generate the DS record for you. The procedure for getting the DS record into the parent zone, co.uk in this case, depends on your DNS registrar. For example, I use GoDaddy.com, and on their domain management website, there is a "Manage DS records" page where you can paste in the key digest and certain other information. Not all registrars support DNSSEC DS record management, so you may have to transfer your domain to one who does. See http://www.icann.org/en/news/in-focus/dnssec/deployment for a list.

> Please tell me how can i bring down this matter and have my AD flag when i made my dig.
The key point to recognize, as stated previously in Carsten Strotmann's post, is that you have to query a DNSSEC-enabled recursive resolver to possibly get an AD flag returned. Your own authoritative name server will never return an AD flag. See https://www.dns-oarc.net/oarc/services/odvr for one that is available publicly. Also you can test your zone at http://dnsviz.net to see if there are any missing links in your chain of trust from the DNS root.

Best Regards, Jeff.
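To show what the `dnssec-dsfromkey -2` step above actually produces (step 7 of the original post, step 4 of Jeff's simplified procedure), here is an added example, not code from the thread or from BIND, that builds a DS record from a DNSKEY RR by hand: SHA-256 over the canonical wire-format owner name followed by the DNSKEY RDATA, plus the RFC 4034 key tag. The DNSKEY public key used at the bottom is a constructed placeholder, not a real key, so only the format of the output is meaningful.

```python
"""Derive a DS RR from a DNSKEY RR, as dnssec-dsfromkey -2 does (RFC 4034 s5.1.4 / app. B)."""
import base64
import hashlib
import struct

# DS digest type number -> hash; type 2 (SHA-256) is what the "-2" flag selects.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name: length-prefixed labels, root label last."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag (16-bit ones-complement-style sum over the RDATA)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   key_b64: str, digest_type: int = 2) -> str:
    """Return the DS RR in presentation format: '<owner> IN DS <tag> <alg> <dtype> <HEX>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    # Constructed placeholder key material (NOT a real RSA key); flags 257 = KSK (SEP bit set),
    # protocol 3, algorithm 8 = RSA/SHA-256. Only the KSK's DS goes to the registrar.
    fake_ksk_b64 = base64.b64encode(b"constructed placeholder, not a real key").decode()
    print(ds_from_dnskey("willzik.co.uk.", 257, 3, 8, fake_ksk_b64))
```

Compare the digest this prints for your real KSK with the one you paste into the registrar's DS form; a mismatch there, or a DS that never appears in co.uk, breaks the chain of trust and no validating resolver will set AD.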

Doug Barton

Jul 20, 2012, 11:06:41 PM
to Casey Deccio, bind-...@lists.isc.org
On 07/20/2012 07:05, Casey Deccio wrote:
> On Fri, Jul 20, 2012 at 2:52 AM, William Thierry SAMEN
> <thierr...@gmail.com> wrote:
>
> i just have a problem with my zone signing output i made all the
> steps to obtain a good result.
>
> ...
>
> my zone name is willzik.co.uk
>
> I'm getting an NXDOMAIN response from the co.uk servers,
> rather than a delegation referral:

That domain isn't registered.

--
If you're never wrong, you're not trying hard enough

