Please ignore the * in the copy pasted records. It seems the list converts color text to be *TEXT* hehe
On 31 March 2017 at 00:11, J T <jt4websi...@gmail.com> wrote: > Hi Mark, > > Thank you for responding. What do you mean by zone apex? > > If we assume one of the domains that fails to be seen as signed is " > example.co.uk" then would the apex be the domain name with no prefixes ? > > I've changed the domain name but this is part of what I have in my signed > zone file for one of the zones that fails to be recognised as signed ( > after the signing process). > > example.co.uk. IN RRSIG *NSEC*3PARAM 7 3 0 20170429213251 20170330213251 > 39233 example.co.uk. T1VK1lrlk+4++3Nr7WlS3CeJISCPofUuo799 > S8wKrLG5UngbzRty1DQ2q6uPkiIVoqtuZJdd IklQIZxrCXt1NGSq8yQ4sNodVHMH90dvYQtY > UkViTVIqX15bcY/rLIwOXjrkfz6BB9oavzPZ cuycGR0zd76sgslFJNAZt8hv7XhXxnP94Ke7 > VkxCsdpIT98WMrk6eBEtL76VTm855O2X/lw2 yQdLerE578rZSmOc4K6NKxqeAwVN9ktB9DnK > ugTJmZVIeF/IPcJzeOpNUHA8QkS/dbNqZ5Po 6CIpTzHospp6xHyBJ8V8GK5PSNLtiPaIHIkE > 0C1LgiBLv7e4Hiejq2ZOrIiJAtMILiT95YcT n5LJaQkSsbNlS96nSmyE49iUMM4lWwOji3HG > +oLdGdRSwO+1ySyN4XyY2yIfAF+8oKsjHLyJ zeMhRqHI3kE0+zbtsw7sjQveNzpCxW7reIa+ > XlDjX1SkYXucG/f7BPxYSBCf4Qf0wZgGFC9h oSPZFNsIpDYJnG3kiwPdXr5dDwKJyhX2iBQT > jb9omapnn6YBSN0xNnFwBZ5UqBNAkuOH4jQA CXSQW390CoKPt/gCQfdMkEEFd7dgsLeBQI36 > ABsH1DQtxFqCjCdGK5gFmeKNGvzJPnNlT+++ Xy8VoMXX7xlM4qkSDwRjee8hT3s9ObLxWKI= > > and > > example.co.uk. IN DNSKEY 257 3 7 AwEAAbZFkjq1Q+ > 7Z67VNF3DkvwZTFFK+sgM+2H+xFqkpyeHQoLmsSAWj BoulxcEIVenvY/ > X8fFvHk4yemA0z9DWpVEL9//zGtIVInJqRzzVlx7QQ RWDuYqya+ > U6YpzYkYX0DspOyzFFswtMclF0ktmFB7XOSEmy70OfJL4Oy p4GI5wT8M26bQmDQ6w+ > UcHUO7M8ciF6qJ5JP68O34BlmUq7gGm1DlqVK > o1puldx22djX8GqvqhJjPaV5OHOXn4C5axR0IXiz9C39t1mjAkfxlHJW > kshl+ENmdyyI6hw1vOqLHRmGlDQnL2wdvwerYGfLUAAEYx7+n9v+Ubec > J83SBt90g5OGyT0JH2BTe5IaQeU8+OwQ97P0dRc3yIbGI9e0RSQuE1Zy > 0YUHsIiHpTXrr16vBV97FPLzKGxV0i7AM15JoSCauUyr0DNA391pxVDd > HOeyqpxxV69jNWKcdPV7KJFBSEGI3Uthp8uzNRepdJolg0qxNZy8n5tx > 4sWIGAF2pqLFPZDLPa6yrFazq85JwhYmeqtiR1YXdsxHnR+My714mApl > TiUD4EPP2ylbXeKvsOEWU0NwoAXf92uaSj9C8hH/JIboPDSk1/Y6uv5l > YufyA6f3UFbZPAeqlp2OifE9t0nCqfi43Od70qyvPULqo7S7gtpq6nWA fqSDCTGxBwOVthD9 > > example.co.uk. IN DNSKEY 256 3 7 > AwEAAcqXsmOpeTwLI6ikMgz8JZWddUaKjcX+BpCtbkB9pmngl2JugzoQ > iW+NGcYgLjKkpPHxsHDPBBbfrFTy0l+htYyi6tudAjlNOju+tvMDB4VC 86aC100XcSF/ > h1eSqPxPZz4CjdeBI8x/ahbh7bKHILnokb2mK9CLpZ2w > j4UbCkXu8Of3WWamU3uAEnQ6Lm1xZ8HHxf86S5ev0e+bSm+JTkJVdk12 > 8iIBu6t9lWpYeSemtxHfLhK0Pm1evnHFpr17Sk9/yt5gUZkTd0d9nazT > GsUNjbgdyr943K05wAs5EEgqEIp5eI9zcJ1QeeXBG+co5grBa6Leq3Pm > zcqxwtzuB2VDRKr9P34tT5n5OY2jg+B98ERd3TiLJTF+wd5Pa5n+lVXt nkAODvfYv+ > xlEgUqfnIxEfNc7aQKXwWaLBW1Hx25aobsXJ+vrdhE+sqd Jbzjr8p+EG8ZS8gJ9c4B+ > snMOYwns7hVAATX/3K3XwJUcdGQoynm20iV > acDErzZRzHqW+XNtU5EnBjpdzK+Lz0wH63yXRIOd09ap6XACkRH1ApNo > syOFdEVwEgTJEPvavu6FH6YR6iHmVR+YqblSBOCP5jfdIVmHm+MfihJs 3whGNAo9XPFEYg+ > M6vJ8e04zMD17mWL4w/lilhLy1CbuzU2Bw1yniFRI P9mvO7K0z/mrPxWn > > I compared it with the one of the zones that is recognised as signed and I > see the following there: > > workingexample.email. 38400 *IN NSEC* _dmarc.workingexample.email. A NS > SOA MX TXT AAAA SSHFP RRSIG NSEC DNSKEY SPF > > workingexample.email. *IN DNSKEY* 257 3 8 AwEAAeLetJzQo74Zi/ > qXJjF4JoF37qu0rXTWQzn7yUC058w76SrPVV4a hZIPI9oBNcWn5yeP6qR/ > bIkBM1OKfP0qGgLRyLAZPdsB36q1BnEfLrbi trZmlGY8+AnUxjpPbEscT/ > g47UJiN9exBs0wAPdwwTRypYwBOVzP7cRP > TiPf0QlMslMrgd9lpFhFQblj97sZiVTZCyJM2FhKo3bdwDpde6fkJV0I > Ilrj3X47hJMFwW3UbA+H8UE/8jWrhrmSPi5b/uxbMY9qkOeaFm/LexC6 > tr89pCesYrnIqceQTsvJl7+HOB1WNzW4vkC0idzo1kq65Woo8FOvzM7x HukCPrlyWvc= > > workingexample.email. *IN DNSKEY* 256 3 8 > AwEAAbCKGjHIFvhlPpVeReXSDymlwlyeHwejRF0vBp7GTdFv2qCRI1Wc > 9GDhVuUWmBv9gxynqQgf4K460RMia1ElZjOFQUZwB4i/OgvfAedEdjov r+ > G7fHt45FShmR5WLuPOP1EGvJAki18rJgZL99PY4bAqq+s7Ut/SCmAs > gKsy1WkL0cfEyl4qWPDv5YRbM4NBCZUZfO7nzmjuvIY+rlGEC00= > > So, it would appear that no 'IN NSEC' or 'IN NSEC3PARAM' is being added > when the 'example.co.uk' is signed. > > As far as I can tell no error was reported during the signing process for > example.co.uk - do you have any suggestions as to what might stop the > signing tool from adding the 'IN NSEC' or 'IN NSEC3PARAM' records ? > > Jay > > On 30 March 2017 at 23:02, Mark Andrews <ma...@isc.org> wrote: > >> >> In message <CAB=ej3rXb-+UkwyT8RoURszF70Gi76ksj7Uk6uuvqF5pUG3Dwg@mail. >> gmail.com>, J T writ >> es: >> > Hi, >> > >> > I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .co.uk ). >> > >> > I used Webmin to do the heavy lifting of signing/resigning etc. >> > >> > Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on >> > restart/zone application and that fact is reported in the system logs. >> > >> > I’m trying to work out why 3 are failing to be recognised as Signed. >> > >> > No errors are reported as part of the signing process. The zonefiles >> > appear to have loads of DNSSEC related resource records. >> > >> > e.g. >> > >> > - RRSIG (digital signature) >> > - DNSKEY (public key) >> > - DS (parent-child) >> > - NSEC (proof of nonexistence) >> > - NSEC3 (proof of nonexistence) >> > - NSEC3PARAM (proof of nonexistence) >> > >> > and the parent registrar has had DS records added. >> > >> > As bind is not flagging the zone as signed its not returning RRSIGs in >> the >> > Answer section of a query ( although they are provided in the Additional >> > section ). >> > >> > I’m not really sure what the criteria is for bind to decide a zone is >> > signed. >> >> For a zone to be treated as secure (signed) there needs to be a >> NSEC record at the zone apex or a NSEC3PARAM record at the zone >> apex. There also needs to be a DNSKEY RRset containing a zone key. >> >> While named is in the process of signing a zone initially these >> conditions are not met. The last stage of initial signing is to >> add the NSEC record to the apex or to add the NSEC3PARAM record. >> >> The first stage of going insecure is to remove the NSEC/NSEC3PARAM >> record at the zone apex. >> >> > The same process is being used to sign/resign the 5 zones but only 2 are >> > flagged as signed. >> > >> > Any tips on how to debug this would be appreciated. >> > >> > Thanks, >> > >> > Jay >> >> -- >> Mark Andrews, ISC >> 1 Seymour St., Dundas Valley, NSW 2117, Australia >> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org >> > >
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users