>>>>> "bh" == bert hubert <[email protected]> writes:

bh> Maybe something else is going on. Can you show 'pdnssec show-zone
bh> jhcloos.us'?

It only shows public keying material. I enabled narrow since I posted
and added per-zone salts:

:; pdnssec_static show-zone jhcloos.us
Zone has NARROW hashed NSEC3 semantics, configuration: 1 1 1 cbc52e2d3584bdbe
Zone is not presigned
keys:
ID = 42 (KSK), tag = 23900, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = jhcloos.us IN DNSKEY 257 3 8 AwEAAdDnaycbNggeRGm1GhMhIiP33JGfvp38qlt1KZlnTMeW/4CaVMTCpIG8F2di+G2/HS/n3OBOWh2JWpCMFwkW3KSfOV4b0ZViRqPGdiha/JTXWKY45/CNZISX+oDm22pVY2Gi6K7bvQl0vOk6NHljV5ZochKBg4i27egAHxksqZe2PHr1I2pXqFFua+dCPgStpyQmtg95utYlJKyQDY5GQ1j7P8R8kSYFMl85ej4/kwW0/PNieeZL/H5o2KfI0euoGXgMDn0fiBSlEPM6H8JTuc4JWIoGOmd7hhPupMlcQLIBGFy7R1pQbuRPk4WpKTwkOEIIpHVqAtvuRkk/SK25n0U=
DS = jhcloos.us IN DS 23900 8 1 a00d0b5c2d72b86fc636289ce0ac9f1ef4e3830d
DS = jhcloos.us IN DS 23900 8 2 4713604b388fd3310c1cc7e01f43e0a8dc56f7b2d69de77ed5a72a5d627bf517
DS = jhcloos.us IN DS 23900 8 3 7ee1b473358e3b1fcc25159cfe7bae288c5689def5e8ddb2a9942e34b51b55c7

ID = 34 (ZSK), tag = 47145, algo = 8, bits = 1024 Active: 1

bh> If you use the 'dig' command line suggested by the wiki, which verifies
bh> using the plain DNSKEY and not the DS, does that work?

:; dig +dnssec +sigchase +trusted-key=./trusted-keys -t MX jhcloos.us @localhost
;; RRset to chase:
jhcloos.us. 86400 IN MX 10 pao.uu.jhcloos.net.

;; RRSIG of the RRset to chase:
jhcloos.us. 86400 IN RRSIG MX 8 2 86400 20110504235936 20110420235936 47145 jhcloos.us. MqBfg8QM0rGVVMrICOu+YgKaIPSM+XXsdXdPGA978dBJgtNeXNgGF6nB GN2SA693ea8lfV6aqalU2jacqCT8oB70tixPNrFKR3yEC9mzc5VU1CoY TjLHbrV/XWkEVH49GzPni6wEvniglTljDhC48Voj1lSlTvPYGtNnWpIs fgY=

Launch a query to find a RRset of type DNSKEY for zone: jhcloos.us.

;; DNSKEYset that signs the RRset to chase:
jhcloos.us. 3600 IN DNSKEY 256 3 8 AwEAAcg4OMrNzwLJLmaz/Xw2mYWZ2Po5+Fm0w+xi+0TEkaTWtnFhwTlT 6eSK4hEDKsn1xBXb/aCfNPb2bRd+scovwGbasnI3rJhpMVa+rV6XSAQP j575C9/P51XZDOxGzXyx5bIghZMUigmEQkehcWwGPqEHUi/w0xxcFUam r8FUwxDL
jhcloos.us. 3600 IN DNSKEY 257 3 8 AwEAAdDnaycbNggeRGm1GhMhIiP33JGfvp38qlt1KZlnTMeW/4CaVMTC pIG8F2di+G2/HS/n3OBOWh2JWpCMFwkW3KSfOV4b0ZViRqPGdiha/JTX WKY45/CNZISX+oDm22pVY2Gi6K7bvQl0vOk6NHljV5ZochKBg4i27egA HxksqZe2PHr1I2pXqFFua+dCPgStpyQmtg95utYlJKyQDY5GQ1j7P8R8 kSYFMl85ej4/kwW0/PNieeZL/H5o2KfI0euoGXgMDn0fiBSlEPM6H8JT uc4JWIoGOmd7hhPupMlcQLIBGFy7R1pQbuRPk4WpKTwkOEIIpHVqAtvu Rkk/SK25n0U=

;; RRSIG of the DNSKEYset that signs the RRset to chase:
jhcloos.us. 3600 IN RRSIG DNSKEY 8 2 3600 20110504235936 20110420235936 23900 jhcloos.us. VUx4UfIP4R6f44HLXXPBxDCnlSVyUbWgiuuMC/C1m1rLuuv1MbVMewEN 3PTew95U38LWn+eI3uZkZe0pgfHlRCV7UUE4+tOYP+gNuCzqnqVGFExs fWEMjHIOv2A7tJqjnm05BwV0uiyNh4uwltrDFpcOwF7T4XsVJXxqV9Oz 5qllWnM+ppcuzAJFL4XR4kab8dlhHcsh/kB3fzVovEqPAJZDmQg5cgIO nfGy/UdbRbmB5fAdDMVukEBjb0u9ktJsO6bfSirV6+n6PcdEk+MQG+3i SKRU+p2pKOolGWqeaeTzT1T1/+EZ497wIEEOab2TxoPmlWVfA4FHSpfD ID1Fsw==

Launch a query to find a RRset of type DS for zone: jhcloos.us.
;; NO ANSWERS: no more

;; WARNING There is no DS for the zone: jhcloos.us.

;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING MX RRset for jhcloos.us. with DNSKEY:47145: RRSIG failed to verify
;; No DNSKEY is valid to check the RRSIG of the RRset: FAILED

So that fails, too. I tried a number of such dig calls; all failed the
same way.

-JimC
--
James Cloos <[email protected]> OpenPGP: 1024D/ED7DAEA6
_______________________________________________
Pdns-dev mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-dev
