On Wed, May 20, 2015 at 12:26:50PM +0200, Leen Besselink wrote:
> On Wed, May 20, 2015 at 12:16:02PM +0200, Peter Thomassen wrote:
> > Dear experts,
> >
> > I'm sorry to bug you again, but I am still stuck with deploying DNSSEC
> > for desec.io, and I'd like to ask for your help once more.
> >
> > I have a hidden primary which does the signing in live mode (MySQL
> > backend), and two public nameservers ns1.desec.io and ns2.desec.io which
> > receive the zones via AXFR (bind backend). All are using PowerDNS 3.3
> > from Ubuntu 14.04.
> >
> > After communicating my DS records to the .io registry, the DNSSEC
> > debugger http://dnssec-debugger.verisignlabs.com/desec.io tells me that
> > everything is fine, except that desec.io does not have RRSIG records,
> > and my resolver says SERVFAIL.
> >
> > Screenshot: https://www.a4a.de/_temp/DNSSEC.png
> > (I removed the DS records again from the .io zone.)
> >
> > However,
> >   dig RRSIG desec.io @ns1.desec.io
> >   dig RRSIG desec.io @ns2.desec.io
> >
> > gives the RRSIG records. Why does the debugger not find them?
> >
>
> Hi,
>
> Wouldn't consider myself an expert, but RRSIG isn't normally something you
> query for; these are the signatures which get added to a DNSSEC-signed
> response.
>
> Judging by the image it looks like the DNSSEC debugger does 3 queries:
>
>   dig @ns1.desec.io +dnssec +norec desec.io DS      # that worked and did include the RRSIG records
>
>   # these failed:
>   dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
>   dig @ns1.desec.io +dnssec +norec desec.io A
>
> Here is a working example with an RRSIG for the DNSKEY query:
>
> $ dig +dnssec +norec @194.171.17.10 nl. DNSKEY
>
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec +norec @194.171.17.10 nl. DNSKEY
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9281
> ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nl.				IN	DNSKEY
>
> ;; ANSWER SECTION:
> nl.			7200	IN	DNSKEY	256 3 8
> 				AwEAActQKGjyxDvKZrmtecDqXu5i7hDRnkBH71kukkBWMqi7GlRVnwng
> 				tXGLg41p8cBP+HsLLDxr125ukadG0peYLfjx5gBj0CE6VMguwqRtn7MP
> 				MIym5outGSRm2uTcO7mxp1ZykusE1GnavVFDUhgoipGaXQ/q0w3Lpyij NE9GZmyH
> nl.			7200	IN	DNSKEY	257 3 8
> 				AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TN
> 				bmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX
> 				qyGe2Mm+ZNRsomBxhluR/ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyh
> 				hpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4
> 				FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0
> 				yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAx qcfEfARr4b0=
> nl.			7200	IN	RRSIG	DNSKEY 8 1 7200 20150526002957 20150511201503 21362 nl.
> 				lXOt9uoPC+0NdnY2GiPVvCSwK2XeJVfMu1r8d84k47Au2sYc3rExtCGQ
> 				JT7Smx6heHQ8kWPPLJ58FTd0oht5yG/0E6Voe2qNh5xKp8htoseTEysv
> 				hejOXEevpWkxfkc3JFu7qHzYqNYAEIwKNXIWMhxmVarhwACKkKIelZXy
> 				6o/hD2JspOHCzZO6uK5X1pRQyBFnRt2PgZ6oMWCi4h7/mMNQRAAqcR1V
> 				hFmBnYEPQuk3Twiq6geHdP3aq0FxvHnUqHXczVPz2BAf6bV4sl2XRjxP
> 				EEtmSRRAkkT8YTNOlKytU8V5bnjAMqeh3nkIHvugdJzDwrkODhrIsLKo 3ywe/A==
>
> ;; Query time: 7 msec
> ;; SERVER: 194.171.17.10#53(194.171.17.10)
> ;; WHEN: Wed May 20 12:25:14 2015
> ;; MSG SIZE  rcvd: 745
>
> Hope that helps.
>

As I mentioned, I'm no expert, so I forgot to add: the DS is signed by the
parent, so that is why the DS query did work.

As we can see, there is no RRSIG record on your domain; my guess would be
that the transferred domain isn't properly signed before it's transferred:

$ dig +dnssec +norec @ns1.desec.io desec.io DNSKEY

; <<>> DiG 9.8.1-P1 <<>> +dnssec +norec @ns1.desec.io desec.io DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41947
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;desec.io.			IN	DNSKEY

;; ANSWER SECTION:
desec.io.		3600	IN	DNSKEY	257 3 8
				AwEAAcw5QLr0IjC0wKbGoBPQv4qmeqHy9mvL5qGQTuaG5TSrNqEAR6b/
				qvxDx6my4JmEmjUPA1JeEI9YfTUieMr2UZflu7aIbZFLw0vqiYrywCGr
				CHXLalOrEOmrvAxLvq4vHtuTlH7JIszzYBSes8g1vle6KG7xXiP3U5Ll
				96Qiu6bZ31rlMQSPB20xbqJJh6psNSrQs41QvdcXAej+K2Hl1Wd8kPri
				ec4AgiBEh8sk5Pp8W9ROLQ7PcbqqttFaW2m7N/Wy4qcFU13roWKDEAst
				bxH5CHPoBfZSbIwK4KM6BK/uDHpSPIbiOvOCW+lvu9TAiZPc0oysY6as lO7jXv16Gws=
desec.io.		3600	IN	DNSKEY	256 3 8
				AwEAAday3UX323uVzQqtOMQ7EHQYfD5Ofv4akjQGN2zY5AgB/2jmdR/+
				1PvXFqzKCAGJv4wjABEBNWLLFm7ew1hHMDZEKVL17aml0EBKI6Dsz6Mx
				t6n7ScvLtHaFRKaxT4i2JxiuVhKdQR9XGMiWAPQKrRM5SLG0P+2F+TLK l3D0L/cD

;; Query time: 85 msec
;; SERVER: 54.88.76.245#53(54.88.76.245)
;; WHEN: Wed May 20 12:30:26 2015
;; MSG SIZE  rcvd: 461

I would try the same query on the hidden master first.

> > Thanks a lot for your help,
> > Peter
> >
> > --
> > OpenPGP Key: 0x3EF22D2F
> >
>
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
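The comparison Leen suggests (the same query against the hidden master and against each public server), written out as an added POSIX shell example that is not part of the thread: it repeats the debugger's DNSKEY and A queries with +dnssec +norec against every nameserver given on the command line and reports whether the ANSWER section carries an RRSIG covering the queried type. The script name and the hidden master's address are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): for each nameserver, repeat the debugger's
# DNSKEY and A queries and report whether the ANSWER section is signed.

# rrsig_covers TYPE: read `dig +dnssec` output on stdin, print "signed" or
# "unsigned", and return 0 only if an RRSIG covering TYPE is in the ANSWER section.
rrsig_covers() {
    awk -v t="$1" '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        # dig prints a signature as: <owner> <ttl> IN RRSIG <covered type> ...
        # base64 continuation lines are indented and have too few fields to match
        in_answer && $3 == "IN" && $4 == "RRSIG" && $5 == t { found = 1 }
        END { print (found ? "signed" : "unsigned"); exit (found ? 0 : 1) }
    '
}

# check_ns SERVER ZONE: one line per query type, e.g. "ns1.desec.io DNSKEY unsigned".
# +norec mirrors the debugger: ask the authoritative server directly, no recursion.
check_ns() {
    server="$1"; zone="$2"
    for qtype in DNSKEY A; do
        status=$(dig +dnssec +norec "@$server" "$zone" "$qtype" | rrsig_covers "$qtype") || true
        printf '%-24s %-7s %s\n' "$server" "$qtype" "$status"
    done
}

# Usage: sh check_rrsig.sh ZONE HIDDEN_MASTER_ADDR ns1.example ns2.example
# A secondary reporting "unsigned" where the hidden master reports "signed" means
# the signatures are not making it across the AXFR. Without arguments the script
# only defines the functions (so it can be sourced or tested offline).
if [ $# -ge 2 ]; then
    zone="$1"; shift
    for ns in "$@"; do
        check_ns "$ns" "$zone"
    done
fi
```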
