DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481
I'm DNSSEC enabling the .ip6.arpa zone for my IPv6 allocation and registering it with dlv.isc.org. Using bind-9.7.0-p2 dnssec tools.

Everything seems to be working well, but when I test using the Sandia Labs dnsviz.net tool I get inconsistent results.

My mail, etc. server on 2001:8b0:151:1:e2cb:4eff:fe26:6481 appears as 'bogus'

http://dnsviz.net/d/1.8.4.6.6.2.e.f.f.f.e.4.b.c.2.e.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/

Yet my personal laptop on 2001:8b0:151:1:fa1e:dfff:feda:c0bb is all good:

http://dnsviz.net/d/b.b.0.c.a.d.e.f.f.f.f.d.e.1.a.f.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/

What am I doing wrong?

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481
On Jun 2 2010, Matthew Seaman wrote:

> I'm DNSSEC enabling the .ip6.arpa zone for my IPv6 allocation and registering it with dlv.isc.org. Using bind-9.7.0-p2 dnssec tools.
>
> Everything seems to be working well, but when I test using the Sandia Labs dnsviz.net tool I get inconsistent results.
>
> My mail, etc. server on 2001:8b0:151:1:e2cb:4eff:fe26:6481 appears as 'bogus'
>
> http://dnsviz.net/d/1.8.4.6.6.2.e.f.f.f.e.4.b.c.2.e.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/
>
> Yet my personal laptop on 2001:8b0:151:1:fa1e:dfff:feda:c0bb is all good:
>
> http://dnsviz.net/d/b.b.0.c.a.d.e.f.f.f.f.d.e.1.a.f.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/
>
> What am I doing wrong?

Nothing that I can see. Maybe dnsviz can't cope with multiple PTR records in an RRset, as your first case has? (On the other hand it handles multiple A records in forward zones OK.)

--
Chris Thompson
Email: c...@cam.ac.uk

Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481
On Wed, Jun 2, 2010 at 8:40 AM, Paul Vixie vi...@isc.org wrote:

> Chris Thompson c...@cam.ac.uk writes:
>
> > Nothing that I can see. Maybe dnsviz can't cope with multiple PTR records in an RRset, as your first case has? (On the other hand it handles multiple A records in forward zones OK.)
>
> to be fair, multiple PTR RRs is something we added in BIND gethostbyaddr() in more or less direct contravention to RFC 1034. if dnsviz doesn't handle it (and i don't know if it doesn't) then it's not dnsviz's fault at all since the DNS RFC's say that there will only be one PTR RR at an in-addr.

Not to take this off topic, but RFC 2181 (sec 10.2) clarifies that a PTR RRset *may* have multiple RRs, but each must point to a canonical name, as opposed to an alias.

That being said, DNSViz is intended to consider multiple RRs in the PTR RRset, but I'm still trying to track down the issue that is causing it to report a bogus signature. I'll report back when I have an answer.

Regards,
Casey

Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481
On Wed, Jun 2, 2010 at 7:44 AM, Chris Thompson c...@cam.ac.uk wrote:

> On Jun 2 2010, Matthew Seaman wrote:
>
> > I'm DNSSEC enabling the .ip6.arpa zone for my IPv6 allocation and registering it with dlv.isc.org. Using bind-9.7.0-p2 dnssec tools.
> >
> > Everything seems to be working well, but when I test using the Sandia Labs dnsviz.net tool I get inconsistent results.
> >
> > My mail, etc. server on 2001:8b0:151:1:e2cb:4eff:fe26:6481 appears as 'bogus'
> >
> > http://dnsviz.net/d/1.8.4.6.6.2.e.f.f.f.e.4.b.c.2.e.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/
> >
> > Yet my personal laptop on 2001:8b0:151:1:fa1e:dfff:feda:c0bb is all good:
> >
> > http://dnsviz.net/d/b.b.0.c.a.d.e.f.f.f.f.d.e.1.a.f.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/
> >
> > What am I doing wrong?
>
> Nothing that I can see. Maybe dnsviz can't cope with multiple PTR records in an RRset, as your first case has? (On the other hand it handles multiple A records in forward zones OK.)

This has been fixed. The problem had to do with establishing a canonical ordering of RRs within an RRset for the purposes of verifying an RRSIG. dnspython's default comparison operators don't follow canonical ordering from RFC 4034, so I had to make some provisions to order properly. This didn't affect A RRsets with multiple RRs because the order of A-type rdata was the same using both orderings.

Thanks for bringing this to my attention.

Regards,
Casey

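The ordering problem described in the message above, as an added example that is not part of the original thread and is not DNSViz or dnspython code: a validator must order the RRs of a PTR RRset by their canonical RDATA octets (RFC 4034 section 6.3) before checking the RRSIG, and any other ordering produces different signed data. The owner name (from the 2001:db8::/32 documentation prefix), the example.org targets, the TTL and the name-order comparator used as the "wrong" ordering are all constructed for illustration, and the digest covers only the RR(i) portion of the signed data.

```python
import hashlib
import ipaddress
import struct

def name_to_wire(name):
    """Canonical wire form of a name: lowercase, uncompressed (RFC 4034 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rdata_order(targets):
    """RFC 4034 6.3: order RRs by canonical RDATA compared as octet strings."""
    return sorted(targets, key=name_to_wire)

def name_order(targets):
    """RFC 4034 6.1 name ordering (rightmost label first). Correct for owner
    names in an NSEC chain, wrong for ordering PTR RDATA inside an RRset."""
    def key(n):
        return [l.encode("ascii") for l in reversed(n.lower().rstrip(".").split("."))]
    return sorted(targets, key=key)

def rrset_digest(owner, ttl, targets):
    """SHA-256 over RR(1)|RR(2)|... (RFC 4034 3.1.8.1) in the order given."""
    h = hashlib.sha256()
    for t in targets:
        rdata = name_to_wire(t)
        # owner | TYPE=PTR(12) | CLASS=IN(1) | original TTL | RDLENGTH | RDATA
        h.update(name_to_wire(owner))
        h.update(struct.pack("!HHIH", 12, 1, ttl, len(rdata)))
        h.update(rdata)
    return h.hexdigest()

# Constructed sample data: documentation prefix and example.org names.
OWNER = ipaddress.ip_address("2001:db8::1").reverse_pointer + "."
PTRS = ["smtp.example.org.", "www.example.org."]

if __name__ == "__main__":
    signer = rrset_digest(OWNER, 3600, rdata_order(PTRS))
    for label, order in (("RDATA order", rdata_order(PTRS)),
                         ("name order", name_order(PTRS))):
        digest = rrset_digest(OWNER, 3600, order)
        verdict = "matches signer" if digest == signer else "bogus"
        print(f"{label:12} {order} -> {verdict}")
```

The two orderings diverge here because the wire form of a name begins with the length octet of its leftmost label, so `www` (length 3) sorts before `smtp` (length 4) even though `smtp` sorts first when compared as a name.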
Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481
On 02/06/2010 18:49:44, Casey Deccio wrote:

> This has been fixed. The problem had to do with establishing a canonical ordering of RRs within an RRset for the purposes of verifying an RRSIG. dnspython's default comparison operators don't follow canonical ordering from RFC 4034, so I had to make some provisions to order properly. This didn't affect A RRsets with multiple RRs because the order of A-type rdata was the same using both orderings.
>
> Thanks for bringing this to my attention.

Excellent. Thank you very much indeed -- I'm glad to have been of service.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk