Re: Problem with DNSSEC signing zone
Hello Thierry SAMEN,

On Fri, 20 Jul 2012, William Thierry SAMEN wrote:

> Hi all Bind users,
>
> I just have a problem with my zone signing output. I made all the steps to obtain a good result.
>
> 1. Generated KSK and ZSK
> 2. Added both keys at the end of my zone file
> 3. Signed my zone with the dnssec-signzone command
> 4. Enabled dnssec in named options
> 5. Changed the name of my zone in named to namezone.signed
> 6. I got the root DNSKEY RR set before with the dig command and redirected the output into a root-dnskey file
> 7. I turned the DNSKEY into a DS RR set also, with the dnssec-dsfromkey command.

Did you send the DS RR to the operator of the parent zone, and did you wait for the DS record to appear in the parent zone?

To see an AD flag, you need to send the query towards a caching DNSSEC validating server that is _not_ the same server that is hosting the zone (see http://strotmann.de/roller/dnsworkshop/entry/dns_name_resolution_design_for ).

The chain of trust from the trust-anchor of the caching validating DNS server until the signatures in the zone must be complete, including the DS record for your zone which must be hosted in the parent zone (co.uk.).

Please also make sure that the serial number in the SOA record on the authoritative server is the same number that you see in the signed zone file. Do not forget to increment the SOA serial before or during the signing process ( dnssec-signzone -N INCREMENT ... ).

I cannot test your domain from here, it seems the domain is not delegated (I'm seeing an NXDOMAIN from co.uk.).

    csmobile :: ~ » drill -k root.key -SD willzik.co.uk
    ;; Number of trusted keys: 1
    ;; Chasing: willzik.co.uk. A

    DNSSEC Trust tree:
    willzik.co.uk. (A)
    |---Existence is denied by:
        |---G9F1KIIHM8M9VHJK7LRVETBQCEOGJIQP.co.uk. (NSEC3)
    |---Existence is denied by:
        |---QLR2IB6LOCI8AIL6L2NH50RQV809BNEG.co.uk. (NSEC3)
    |---Existence is denied by:
        |---22SDTUJH764RHEGKI5GU51QAU3T7947V.co.uk. (NSEC3)
    No trusted keys found in tree: first error was: No DNSSEC public key(s)
    ;; Chase failed.

(the negative answer here is not DNSSEC validated, but that is another issue).

Best regards

Carsten Strotmann

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Problem with DNSSEC signing zone
> 1. Generated KSK and ZSK
> 2. Added both keys at the end of my zone file
> 3. Signed my zone with the dnssec-signzone command
> 4. Enabled dnssec in named options
> 5. Changed the name of my zone in named to namezone.signed
> 6. I got the root DNSKEY RR set before with the dig command and redirected the output into a root-dnskey file
> 7. I turned the DNSKEY into a DS RR set also, with the dnssec-dsfromkey command.

Also consider simplifying the process as follows:

1. Generate KSK and ZSK, setting timing metadata so that they are published and active. See dnssec-keygen and dnssec-settime.
2. Place the key files in a key directory on your server.
3. Add to your zone configuration: key directory path to key files; auto-dnssec maintain;
4. Generate DS records and provide them to your registrar.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
Re: Problem with DNSSEC signing zone
On Fri, Jul 20, 2012 at 2:52 AM, William Thierry SAMEN thierry.sa...@gmail.com wrote:

> I just have a problem with my zone signing output. I made all the steps to obtain a good result.
> ...
> my zone name is *willzik.co.uk*

I'm getting an NXDOMAIN response from the co.uk servers, rather than a delegation referral:

    $ dig @nsa.nic.uk willzik.co.uk | grep status
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63301

It appears that you don't have delegation (NS) records in co.uk for willzik.co.uk.

Casey
RE: Problem with DNSSEC signing zone
> All these steps have been done well, but the last step, "Generate DS records and provide them to your registrar.", has not been fluent for me. I found how I can provide the key to the registrar. I used this command:
>
> dnssec-dsfromkey -2 Kwillzik.co.uk KSK.key
>
> Is it the good way to do it?

That command will generate the DS record for you. The procedure for getting the DS record into the parent zone, co.uk in this case, depends on your DNS registrar. For example, I use GoDaddy.com, and on their domain management website, there is a "Manage DS records" page where you can paste in the key digest and certain other information. Not all registrars support DNSSEC DS record management, so you may have to transfer your domain to one who does. See http://www.icann.org/en/news/in-focus/dnssec/deployment for a list.

> Please tell me how I can bring down this matter and have my AD flag when I make my dig.

The key point to recognize, as stated previously in Carsten Strotmann's post, is that you have to query a DNSSEC-enabled recursive resolver to possibly get an AD flag returned. Your own authoritative name server will never return an AD flag. See https://www.dns-oarc.net/oarc/services/odvr for one that is available publicly. Also you can test your zone at http://dnsviz.net to see if there are any missing links in your chain of trust from the DNS root.

Best Regards,
Jeff.
Re: Problem with DNSSEC signing zone
On 07/20/2012 07:05, Casey Deccio wrote:

> On Fri, Jul 20, 2012 at 2:52 AM, William Thierry SAMEN thierry.sa...@gmail.com wrote:
>
>> I just have a problem with my zone signing output. I made all the steps to obtain a good result.
>> ...
>> my zone name is *willzik.co.uk*
>
> I'm getting an NXDOMAIN response from the co.uk servers, rather than a delegation referral:

That domain isn't registered.

--
If you're never wrong, you're not trying hard enough