Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-03-02 Thread Niobos
On 2011-03-01 21:00, Torinthiel wrote:
 On 03/01/11 20:17, fakessh @ wrote:
 And about OVH - I don't know if it's related, but I've asked Polish OVH
 how about providing DNSSEC, as .pl is planned to be signed mid-year, and
 they've answered me they will probably be ready. This might, or might
 not be related to providing DNSSEC by other OVH branches and for other
 registries.

I asked this to OVH.fr somewhere around October 2010. They answered that
they were working on it and it would be available soon.
I re-asked it mid February 2010 to OVH.nl. They answered that it's on
their roadmap but they don't have a timing yet... They only could
provide me with this forum link: http://forum.ovh.nl/showthread.php?t=963

Greets


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-03-01 Thread fakessh @

On Tuesday 1 March 2011 at 09:34 +0100, Laurent Bauer wrote:
 On 28/02/2011 23:35, fakessh @ wrote:
  This is not handled yet. The .FR zone has been signed since september 
  2010, but submitting DS for child zones will be supported later this year.
  See http://operations.afnic.fr for more information.
 
  thank you for taking the trouble to answer me. 
  
  
  I therefore rest with my chain of security provided by ISC DLV and wait
  for the DS flag, a chance to insert it later. 
  
  but I wonder one thing: I'm not a registrar, I am a passionate individual;
  how am I going to do the DS flag later for my .eu domain and .fr? I
  do not know and still do not understand how
 
 You will have to ask your registrar to submit the DS to the parent zone,
 just as you have to ask your registrar 

my registrar OVH does not implement DNSSEC yet

 when you want to change the NS
 for your zone.

I use another secondary DNS that does not come from OVH
I use ISC DLV

 If they are already implementing DNSSEC, ask them what you are supposed
 to provide (the KSK or the DS only) ; 

for the submission in ISC DLV 
we have their key to submit and we get a new text record
it is easy to initiate


 I guess there must be a FAQ

no FAQ explicit enough for implementing a DS record

 somewhere on the control panel.

I repeat, ISC DLV seems to accept the DS flag 
in my case I have a file dsset-fakessh.eu 
but the file contains two DS keys and I don't know which to use

 Eurid is already ready for DS submission, so you will be able to
 complete the whole chain of trust for your .eu domain, if your registrar
 is DNSSEC ready.
 
   Laurent
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7



Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-03-01 Thread Torinthiel
On 03/01/11 20:17, fakessh @ wrote:

 I repeat, ISC DLV seems to accept the DS flag 
 in my case I have a file dsset-fakessh.eu 
 but the file contains two DS keys and I don't know which to use

The DS you have are both for the same key, only one is SHA1 and other
SHA256. You could try any of them, but see below.

ISC DLV accepts keys, you have to create an account, add your zone and
keys for it. I remember having some trouble trying to add DS records,
but DNSKEY worked fine. Of course the zone has to be signed using that
key, and ISC asks you to add a TXT record at dlv.your.zone (or something
similar) to prove your ability to modify the zone.
The procedure is simple and well defined.

And about OVH - I don't know if it's related, but I've asked Polish OVH
how about providing DNSSEC, as .pl is planned to be signed mid-year, and
they've answered me they will probably be ready. This might, or might
not be related to providing DNSSEC by other OVH branches and for other
registries.

Torinthiel


Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-03-01 Thread fakessh @
as I now know which DS key to use. 

I logged into my account and I moved the ISC DLV record to the SHA1 DS, 
and I thought I would receive a new record or something like that. 

well, no: the reply from the ISC is:
A corresponding DNSKEY already exists for this record.

All comments are welcome to help me find a solution

NB: I published on my blog a little article on DNSSEC 
http://fakessh.eu/2011/02/16/faire-marcher-dnssec-sur-son-serveur/
On Tuesday 1 March 2011 at 21:00 +0100, Torinthiel wrote:
 On 03/01/11 20:17, fakessh @ wrote:
 
  I repeat, ISC DLV seems to accept the DS flag 
  in my case I have a file dsset-fakessh.eu 
  but the file contains two DS keys and I don't know which to use
 
 The DS you have are both for the same key, only one is SHA1 and other
 SHA256. You could try any of them, but see below.
 
 ISC DLV accepts keys, you have to create an account, add your zone and
 keys for it. I remember having some trouble trying to add DS records,
 but DNSKEY worked fine. Of course the zone has to be signed using that
 key, and ISC asks you to add a TXT record at dlv.your.zone (or something
 similar) to prove your ability to modify the zone.
 The procedure is simple and well defined.
 
 And about OVH - I don't know if it's related, but I've asked Polish OVH
 how about providing DNSSEC, as .pl is planned to be signed mid-year, and
 they've answered me they will probably be ready. This might, or might
 not be related to providing DNSSEC by other OVH branches and for other
 registries.
 
 Torinthiel

Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-03-01 Thread Mark Andrews

In message 1299012754.7.430.camel@localhost.localdomain, fakessh @ writes:
 as I now know which DS key to use. 
 
 I logged into my account and I moved the ISC DLV record to the SHA1 DS, 
 and I thought I would receive a new record or something like that. 
 
 well, no: the reply from the ISC is:
 A corresponding DNSKEY already exists for this record.

Because there are already DLV records for the key in the DLV.

;; ANSWER SECTION:
fakessh.eu.dlv.isc.org. 3529    IN      DLV     47103 3 2 68096942650C1DD89D5BE43A9EEA05BA9C20F09EDC55309F4F1CD348 4D8ED07B
fakessh.eu.dlv.isc.org. 3529    IN      DLV     47103 3 1 CFEA04C5B918359273D6BAC07AE7F2DF5225E357

And the zone itself validates (ad=1).

; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu soa +adflag
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4080
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fakessh.eu.                    IN      SOA

;; ANSWER SECTION:
fakessh.eu.             38400   IN      SOA     r13151.ovh.net. postmaster.fakessh.eu. 2011022802 10800 3600 604800 38400

;; Query time: 2521 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar  2 08:45:13 2011
;; MSG SIZE  rcvd: 89

 All comments are welcome to help me find a solution
 
 NB: I published on my blog a little article on DNSSEC 
 http://fakessh.eu/2011/02/16/faire-marcher-dnssec-sur-son-serveur/
 On Tuesday 1 March 2011 at 21:00 +0100, Torinthiel wrote:
  On 03/01/11 20:17, fakessh @ wrote:
  
   I repeat, ISC DLV seems to accept the DS flag 
   in my case I have a file dsset-fakessh.eu 
   but the file contains two DS keys and I don't know which to use
  
  The DS you have are both for the same key, only one is SHA1 and other
  SHA256. You could try any of them, but see below.
  
  ISC DLV accepts keys, you have to create an account, add your zone and
  keys for it. I remember having some trouble trying to add DS records,
  but DNSKEY worked fine. Of course the zone has to be signed using that
  key, and ISC asks you to add a TXT record at dlv.your.zone (or something
  similar) to prove your ability to modify the zone.
  The procedure is simple and well defined.
  
  And about OVH - I don't know if it's related, but I've asked Polish OVH
  how about providing DNSSEC, as .pl is planned to be signed mid-year, and
  they've answered me they will probably be ready. This might, or might
  not be related to providing DNSSEC by other OVH branches and for other
  registries.
  
  Torinthiel
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
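Torinthiel's point above (the two DS records in dsset-fakessh.eu describe the same key, one as a SHA-1 digest and one as SHA-256) and Mark's DLV answer (two DLV records with the same key tag 47103, digest types 2 and 1) both follow from how a DS is derived from a DNSKEY. The Python below is an added example, not code from anyone in this thread or from ISC: it builds the DS pair for a DNSKEY the way the dsset file written by dnssec-signzone does, and performs the validator-side check that a DS published by the parent (or, in DLV, by the registry) matches the child's key. The owner name example.test. and the two-byte placeholder public key are constructed for illustration; the record formats follow RFC 4034 (key tag in Appendix B, DS digest in section 5.1.4) and RFC 4509 for SHA-256, and a DLV record has the same RDATA layout as a DS (RFC 4431).

```python
import base64
import hashlib
import struct

# DS digest types registered for DNSSEC: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-cased, each label length-prefixed, terminated by the root label."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """DS RDATA (key tag, algorithm, digest type, hex digest) for one DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def dsset_for_key(owner, flags, protocol, algorithm, pubkey_b64):
    """Both DS records for one key: the SHA-1 and SHA-256 pair found in a dsset-<zone> file."""
    return [ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dt) for dt in (1, 2)]


def refer_to_same_key(ds_a, ds_b) -> bool:
    """Two DS records name the same DNSKEY when key tag and algorithm agree;
    a differing digest type alone just means two hashes of the same key."""
    return ds_a[0] == ds_b[0] and ds_a[1] == ds_b[1]


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """The validator's check: recompute the DS from the child's DNSKEY and compare it
    with the DS obtained from the parent zone or from a DLV registry."""
    tag, alg, digest_type, digest = ds
    if digest_type not in DIGEST_ALGS:
        return False  # unsupported digest type: this DS cannot authenticate anything
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type)
    return expected == (tag, alg, digest_type, digest.upper())


def format_ds(owner, ds) -> str:
    """Presentation format as it appears in a dsset file or a dig answer."""
    tag, alg, digest_type, digest = ds
    return f"{owner} IN DS {tag} {alg} {digest_type} {digest}"


# Constructed sample: flags 257 (KSK, SEP bit set), protocol 3, algorithm 8 (RSA/SHA-256),
# with a two-byte placeholder "public key" so the key tag can be checked by hand:
# RDATA bytes 01 01 03 08 01 02 give a key tag of 1291. Not a real key, and not the
# key from this thread.
SAMPLE_OWNER = "example.test."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 8
SAMPLE_PUBKEY_B64 = base64.b64encode(b"\x01\x02").decode()

if __name__ == "__main__":
    for ds in dsset_for_key(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_PUBKEY_B64):
        print(format_ds(SAMPLE_OWNER, ds))
```

Run stand-alone it prints the SHA-1 and SHA-256 DS for the sample key; the key tag and algorithm are identical and only the digest type and digest differ, which is why either line from the dsset file identifies the same key to a registry, and why a registry that already holds one form of the key reports it as already present when the other form is submitted.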


Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-02-28 Thread Eivind Olsen
On 28 Feb 2011 at 17:46, fakessh @ wrote:
 for example the test shows me some time
 http://dnssec-debugger.verisignlabs.com/nicolaspichot.fr the results are
 not consistent with my expectations


Well, I see a few different errors for that domain:

I don't see any DS records for your domain when I query the fr. nameservers. I 
don't know how it's handled in that TLD but I guess you somehow need to tell 
your registrar about your KSK, so they can put in the correct DS record.

The delegation of your domain looks a bit odd, the fr. nameservers claims you 
have:
- ns0.xname.org
- ns1.xname.org
- ns1.novacrea.fr
- r13151.ovh.net
...but if I query any of these, I'm told there's also ns2.xname.org

At the moment, ns1.xname.org gives an older version of the zone, with a serial 
number 2011021401

Check the list of errors on http://dnsviz.net/d/nicolaspichot.fr/dnssec/ 
especially about missing key 12961.

-- 
Regards
Eivind Olsen
eiv...@aminor.no






Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-02-28 Thread fakessh @

On Monday 28 February 2011 at 20:14 +0100, Laurent Bauer wrote:
 Eivind Olsen wrote:
  
  Well, I see a few different errors for that domain:
  
  I don't see any DS records for your domain when I query the fr. 
   nameservers. I don't know how it's handled in that TLD but I guess
   you somehow need to tell your registrar about your KSK, so they
  can put in the correct DS record.
 
 This is not handled yet. The .FR zone has been signed since september 
 2010, but submitting DS for child zones will be supported later this year.
 See http://operations.afnic.fr for more information.
 
thank you for taking the trouble to answer me. 


I therefore rest with my chain of security provided by ISC DLV and wait
for the DS flag, a chance to insert it later. 

but I wonder one thing: I'm not a registrar, I am a passionate individual;
how am I going to do the DS flag later for my .eu domain and .fr? I
do not know and still do not understand how



   Laurent