Re: problem for validate the script dnssec to isc dlv
> dns appear as my syncro. yet I'm still at the same point missing keys

Your delegation for the domain fakessh.eu doesn't seem to be 100% correct yet though.

If I ask the nameservers for .eu (like p.nic.eu) it tells me your domain belongs to 4 nameservers:

ns0.xname.org
ns1.xname.org
ns1.novacrea.fr
r13151.ovh.net

If I ask the first one on that list, ns0.xname.org, it tells me you only have 3 nameservers:

ns1.xname.org
ns1.novacrea.fra
r13151.ovh.net

If I try to get a reply from ns1.xname.org it just goes into timeout here:

[eivind@vimes ~]$ dig +dnssec ns fakessh.eu @ns1.xname.org

; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @ns1.xname.org
;; global options: +cmd
;; connection timed out; no servers could be reached
[eivind@vimes ~]$

If I try to get a reply from r13151.ovh.net I just get a servfail:

[eivind@vimes ~]$ dig +dnssec ns fakessh.eu @r13151.ovh.net

; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @r13151.ovh.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53023
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fakessh.eu. IN NS

;; Query time: 55 msec
;; SERVER: 87.98.186.232#53(87.98.186.232)
;; WHEN: Mon Mar 28 10:02:33 2011
;; MSG SIZE rcvd: 39

Regards
Eivind Olsen
eiv...@aminor.no

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: problem for validate the script dnssec to isc dlv
it is, I'm coming

I do not understand the need to recreate and validate the file keyset-en ... I then recreate a good record with the key in this file and my past signatures are good.

I did not understand correctly the operation of dlv keyset files and I recreated downgrade bind to the stable version 9.3 of CentOS 5.5 and using webmin.

can you give me the command to use to create files Keyset

I did not find any documentation regarding the creation of this type of file

I will update my blog more precisely with the new guidelines

thanks for your good support
thanks mark andrews
thanks Torinthiel
thanks eivind olsen
thanks evan hunt
thanks dan mahoney
thanks michel graff

On Monday 28 March 2011 at 10:04 +0200, Eivind Olsen wrote:
> > dns appear as my syncro. yet I'm still at the same point missing keys
>
> Your delegation for the domain fakessh.eu doesn't seem to be 100% correct yet though.
>
> If I ask the nameservers for .eu (like p.nic.eu) it tells me your domain belongs to 4 nameservers:
>
> ns0.xname.org
> ns1.xname.org
> ns1.novacrea.fr
> r13151.ovh.net
>
> If I ask the first one on that list, ns0.xname.org, it tells me you only have 3 nameservers:
>
> ns1.xname.org
> ns1.novacrea.fra
> r13151.ovh.net
>
> If I try to get a reply from ns1.xname.org it just goes into timeout here:
>
> [eivind@vimes ~]$ dig +dnssec ns fakessh.eu @ns1.xname.org
>
> ; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @ns1.xname.org
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> [eivind@vimes ~]$
>
> If I try to get a reply from r13151.ovh.net I just get a servfail:
>
> [eivind@vimes ~]$ dig +dnssec ns fakessh.eu @r13151.ovh.net
>
> ; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @r13151.ovh.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53023
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;fakessh.eu. IN NS
>
> ;; Query time: 55 msec
> ;; SERVER: 87.98.186.232#53(87.98.186.232)
> ;; WHEN: Mon Mar 28 10:02:33 2011
> ;; MSG SIZE rcvd: 39
>
> Regards
> Eivind Olsen
> eiv...@aminor.no

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: problem for validate the script dnssec to isc dlv
i use the key

BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE
1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+
jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73
Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucM
TwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7
mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3x
iRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh

and the other key include in the tarball of bind

On Sunday 27 March 2011 at 14:59 +1100, Mark Andrews wrote:
> Mark Andrews writes:
> > In message 1301008426.12273.115.camel@localhost.localdomain, fakessh @ writes:
> > > it is 6 months since I used no worries dlv
> >
> > What keys do you have recorded with dlv.isc.org? Do they match what you currently have in the zone?
>
> You did not answer these questions. Please answer these questions.

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: problem for validate the script dnssec to isc dlv
In message 1301241108.12273.192.camel@localhost.localdomain, fakessh @ writes:
> i use the key
>
> BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE
> 1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+
> jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73
> Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucM
> TwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7
> mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3x
> iRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh
>
> and the other key include in the tarball of bind

Submit the SEP key for fakessh.eu.

fakessh.eu. 38356 IN DNSKEY 257 3 5 AwEAAaXxSyYC5WHJdozSpEX5foltzSpNYJZb78zJldfgHF8zseINQNQj xQp9SdxsM81n6xw68zuJtd0I2grxexvQ0N4SdwM70tifbZD0VTBr8vgr rMOwfP2tCTzI/3VqHpFl+JZEcbcJqX4HcYh+fH9s+ZwHgybJ9FeSzYmu CakqAfHn

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
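An added example, not part of Mark Andrews' message and not ISC code: it picks the SEP key out of a DNSKEY RRset, computes its key tag (RFC 4034 Appendix B) and builds the DLV records that correspond to it, in the same layout as the DLV answers quoted in this thread. The zone example.eu, the 4-byte toy keys and all function names are assumptions made for this example.

```python
import base64
import hashlib
import struct

# Constructed sample RRset (not the keys from the thread): a zone-signing key
# (flags 256) and a key with the SEP bit set (flags 257). The key material is
# 4 toy bytes each; the second one is split by a space the way dig prints it.
SAMPLE_RRSET = """\
example.eu. 38400 IN DNSKEY 256 3 5 BQYHCA==
example.eu. 38400 IN DNSKEY 257 3 5 AQID BA==
"""


def parse_dnskeys(text):
    """Parse presentation-format DNSKEY lines into dicts."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields or "RRSIG" in fields:
            continue  # skip blank lines, comments and RRSIG(DNSKEY) records
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
        keys.append({
            "owner": fields[0].lower(),
            "flags": flags,
            "protocol": protocol,
            "algorithm": algorithm,
            "key": base64.b64decode("".join(fields[i + 4:])),
        })
    return keys


def sep_keys(keys):
    """Keys with the Secure Entry Point bit (lowest flag bit) set."""
    return [k for k in keys if k["flags"] & 0x0001]


def rdata(key):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"],
                       key["algorithm"]) + key["key"]


def key_tag(key):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata(key)):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Owner name in canonical wire format (lowercase, length-prefixed labels)."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dlv_records(key, registry="dlv.isc.org."):
    """DLV records (same RDATA layout as DS) for digest types 1 and 2."""
    digest_input = owner_wire(key["owner"]) + rdata(key)
    records = []
    for digest_type, hasher in ((1, hashlib.sha1), (2, hashlib.sha256)):
        records.append("%s%s IN DLV %d %d %d %s" % (
            key["owner"], registry, key_tag(key), key["algorithm"],
            digest_type, hasher(digest_input).hexdigest().upper()))
    return records


if __name__ == "__main__":
    for k in sep_keys(parse_dnskeys(SAMPLE_RRSET)):
        print("SEP key, tag", key_tag(k))
        print("\n".join(dlv_records(k)))
```

Comparing the computed key tag and digests with what `dig <zone>.dlv.isc.org dlv` returns answers the question asked earlier in the thread: whether the records held by the registry match the key currently in the zone.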
Re: problem for validate the script dnssec to isc dlv
in insurance I googled no result

how to do this ...

nb : i readjust my blog immediately

On Monday 28 March 2011 at 03:43 +1100, Mark Andrews wrote:
> In message 1301241108.12273.192.camel@localhost.localdomain, fakessh @ writes:
> > i use the key
> >
> > BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE
> > 1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+
> > jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73
> > Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucM
> > TwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7
> > mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3x
> > iRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh
> >
> > and the other key include in the tarball of bind
>
> Submit the SEP key for fakessh.eu.
>
> fakessh.eu. 38356 IN DNSKEY 257 3 5 AwEAAaXxSyYC5WHJdozSpEX5foltzSpNYJZb78zJldfgHF8zseINQNQj xQp9SdxsM81n6xw68zuJtd0I2grxexvQ0N4SdwM70tifbZD0VTBr8vgr rMOwfP2tCTzI/3VqHpFl+JZEcbcJqX4HcYh+fH9s+ZwHgybJ9FeSzYmu CakqAfHn

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: problem for validate the script dnssec to isc dlv
On 03/27/11 19:09, fakessh @ wrote:
> in insurance I googled no result
>
> how to do this ...

The procedure is everywhere around the ISC site. See eg.

http://www.isc.org/solutions/dlv
https://dlv.isc.org/about/using
my mail on 3rd jan, 21:00 in reply to yours (thread inconsistency dnssec debuguers response and writing conseil for new areas zone)

Torinthiel
Re: problem for validate the script dnssec to isc dlv
That would be the key with id 47103 in your case. The one that has SEP flag, the one that only signs DNSKEY records and not others.
Regards,
Torinthiel

http://www.mail-archive.com/bind-users@lists.isc.org/msg09107.html

This is your word

i reread the thread to February

http://www.mail-archive.com/bind-users@lists.isc.org/msg09084.html

Mark Andrews quote

Because there are already DLV records for the key in the DLV.

;; ANSWER SECTION:
fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 2 68096942650C1DD89D5BE43A9EEA05BA9C20F09EDC55309F4F1CD348 4D8ED07B
fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 1 CFEA04C5B918359273D6BAC07AE7F2DF5225E357

here i am

r13151 ~]# dig fakessh.eu.dlv.isc.org @8.8.8.8

; <<>> DiG 9.7.3-RedHat-9.7.3-1.el5 <<>> fakessh.eu.dlv.isc.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21853
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fakessh.eu.dlv.isc.org. IN A

;; AUTHORITY SECTION:
dlv.isc.org. 1695 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011032703 7200 3600 2419200 3600

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Mar 27 20:34:49 2011
;; MSG SIZE rcvd: 94

[root@r13151 ~]#

r13151 ~]# dig fakessh.eu.dlv.isc.org

; <<>> DiG 9.7.3-RedHat-9.7.3-1.el5 <<>> fakessh.eu.dlv.isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19904
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fakessh.eu.dlv.isc.org. IN A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 27 20:35:15 2011
;; MSG SIZE rcvd: 40

it seems there is no deposit in dlv isc but I can not validate my own I have the answer about the DS field. ovh do not want to do and they say RTFM and desmerdevous and i requote how to do this ... the SEP record

On Sunday 27 March 2011 at 20:08 +0200, Torinthiel wrote:
> On 03/27/11 19:09, fakessh @ wrote:
> > in insurance I googled no result
> >
> > how to do this ...
>
> The procedure is everywhere around the ISC site. See eg.
>
> http://www.isc.org/solutions/dlv
> https://dlv.isc.org/about/using
> my mail on 3rd jan, 21:00 in reply to yours (thread inconsistency dnssec debuguers response and writing conseil for new areas zone)
>
> Torinthiel

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: problem for validate the script dnssec to isc dlv
On 03/27/11 20:45, fakessh @ wrote:
> That would be the key with id 47103 in your case. The one that has SEP flag, the one that only signs DNSKEY records and not others.
> Regards,
> Torinthiel
>
> http://www.mail-archive.com/bind-users@lists.isc.org/msg09107.html
>
> This is your word
>
> i reread the thread to February
>
> http://www.mail-archive.com/bind-users@lists.isc.org/msg09084.html
>
> Mark Andrews quote
>
> Because there are already DLV records for the key in the DLV.
>
> ;; ANSWER SECTION:
> fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 2 68096942650C1DD89D5BE43A9EEA05BA9C20F09EDC55309F4F1CD348 4D8ED07B
> fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 1 CFEA04C5B918359273D6BAC07AE7F2DF5225E357
>
> here i am

Ok. Now, reread the current thread. At least three people in this thread only have identified and pinpointed the problem. Two of your nameservers, ns0.xname.org and ns2.xname.org do not support DNSSec right now. Unless you do something about this, possibilities include fixing them or dropping them from your authoritative servers, there's nothing anyone can help you. Your zone is NOT DNSSec enabled, and ISC's DLV registry correctly refuses to list its keys.

If you don't trust us, please go to http://dnsviz.net/d/fakessh.eu/dnssec/ or http://secspider.cs.ucla.edu/fakessh-eu--zone.html, probably your account in dlv.isc.org or any DNSSec debugger of your choice.

I've really assumed that you've fixed issues that were pointed numerous times before asking for next steps.

Torinthiel
Re: problem for validate the script dnssec to isc dlv
I removed the dns that does not support dnssec

Now it is necessary to wait a day or two

On Sunday 27 March 2011 at 20:58 +0200, Torinthiel wrote:
> On 03/27/11 20:45, fakessh @ wrote:
> > That would be the key with id 47103 in your case. The one that has SEP flag, the one that only signs DNSKEY records and not others.
> > Regards,
> > Torinthiel
> >
> > http://www.mail-archive.com/bind-users@lists.isc.org/msg09107.html
> >
> > This is your word
> >
> > i reread the thread to February
> >
> > http://www.mail-archive.com/bind-users@lists.isc.org/msg09084.html
> >
> > Mark Andrews quote
> >
> > Because there are already DLV records for the key in the DLV.
> >
> > ;; ANSWER SECTION:
> > fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 2 68096942650C1DD89D5BE43A9EEA05BA9C20F09EDC55309F4F1CD348 4D8ED07B
> > fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 1 CFEA04C5B918359273D6BAC07AE7F2DF5225E357
> >
> > here i am
>
> Ok. Now, reread the current thread. At least three people in this thread only have identified and pinpointed the problem. Two of your nameservers, ns0.xname.org and ns2.xname.org do not support DNSSec right now. Unless you do something about this, possibilities include fixing them or dropping them from your authoritative servers, there's nothing anyone can help you. Your zone is NOT DNSSec enabled, and ISC's DLV registry correctly refuses to list its keys.
>
> If you don't trust us, please go to http://dnsviz.net/d/fakessh.eu/dnssec/ or http://secspider.cs.ucla.edu/fakessh-eu--zone.html, probably your account in dlv.isc.org or any DNSSec debugger of your choice.
>
> I've really assumed that you've fixed issues that were pointed numerous times before asking for next steps.
>
> Torinthiel

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: problem for validate the script dnssec to isc dlv
dns appear as my syncro. yet I'm still at the same point missing keys

On Monday 28 March 2011 at 00:45 +0200, fakessh @ wrote:
> I removed the dns that does not support dnssec
>
> Now it is necessary to wait a day or two
>
> On Sunday 27 March 2011 at 20:58 +0200, Torinthiel wrote:
> > On 03/27/11 20:45, fakessh @ wrote:
> > > That would be the key with id 47103 in your case. The one that has SEP flag, the one that only signs DNSKEY records and not others.
> > > Regards,
> > > Torinthiel
> > >
> > > http://www.mail-archive.com/bind-users@lists.isc.org/msg09107.html
> > >
> > > This is your word
> > >
> > > i reread the thread to February
> > >
> > > http://www.mail-archive.com/bind-users@lists.isc.org/msg09084.html
> > >
> > > Mark Andrews quote
> > >
> > > Because there are already DLV records for the key in the DLV.
> > >
> > > ;; ANSWER SECTION:
> > > fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 2 68096942650C1DD89D5BE43A9EEA05BA9C20F09EDC55309F4F1CD348 4D8ED07B
> > > fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 1 CFEA04C5B918359273D6BAC07AE7F2DF5225E357
> > >
> > > here i am
> >
> > Ok. Now, reread the current thread. At least three people in this thread only have identified and pinpointed the problem. Two of your nameservers, ns0.xname.org and ns2.xname.org do not support DNSSec right now. Unless you do something about this, possibilities include fixing them or dropping them from your authoritative servers, there's nothing anyone can help you. Your zone is NOT DNSSec enabled, and ISC's DLV registry correctly refuses to list its keys.
> >
> > If you don't trust us, please go to http://dnsviz.net/d/fakessh.eu/dnssec/ or http://secspider.cs.ucla.edu/fakessh-eu--zone.html, probably your account in dlv.isc.org or any DNSSec debugger of your choice.
> >
> > I've really assumed that you've fixed issues that were pointed numerous times before asking for next steps.
> >
> > Torinthiel

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: problem for validate the script dnssec to isc dlv
In message 1301245765.12273.198.camel@localhost.localdomain, fakessh @ writes:
> in insurance I googled no result
>
> how to do this ...

https://dlv.isc.org

Click on Login.
Enter your user name and password.
You should see fakessh.eu in the table of zones.
Click on (add) under Keys for fakessh.eu.
Cut and paste the entire record from below into the field under Add Record.

To get rid of an old record.
After logging in click on (details) for the zone you want to remove the record from.
Find the record you want to delete and click on (details).
In status click on (delete record).

Mark

> nb : i readjust my blog immediately
>
> On Monday 28 March 2011 at 03:43 +1100, Mark Andrews wrote:
> > In message 1301241108.12273.192.camel@localhost.localdomain, fakessh @ writes:
> > > i use the key
> > >
> > > BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE
> > > 1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+
> > > jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73
> > > Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucM
> > > TwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7
> > > mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3x
> > > iRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh
> > >
> > > and the other key include in the tarball of bind
> >
> > Submit the SEP key for fakessh.eu.
> >
> > fakessh.eu. 38356 IN DNSKEY 257 3 5 AwEAAaXxSyYC5WHJdozSpEX5foltzSpNYJZb78zJldfgHF8zseINQNQj xQp9SdxsM81n6xw68zuJtd0I2grxexvQ0N4SdwM70tifbZD0VTBr8vgr rMOwfP2tCTzI/3VqHpFl+JZEcbcJqX4HcYh+fH9s+ZwHgybJ9FeSzYmu CakqAfHn
>
> -- 
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: problem for validate the script dnssec to isc dlv
Mark Andrews writes:
> In message 1301008426.12273.115.camel@localhost.localdomain, fakessh @ writes:
> > it is 6 months since I used no worries dlv
>
> What keys do you have recorded with dlv.isc.org? Do they match what you currently have in the zone?

You did not answer these questions. Please answer these questions.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
problem for validate the script dnssec to isc dlv
hi bind //guru/
hi isc guru
hi mark andrews
hi michel graff

despite my efforts to validate isc dlv. I'm always at the same point I can not validate the keys.

error below the script isc

SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
3.345:INFO Total answers: 3
3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
3.347:SUCCESS All DNSKEY responses are identical.
3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1 AwEAAbjq...Na0iXShQfc=
3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1 AwEAAcNa...y1khCE+CdE=
3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
3.353:DEBUG VERIFY-DNSKEY: Using keys:
3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
3.353:FAILURE DNSKEY signature did not validate.
3.353:FINAL_FAILURE FAILURE

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: problem for validate the script dnssec to isc dlv
In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:
> hi bind //guru/
> hi isc guru
> hi mark andrews
> hi michel graff

There are no DLV records for fakessh.eu. See below.
There are no DS records for fakessh.eu. See below.

Two of the nameservers for your zone are not DNSSEC enabled. They do NOT return RRSIG records when asked for the DNSKEY records with DO=1. See below.

You need to address these issues.

Mark

% dig fakessh.eu.dlv.isc.org dlv

; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21760
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fakessh.eu.dlv.isc.org. IN DLV

;; AUTHORITY SECTION:
dlv.isc.org. 2793 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011032404 7200 3600 2419200 3600

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 25 08:10:56 2011
;; MSG SIZE rcvd: 94

% dig ds fakessh.eu

; <<>> DiG 9.6.0-APPLE-P2 <<>> ds fakessh.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20600
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fakessh.eu. IN DS

;; AUTHORITY SECTION:
eu. 600 IN SOA a.nic.eu. tech.eurid.eu. 1003425849 3600 1800 360 600

;; Query time: 930 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 25 08:13:44 2011
;; MSG SIZE rcvd: 81

% dig +dnssec dnskey fakessh.eu @ns0.xname.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec dnskey fakessh.eu @ns0.xname.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fakessh.eu. IN DNSKEY

;; ANSWER SECTION:
fakessh.eu. 38400 IN DNSKEY 256 3 5 AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89 Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
fakessh.eu. 38400 IN DNSKEY 257 3 5 AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz 9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=

;; AUTHORITY SECTION:
fakessh.eu. 38400 IN NS r13151.ovh.net.
fakessh.eu. 38400 IN NS ns0.xname.org.
fakessh.eu. 38400 IN NS ns1.xname.org.
fakessh.eu. 38400 IN NS ns1.novacrea.fr.
fakessh.eu. 38400 IN NS ns2.xname.org.

;; ADDITIONAL SECTION:
ns0.xname.org. 600 IN A 195.234.42.1
ns1.xname.org. 600 IN A 87.98.164.164
ns1.novacrea.fr. 55352 IN A 94.23.59.30
ns2.xname.org. 600 IN A 88.191.64.64
ns2.xname.org. 600 IN 2a01:e0b:1:64:240:63ff:fee8:6155

;; Query time: 391 msec
;; SERVER: 195.234.42.1#53(195.234.42.1)
;; WHEN: Fri Mar 25 08:19:34 2011
;; MSG SIZE rcvd: 515

%

> despite my efforts to validate isc dlv. I'm always at the same point I can not validate the keys.
>
> error below the script isc
>
> SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
> 3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
> 3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
> 3.345:INFO Total answers: 3
> 3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
> 3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
> 3.347:SUCCESS All DNSKEY responses are identical.
> 3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1 AwEAAbjq...Na0iXShQfc=
> 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> 3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1 AwEAAcNa...y1khCE+CdE=
> 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> 3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
> 3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
> 3.353:DEBUG VERIFY-DNSKEY: Using keys:
> 3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
> 3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
> 3.353:FAILURE DNSKEY signature did not validate.
> 3.353:FINAL_FAILURE FAILURE
>
> -- 
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
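An added example, not code from the thread or from ISC: it automates the per-server check Mark Andrews describes (does each authoritative server return an RRSIG with the DNSKEY RRset when DO=1) together with the delegation comparison Eivind Olsen does by hand in his reply. The server names, the zone example.eu and the captured `dig +dnssec dnskey` replies are constructed sample data; the function names are assumptions made for this example.

```python
import re

# Constructed sample data modelled on the dig output in this thread: the NS set
# handed out by the parent zone, and one captured reply per authoritative server.
PARENT_NS = {"ns-a.example.net.", "ns-b.example.net.", "ns-c.example.net."}

_NS_SECTION = """\
;; AUTHORITY SECTION:
example.eu. 38400 IN NS ns-a.example.net.
example.eu. 38400 IN NS ns-b.example.net.
example.eu. 38400 IN NS ns-c.example.net.
"""

CAPTURES = {
    "ns-a.example.net.": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1

;; ANSWER SECTION:
example.eu. 38400 IN DNSKEY 256 3 5 BQYHCA==
example.eu. 38400 IN DNSKEY 257 3 5 AQIDBA==
example.eu. 38400 IN RRSIG DNSKEY 5 2 38400 20110427000000 20110328000000 2060 example.eu. c2lnbmF0dXJl

""" + _NS_SECTION,
    "ns-b.example.net.": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; ANSWER SECTION:
example.eu. 38400 IN DNSKEY 256 3 5 BQYHCA==
example.eu. 38400 IN DNSKEY 257 3 5 AQIDBA==

""" + _NS_SECTION + "example.eu. 38400 IN NS ns-old.example.net.\n",
    "ns-c.example.net.": """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
""",
    "ns-old.example.net.": ";; connection timed out; no servers could be reached\n",
}


def parse_dig(text):
    """Extract reachability, rcode and per-section records from dig output."""
    result = {"reached": "connection timed out" not in text,
              "status": None, "sections": {}}
    status = re.search(r"status: (\w+)", text)
    if status:
        result["status"] = status.group(1)
    section = None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
            result["sections"][section] = []
        elif not line.strip():
            section = None          # a blank line ends the current section
        elif section and not line.startswith(";"):
            _owner, _ttl, _class, rtype, rest = line.split(None, 4)
            result["sections"][section].append((rtype, rest))
    return result


def audit(text, parent_ns=PARENT_NS):
    """Return a list of findings for one server; an empty list means OK."""
    reply = parse_dig(text)
    if not reply["reached"]:
        return ["no reply (timeout)"]
    if reply["status"] != "NOERROR":
        return ["rcode %s" % reply["status"]]
    findings = []
    answer = reply["sections"].get("ANSWER", [])
    has_key = any(rtype == "DNSKEY" for rtype, _ in answer)
    has_sig = any(rtype == "RRSIG" and rest.split()[0] == "DNSKEY"
                  for rtype, rest in answer)
    if not has_key:
        findings.append("no DNSKEY in answer")
    elif not has_sig:
        findings.append("DNSKEY answered without RRSIG although DO=1")
    child_ns = {rest.strip().lower()
                for rtype, rest in reply["sections"].get("AUTHORITY", [])
                if rtype == "NS"}
    if child_ns and child_ns != parent_ns:
        findings.append("NS set differs from parent: extra=%s missing=%s" % (
            sorted(child_ns - parent_ns), sorted(parent_ns - child_ns)))
    return findings


def audit_all(captures=CAPTURES, parent_ns=PARENT_NS):
    return {server: audit(text, parent_ns) for server, text in captures.items()}


if __name__ == "__main__":
    for server, findings in audit_all().items():
        print(server, "OK" if not findings else "; ".join(findings))
```

A server is only safe to keep in the NS RRset of a signed zone when its list of findings is empty; any other server produces the validation failures seen in this thread.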
Re: problem for validate the script dnssec to isc dlv
On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
> In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:
> > hi bind //guru/
> > hi isc guru
> > hi mark andrews
> > hi michel graff
>
> There are no DLV records for fakessh.eu. See below.
> There are no DS records for fakessh.eu. See below.

necessarily because I can not validate the key through via isc dlv

> Two of the nameservers for your zone are not DNSSEC enabled. They do NOT return RRSIG records when asked for the DNSKEY records with DO=1. See below.
>
> You need to address these issues.
>
> Mark
>
> % dig fakessh.eu.dlv.isc.org dlv
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21760
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;fakessh.eu.dlv.isc.org. IN DLV
>
> ;; AUTHORITY SECTION:
> dlv.isc.org. 2793 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011032404 7200 3600 2419200 3600
>
> ;; Query time: 3 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Mar 25 08:10:56 2011
> ;; MSG SIZE rcvd: 94
>
> % dig ds fakessh.eu
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> ds fakessh.eu
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20600
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;fakessh.eu. IN DS
>
> ;; AUTHORITY SECTION:
> eu. 600 IN SOA a.nic.eu. tech.eurid.eu. 1003425849 3600 1800 360 600
>
> ;; Query time: 930 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Mar 25 08:13:44 2011
> ;; MSG SIZE rcvd: 81
>
> % dig +dnssec dnskey fakessh.eu @ns0.xname.org
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec dnskey fakessh.eu @ns0.xname.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;fakessh.eu. IN DNSKEY
>
> ;; ANSWER SECTION:
> fakessh.eu. 38400 IN DNSKEY 256 3 5 AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89 Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
> fakessh.eu. 38400 IN DNSKEY 257 3 5 AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz 9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=
>
> ;; AUTHORITY SECTION:
> fakessh.eu. 38400 IN NS r13151.ovh.net.
> fakessh.eu. 38400 IN NS ns0.xname.org.
> fakessh.eu. 38400 IN NS ns1.xname.org.
> fakessh.eu. 38400 IN NS ns1.novacrea.fr.
> fakessh.eu. 38400 IN NS ns2.xname.org.
>
> ;; ADDITIONAL SECTION:
> ns0.xname.org. 600 IN A 195.234.42.1
> ns1.xname.org. 600 IN A 87.98.164.164
> ns1.novacrea.fr. 55352 IN A 94.23.59.30
> ns2.xname.org. 600 IN A 88.191.64.64
> ns2.xname.org. 600 IN 2a01:e0b:1:64:240:63ff:fee8:6155
>
> ;; Query time: 391 msec
> ;; SERVER: 195.234.42.1#53(195.234.42.1)
> ;; WHEN: Fri Mar 25 08:19:34 2011
> ;; MSG SIZE rcvd: 515
>
> %
>
> > despite my efforts to validate isc dlv. I'm always at the same point I can not validate the keys.
> >
> > error below the script isc
> >
> > SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
> > 3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
> > 3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
> > 3.345:INFO Total answers: 3
> > 3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
> > 3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
> > 3.347:SUCCESS All DNSKEY responses are identical.
> > 3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1 AwEAAbjq...Na0iXShQfc=
> > 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> > 3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1 AwEAAcNa...y1khCE+CdE=
> > 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> > 3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
> > 3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
> > 3.353:DEBUG VERIFY-DNSKEY: Using keys:
> > 3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
> > 3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
> > 3.353:FAILURE DNSKEY signature did not validate.
> > 3.353:FINAL_FAILURE FAILURE
> >
> > -- 
> > gpg --keyserver pgp.mit.edu --recv-key 092164A7
> > http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: problem for validate the script dnssec to isc dlv
In message 1301004136.12273.106.camel@localhost.localdomain, fakessh @ writes:
> On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
> > In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:
> > > hi bind //guru/
> > > hi isc guru
> > > hi mark andrews
> > > hi michel graff
> >
> > There are no DLV records for fakessh.eu. See below.
> > There are no DS records for fakessh.eu. See below.
>
> necessarily because I can not validate the key through via isc dlv

One of these is necessary. You have neither. Additionally the DS for fakessh.eu is the best long term solution as it will be used by more people.

Mark

> > Two of the nameservers for your zone are not DNSSEC enabled. They do NOT return RRSIG records when asked for the DNSKEY records with DO=1. See below.
> >
> > You need to address these issues.
> >
> > Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: problem for validate the script dnssec to isc dlv
> necessarily because I can not validate the key through via isc dlv

Your zone isn't fully DNSSEC-capable yet; fix that first, then you can submit a DLV record into dlv.isc.org.

ns0.xname.org and ns2.xname.org are giving bad answers; remove them from your NS RRset and things should start working better.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: problem for validate the script dnssec to isc dlv
everything worked just fine until I change the key rndc. ns in my side and only ns1.novacrea.fr ns1.xname.org are valid for dnssec

On Thursday 24 March 2011 at 23:02 +0100, fakessh @ wrote:
On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:

hi bind //guru/ hi isc guru hi mark andrews hi michel graff

There are no DLV records for fakessh.eu. See below.
There are no DS records for fakessh.eu. See below.

necessarily because I can not validate the key through via isc dlv

Two of the nameservers for your zone are not DNSSEC enabled. They do NOT return RRSIG records when asked for the DNSKEY records with DO=1. See below.

You need to address these issues.

Mark

% dig fakessh.eu.dlv.isc.org dlv
; DiG 9.6.0-APPLE-P2 fakessh.eu.dlv.isc.org dlv
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NXDOMAIN, id: 21760
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;fakessh.eu.dlv.isc.org. IN DLV
;; AUTHORITY SECTION:
dlv.isc.org. 2793 IN SOA ns-int.isc.org. hostmaster.isc.org. 2011032404 7200 3600 2419200 3600
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 25 08:10:56 2011
;; MSG SIZE rcvd: 94

% dig ds fakessh.eu
; DiG 9.6.0-APPLE-P2 ds fakessh.eu
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 20600
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;fakessh.eu. IN DS
;; AUTHORITY SECTION:
eu. 600 IN SOA a.nic.eu. tech.eurid.eu. 1003425849 3600 1800 360 600
;; Query time: 930 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 25 08:13:44 2011
;; MSG SIZE rcvd: 81

% dig +dnssec dnskey fakessh.eu @ns0.xname.org
; DiG 9.6.0-APPLE-P2 +dnssec dnskey fakessh.eu @ns0.xname.org
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 11804
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fakessh.eu. IN DNSKEY
;; ANSWER SECTION:
fakessh.eu. 38400 IN DNSKEY 256 3 5 AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89 Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
fakessh.eu. 38400 IN DNSKEY 257 3 5 AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz 9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=
;; AUTHORITY SECTION:
fakessh.eu. 38400 IN NS r13151.ovh.net.
fakessh.eu. 38400 IN NS ns0.xname.org.
fakessh.eu. 38400 IN NS ns1.xname.org.
fakessh.eu. 38400 IN NS ns1.novacrea.fr.
fakessh.eu. 38400 IN NS ns2.xname.org.
;; ADDITIONAL SECTION:
ns0.xname.org. 600 IN A 195.234.42.1
ns1.xname.org. 600 IN A 87.98.164.164
ns1.novacrea.fr. 55352 IN A 94.23.59.30
ns2.xname.org. 600 IN A 88.191.64.64
ns2.xname.org. 600 IN 2a01:e0b:1:64:240:63ff:fee8:6155
;; Query time: 391 msec
;; SERVER: 195.234.42.1#53(195.234.42.1)
;; WHEN: Fri Mar 25 08:19:34 2011
;; MSG SIZE rcvd: 515
%

despite my efforts to validate isc dlv. I'm always at the same point I can not validate the keys. error below the script isc

SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
3.345:INFO Total answers: 3
3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
3.347:SUCCESS All DNSKEY responses are identical.
3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1 AwEAAbjq...Na0iXShQfc=
3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1 AwEAAcNa...y1khCE+CdE=
3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
3.353:DEBUG VERIFY-DNSKEY: Using keys:
3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
3.353:FAILURE DNSKEY
Re: problem for validate the script dnssec to isc dlv
the DS it is necessary that I contact OVH. in the DLV concerns my problem I have this same recurring errors in the script of the isc that's my problem

On Friday 25 March 2011 at 09:24 +1100, Mark Andrews wrote:
In message 1301004136.12273.106.camel@localhost.localdomain, fakessh @ writes:
On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:

hi bind //guru/ hi isc guru hi mark andrews hi michel graff

There are no DLV records for fakessh.eu. See below.
There are no DS records for fakessh.eu. See below.

necessarily because I can not validate the key through via isc dlv

One of these is necessary. You have neither. Additionally the DS for fakessh.eu is the best long term solution as it will be used by more people.

Mark

Two of the nameservers for your zone are not DNSSEC enabled. They do NOT return RRSIG records when asked for the DNSKEY records with DO=1. See below.

You need to address these issues.

Mark

--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
Re: problem for validate the script dnssec to isc dlv
it is 6 months since I used no worries dlv
Re: problem for validate the script dnssec to isc dlv
Fakessh wrote:
the DS it is necessary that I contact OVH. in the DLV concerns my problem I have this same recurring errors in the script of the isc that's my problem

I'll admit, I've had some problems guessing what the problem you're experiencing really is, there's been mentions of TSIG keys, DNSSEC, scripts etc. Please bear with me, English isn't my normal language, so perhaps I've misunderstood something.

If I understand things correctly though, you're unable to get the DLV or DS records added, and the reason for that seems to be because your DNS setup doesn't pass a sanity check. Follow these steps, in this order, and correct these:

1) Two of your nameservers don't seem to do DNSSEC properly. I don't know which software they are running. If you want to use those nameservers for a DNSSEC signed domain, you'll need to get whoever manages those nameservers to make them DNSSEC capable. Depending on the software they're running, that might just be a configuration issue, or perhaps they'll need to upgrade to a more recent version of the software to get DNSSEC capabilities. The two nameservers that seem to need fixing are ns0.xname.org and ns2.xname.org.

2) When I check the delegation of the domain fakessh.eu, it's delegated to 4 nameservers. But when I check the NS records in your zone, it lists an additional 5th nameserver, ns2.xname.org. You should make sure the NS records in your zone match the delegation - perhaps just remove ns2.xname.org from your zonefile?

3) I'm not sure why, but if I do dig any fakessh.eu @ns2.xname.org I get a SERVFAIL back:

[eivind@vimes ~]$ dig any fakessh.eu @ns2.xname.org.
; DiG 9.6.-ESV-R3 any fakessh.eu @ns2.xname.org.
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 7693
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;fakessh.eu. IN ANY
;; Query time: 91 msec
;; SERVER: 2a01:e0b:1:64:240:63ff:fee8:6155#53(2a01:e0b:1:64:240:63ff:fee8:6155)
;; WHEN: Fri Mar 25 00:26:26 2011
;; MSG SIZE rcvd: 28

Doing plain queries for A, or SOA for example seem to work just fine though.. Am I doing something odd in this query, or is that nameserver really weird?

4) If you've sorted all the stuff above: now is the time to try to add the DS or DLV records. I'd not suggest you try this before the previous issues have been corrected.

Regards
Eivind Olsen
eiv...@aminor.no
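The two checks raised in this thread (every listed nameserver must return an RRSIG with its DNSKEY answer when queried with DO=1, and the zone's NS RRset must match the delegation), as an added Python example that is not part of the original messages or of the ISC DLV check script. It works on saved `dig +dnssec dnskey` output; the function names, the sample replies and the key and signature data are constructed for illustration, and only the nameserver names come from the thread.

```python
import re

# One resource-record line of dig output: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_records(dig_text):
    """Return (owner, rrtype, rdata) per record; lines starting with ';' are dig comments."""
    records = []
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, _ttl, rrtype, rdata = m.groups()
            records.append((owner.lower().rstrip("."), rrtype.upper(), rdata))
    return records


def dnskey_is_signed(dig_text, zone):
    """True only if the reply has DNSKEYs for zone AND an RRSIG whose covered type is DNSKEY."""
    zone = zone.lower().rstrip(".")
    recs = [r for r in parse_records(dig_text) if r[0] == zone]
    has_key = any(t == "DNSKEY" for _, t, _ in recs)
    has_sig = any(t == "RRSIG" and rd.split()[0].upper() == "DNSKEY" for _, t, rd in recs)
    return has_key and has_sig


def _norm(names):
    return {n.lower().rstrip(".") for n in names}


def audit(zone, delegation_ns, apex_ns, dnskey_replies):
    """List what to fix before submitting a DS or DLV record.

    dnskey_replies maps nameserver name -> saved `dig +dnssec dnskey` text,
    or None when the server timed out or answered SERVFAIL.
    """
    parent, child = _norm(delegation_ns), _norm(apex_ns)
    replies = {k.lower().rstrip("."): v for k, v in dnskey_replies.items()}
    findings = []
    for ns in sorted(child - parent):
        findings.append(f"{ns}: in the zone's NS RRset but not in the delegation")
    for ns in sorted(parent - child):
        findings.append(f"{ns}: delegated by the parent but missing from the zone's NS RRset")
    for ns in sorted(parent | child):
        reply = replies.get(ns)
        if reply is None:
            findings.append(f"{ns}: no usable DNSKEY reply")
        elif not dnskey_is_signed(reply, zone):
            findings.append(f"{ns}: DNSKEY answer has no RRSIG DNSKEY")
    return findings


# Constructed sample reply: key and signature data are placeholders, not real keys.
SIGNED_REPLY = """\
;; ANSWER SECTION:
fakessh.eu. 38400 IN DNSKEY 256 3 5 AwEAAc...constructedZSK
fakessh.eu. 38400 IN DNSKEY 257 3 5 AwEAAc...constructedKSK
fakessh.eu. 38400 IN RRSIG DNSKEY 5 2 38400 20110424000000 20110325000000 12345 fakessh.eu. c2lnLi4u
"""
# Same keys, but no RRSIG even though the query set DO=1.
UNSIGNED_REPLY = "\n".join(SIGNED_REPLY.splitlines()[:3]) + "\n"


def run_sample():
    # NS names as listed in the thread; which server answers how is constructed.
    delegation = ["ns0.xname.org", "ns1.xname.org", "ns1.novacrea.fr", "r13151.ovh.net"]
    apex = delegation + ["ns2.xname.org"]
    replies = {
        "ns0.xname.org.": UNSIGNED_REPLY,
        "ns1.xname.org": SIGNED_REPLY,
        "ns1.novacrea.fr": SIGNED_REPLY,
        "r13151.ovh.net": SIGNED_REPLY,
        "ns2.xname.org": None,
    }
    return audit("fakessh.eu", delegation, apex, replies)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

An empty findings list is the state in which submitting the DS or DLV record makes sense.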
Re: problem for validate the script dnssec to isc dlv
In message 1301008426.12273.115.camel@localhost.localdomain, fakessh @ writes:
it is 6 months since I used no worries dlv

What keys do you have recorded with dlv.isc.org? Do they match what you currently have in the zone?

Click on ManageZones
Click on (details)
Under More click on (details)

Below is a check run for my personal zone with all the details. You will notice that only one of the DNSKEYs (which is what I submitted to the registry) is accepted. The other, a zone signing key, is filtered out.

Unfortunately I don't have a manager bit set on this account so I can't see your zone and hence can't see the keys you have submitted.

Mark

0.000:INFO Started: Thu Mar 24 20:36:08 + 2011
0.000:DEBUG RUN: Sending a recursive query for andrews.wattle.id.au NS
0.832:DEBUG RUN: Got response for recursive query andrews.wattle.id.au NS NOERROR
0.832:DEBUG RUN: Got referral
0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ns0.rfc1035.com.
0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS sfba.sns-pb.isc.org.
0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ns2.araneus.fi.
0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ord.sns-pb.isc.org.
0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ams.sns-pb.isc.org.
0.839:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ns0.rfc1035.com A
0.849:DEBUG RUN GET_ADDRESSES: Got response for recursive query ns0.rfc1035.com A NOERROR
0.849:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ns0.rfc1035.com
0.854:DEBUG RUN GET_ADDRESSES: Got response for recursive query ns0.rfc1035.com NOERROR
0.855:DEBUG RUN GET_ADDRESSES: Caching address for ns0.rfc1035.com = 93.186.33.42, 2001:4B10:100:7::53
0.857:DEBUG RUN: Enqueued query 1 to 93.186.33.42 for andrews.wattle.id.au DNSKEY
0.859:DEBUG RUN: Enqueued query 2 to 2001:4B10:100:7::53 for andrews.wattle.id.au DNSKEY
0.860:DEBUG RUN GET_ADDRESSES: Sending a recursive query for sfba.sns-pb.isc.org A
0.918:DEBUG RUN GET_ADDRESSES: Got response for recursive query sfba.sns-pb.isc.org A NOERROR
0.918:DEBUG RUN GET_ADDRESSES: Sending a recursive query for sfba.sns-pb.isc.org
1.093:DEBUG RUN GET_ADDRESSES: Got response for recursive query sfba.sns-pb.isc.org NOERROR
1.094:DEBUG RUN GET_ADDRESSES: Caching address for sfba.sns-pb.isc.org = 149.20.64.3, 2001:4F8:0:2::19
1.096:DEBUG RUN: Enqueued query 3 to 149.20.64.3 for andrews.wattle.id.au DNSKEY
1.099:DEBUG RUN: Enqueued query 4 to 2001:4F8:0:2::19 for andrews.wattle.id.au DNSKEY
1.099:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ns2.araneus.fi A
1.144:DEBUG RUN GET_ADDRESSES: Got response for recursive query ns2.araneus.fi A NOERROR
1.144:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ns2.araneus.fi
1.148:DEBUG RUN GET_ADDRESSES: Got response for recursive query ns2.araneus.fi NOERROR
1.148:DEBUG RUN GET_ADDRESSES: Caching address for ns2.araneus.fi = 83.246.72.252
1.150:DEBUG RUN: Enqueued query 5 to 83.246.72.252 for andrews.wattle.id.au DNSKEY
1.150:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ord.sns-pb.isc.org A
1.232:DEBUG RUN GET_ADDRESSES: Got response for recursive query ord.sns-pb.isc.org A NOERROR
1.233:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ord.sns-pb.isc.org
1.240:DEBUG RUN GET_ADDRESSES: Got response for recursive query ord.sns-pb.isc.org NOERROR
1.241:DEBUG RUN GET_ADDRESSES: Caching address for ord.sns-pb.isc.org = 199.6.0.30, 2001:500:71::30
1.243:DEBUG RUN: Enqueued query 6 to 199.6.0.30 for andrews.wattle.id.au DNSKEY
1.246:DEBUG RUN: Enqueued query 7 to 2001:500:71::30 for andrews.wattle.id.au DNSKEY
1.246:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ams.sns-pb.isc.org A
1.362:DEBUG RUN GET_ADDRESSES: Got response for recursive query ams.sns-pb.isc.org A NOERROR
1.363:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ams.sns-pb.isc.org
1.371:DEBUG RUN GET_ADDRESSES: Got response for recursive query ams.sns-pb.isc.org NOERROR
1.371:DEBUG RUN GET_ADDRESSES: Caching address for ams.sns-pb.isc.org = 199.6.1.30, 2001:500:60::30
1.374:DEBUG RUN: Enqueued query 8 to 199.6.1.30 for andrews.wattle.id.au DNSKEY
1.376:DEBUG RUN: Enqueued query 9 to 2001:500:60::30 for andrews.wattle.id.au DNSKEY
1.376:DEBUG RUN: Got activity for 2, from 2001:4B10:100:7::53
1.376:DEBUG RUN: Found answer from 2001:4B10:100:7::53
1.380:DEBUG RUN: Got activity for 1, from 93.186.33.42
1.381:DEBUG RUN: Found answer from 93.186.33.42
1.384:DEBUG RUN: Got activity for 3, from 149.20.64.3
1.384:DEBUG RUN: Found answer from 149.20.64.3
1.388:DEBUG RUN: Got activity for 4, from 2001:4F8:0:2::19
1.388:DEBUG RUN: Found answer from 2001:4F8:0:2::19
1.392:DEBUG RUN: Got activity for 6, from 199.6.0.30
1.392:DEBUG RUN: Found answer from 199.6.0.30
1.396:DEBUG RUN: Got activity for 7, from 2001:500:71::30
1.397:DEBUG RUN: Found answer from 2001:500:71::30
1.400:DEBUG RUN: Got activity for 5, from 83.246.72.252
1.400:DEBUG RUN: Found answer from 83.246.72.252
Re: problem for validate the script dnssec to isc dlv
I did click Click ManageZones Click on (details) Click under More (more) performance test the total result is http://pastebin.com/1bAYHj0d i mail hostmaster of ns1.novacrea.fr is a friend
Re: problem for validate the script dnssec to isc dlv
http://secspider.cs.ucla.edu/fakessh-eu--dnskey.txt this page indicate a DSA algorithm it's my old algorithm new is RSA
Re: problem for validate the script dnssec to isc dlv
On Friday 25 March 2011 at 09:24 +1100, Mark Andrews wrote:
In message 1301004136.12273.106.camel@localhost.localdomain, fakessh @ writes:
On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:

hi bind //guru/ hi isc guru hi mark andrews hi michel graff

There are no DLV records for fakessh.eu. See below.
There are no DS records for fakessh.eu. See below.

necessarily because I can not validate the key through via isc dlv

One of these is necessary. You have neither. Additionally the DS for fakessh.eu is the best long term solution as it will be used by more people.

Mark

additionally my registrar OVH has not yet DNSSEC deployment and I do not know if I can deposit my DS already me if I insist

Two of the nameservers for your zone are not DNSSEC enabled. They do NOT return RRSIG records when asked for the DNSKEY records with DO=1. See below.

You need to address these issues.

Mark

--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7