Problem with DNSSEC signing zone
Hi all Bind users, I just have a problem with my zone signing output. I made all the steps to obtain a good result:

1. Generated KSK and ZSK
2. Add both of keys at the end of my zone file
3. Signing my zone with dnssec-signzone command
4. Enable dnssec in named options
5. Change the name of my zone in the named by namezone.signed
6. I got the root DNSKEY RR set before with dig command and redirect the output in root-dnskey file
7. I turned the DNSKEY into DS RR set also, with dnssec-dsfromkey command.

All these steps have been done well but, when I made a dig for testing the result, I can't see my answer section with RRSIG or ad flag. Someone know what I can do to solve this problem please?

My zone name is willzik.co.uk and when I tested my Bind with a signed domain like ripe.net, the result is good:

    dig +dnssec ripe.net gave me a good answer
    dig +dnssec willzik.co.uk return a solution without RRSIG records or ad flag

Thanks for your help

-- 
Cordialement.
Thierry SAMEN.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Hi;
Hi, Bind'ers, I'm trying to have a TTL of a zone just by typing a command, but I can't see which command line I can use to have the solution. Can someone have an idea? Is it possible to find that?

PS: The zone file is not created by me.

For example, I made a dig +dnssec www.google.fr and I want to know what is the TTL of www.google.com, not the period of query.

Thx

-- 
Cordialement.
Thierry SAMEN.
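The two posts above read the same thing off dig's output: whether the answer section carries RRSIG records and the ad flag (first post), and what the TTL of an answer record is, as opposed to the query time dig prints at the bottom (second post). The script below is an added example, not code from either post, from ISC or from the list. It parses the text that `dig +dnssec` prints; the two dig outputs embedded in it are constructed samples (the addresses and RRSIG data are made up, only the zone names follow the first post), and `diagnose()` distinguishes a validated answer from one that was signed but not validated and from one that came back with no signatures at all.

```python
"""Read `dig +dnssec` output: is the answer signed, was it validated,
and what is the record TTL?  Added example; the two dig outputs below
are constructed samples, not captured responses."""
import re

# A record line in a dig section: "<owner>  <ttl>  IN  <type>  <rdata>"
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# Constructed: what a validating resolver returns for a signed zone.
VALIDATED_OUTPUT = """\
; <<>> DiG 9.8.1-P1 <<>> +dnssec ripe.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ripe.net.\t\t\tIN\tA

;; ANSWER SECTION:
ripe.net.\t\t21600\tIN\tA\t192.0.2.10
ripe.net.\t\t21600\tIN\tRRSIG\tA 5 2 21600 20120301000000 20120201000000 12345 ripe.net. c29tZXNpZ25hdHVyZQ==

;; Query time: 12 msec
"""

# Constructed: the symptom from the first post, no RRSIG and no ad flag.
UNSIGNED_OUTPUT = """\
; <<>> DiG 9.8.1-P1 <<>> +dnssec willzik.co.uk
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;willzik.co.uk.\t\t\tIN\tA

;; ANSWER SECTION:
willzik.co.uk.\t\t3600\tIN\tA\t192.0.2.20

;; Query time: 30 msec
"""


def parse_dig(text):
    """Return (header_flags, edns_flags, answers); answers are
    (owner, ttl, type, rdata) tuples from the ANSWER section only."""
    header_flags, edns_flags, answers = set(), set(), []
    in_answer = False
    for line in text.splitlines():
        m = re.match(r";; flags:([^;]*);", line)
        if m:                       # ";; flags: qr rd ra ad; QUERY: 1, ..."
            header_flags = set(m.group(1).split())
            continue
        m = re.match(r"; EDNS:.*flags:([^;]*);", line)
        if m:                       # "do" here means the query asked for DNSSEC data
            edns_flags = set(m.group(1).split())
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            in_answer = line == ";; ANSWER SECTION:"
            continue
        if not line.strip():        # a blank line closes the current section
            in_answer = False
            continue
        m = RR_LINE.match(line)
        if in_answer and m:
            owner, ttl, rtype, rdata = m.groups()
            answers.append((owner, int(ttl), rtype, rdata))
    return header_flags, edns_flags, answers


def diagnose(text):
    """Classify the response the way a zone operator reads it."""
    header_flags, edns_flags, answers = parse_dig(text)
    has_rrsig = any(rtype == "RRSIG" for _, _, rtype, _ in answers)
    if "do" not in edns_flags:
        return "no-do-bit"              # sent without +dnssec; nothing to judge
    if has_rrsig and "ad" in header_flags:
        return "validated"              # signatures returned and checked by the resolver
    if has_rrsig:
        return "signed-not-validated"   # resolver not validating, or no trust anchor
    return "no-rrsig"                   # zone served unsigned, or resolver drops DNSSEC records


def answer_ttls(text):
    """Map (owner, type) -> TTL of each ANSWER record.  This is the record's
    TTL, not the ';; Query time' line dig prints at the bottom."""
    _, _, answers = parse_dig(text)
    return {(owner, rtype): ttl for owner, ttl, rtype, _ in answers}


if __name__ == "__main__":
    for sample in (VALIDATED_OUTPUT, UNSIGNED_OUTPUT):
        print(diagnose(sample), answer_ttls(sample))
```

Feed it a real capture with `diagnose(open("dig.out").read())`. A "no-rrsig" result with the DO bit set is the first post's symptom and means the signed records never reached dig: either the server is still loading the unsigned file, or the resolver in between does not pass DNSSEC records through; "signed-not-validated" means the data arrived but the resolver did not (or could not) validate it.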
generate a set of request DNSsec
Hi, I'm trying to implement DNSsec on my DNS zones and make a test performance to evaluate the charge of DNSsec on my servers. I'm faced with a big problem: How can I generate a log file for my test? It's a big problem for me. I'm working on Bind 9.8.1-P1 and I'm using dnsperf to inject requests on my servers. Did you have an idea? Thank you for your help.

-- 
Cordialement.
Thierry SAMEN.
Re: How to validate DNSSEC signed record with dig?
Thank you very much for your help, I'm going to try it right now.

2012/2/8 Spain, Dr. Jeffry A.

> William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;'
> rather than explicitly signing the zone with dnssec-signzone. I believe I
> recall that you are using bind 9.8, so this should work for you as well.
> Here's something you can try:
>
> In your bind configuration use the following zone stanza:
>
> zone "toto.com" {
>     type master;
>     file "/var/lib/bind/toto.com/toto.com.db";
>     key-directory "/var/lib/bind/toto.com";
>     auto-dnssec maintain;
> };
>
> You will probably want to add some access control to this as well.
>
> Now in the directory /var/lib/bind/toto.com (or the directory of your
> choice as long as it is specified in the configuration above), place all of
> your *.key and *.private files. Also place your unsigned zone file
> toto.com.db with contents as follows (Omit the DNSSEC info you currently
> have at the bottom):
>
> $ORIGIN .
> $TTL 17200 ; 4 hours 46 minutes 40 seconds
> toto.com. IN SOA ns10.boom.fr. postmaster.boom.com. (
>     2012020802 ; serial
>     216000     ; refresh (2 days 12 hours)
>     3600       ; retry (1 hour)
>     360        ; expire (5 weeks 6 days 16 hours)
>     172800     ; minimum (2 days)
>     )
>     NS ns.boom.fr.
>     NS ns2.boom.fr.
>     A 217.128.32.85
> $ORIGIN toto.com.
> * A 217.128.32.85
>
> If you are running bind under a UID other than root, make sure all the
> files are readable, and that the zone file is writable, by that UID.
> Restart the bind service, and bind will sign your zone using the keys you
> have provided as long as their metadata is timed appropriately, i.e.
> Publish and Activate dates are in the past, and Inactive and Delete dates
> in the future. To see the metadata, execute 'dnssec-settime -p all
> your_key_file_name.private'. If you need to change the timing metadata, use
> dnssec-settime again. See the ARM for details. Caution: dnssec-settime will
> 'chmod 600' your private key files.
>
> I have been successful with this approach, and hope it works well for you
> also. Jeff.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

-- 
Cordialement.
Thierry SAMEN.
Re: How to validate DNSSEC signed record with dig?
Absolutely Tony, that was a key file which has been generated by dnssec-keygen command. My zone file is so simple and it looks like that; I have checked it before with named-checkzone and all is good in my zone file.

I changed option -o by the option -o only and now I had this error:

dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not at top of zone
dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at top of zone

At the line 12 of my zone file I haven't seen any mistake. Here is my zone file:

$ORIGIN .
$TTL 17200 ; 4 hours 46 minutes 40 seconds
toto.com. IN SOA ns10.boom.fr. postmaster.boom.com. (
    2012020802 ; serial
    216000     ; refresh (2 days 12 hours)
    3600       ; retry (1 hour)
    360        ; expire (5 weeks 6 days 16 hours)
    172800     ; minimum (2 days)
    )
    NS ns.boom.fr.
    NS ns2.boom.fr.
    A 217.128.32.85
$ORIGIN toto.com.
* A 217.128.32.85
;DNSsec keys starts here
$include /exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+12762.key
$include /exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+60826.key

Thanks

2012/2/8 Tony Finch

> William Thierry SAMEN wrote:
> >
> > My file zone:
>
> Er this looks like a key file, not a zone file. The key has been generated
> incorrectly: it has a file name where the zone name should be.
>
> > ; This is a zone-signing key, keyid 12762, for ../etc/toto.com.
> > ; Created: 20120207101131 (Tue Feb 7 11:11:31 2012)
> > ; Publish: 20120207101131 (Tue Feb 7 11:11:31 2012)
> > ; Activate: 20120207101131 (Tue Feb 7 11:11:31 2012)
> > ../etc/toto.com. IN DNSKEY 256 3 5 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Viking, North Utsire: Southerly 5 to 7, occasionally gale 8 in Viking. Rough,
> becoming very rough in Viking. Rain later. Good, becoming moderate later.

-- 
Cordialement.
Thierry SAMEN.
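Jeffry's reply (two messages up) and Tony's reply (just above) both point at the DNSKEY key file that dnssec-keygen wrote. Tony's point is that its owner name, and the %2F-encoded file name, carry a path where the zone name should be, which is what dnssec-signzone rejects with "key ... not at origin"; Jeffry's point is that auto-dnssec maintain only signs with a key whose Publish and Activate times are in the past and whose Inactive and Delete times, if set, are in the future. The script below is an added example, not code from the thread or from BIND, that checks both before a key is used. The two key files in it are constructed: the bad one reuses the owner name, file name and dates quoted in the thread but a dummy public key ("AAAA", three zero bytes), so its computed key tag is not the thread's 12762; the good one is made up entirely.

```python
"""Check a BIND DNSKEY key file before dnssec-signzone / auto-dnssec uses it.
Added example; the two key files below are constructed, not from the thread."""
import base64
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# dnssec-keygen names files K<name>+<alg>+<keyid>.key; a '/' in <name> is %2F-encoded
FILENAME_RE = re.compile(r"^K(.+)\+(\d{3})\+(\d{5})\.(?:key|private)$")
TIME_FMT = "%Y%m%d%H%M%S"

BAD_KEY = """\
; This is a zone-signing key, keyid 12762, for ../etc/toto.com.
; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
../etc/toto.com. IN DNSKEY 256 3 5 AAAA
"""
BAD_FILENAME = "K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+12762.key"

GOOD_KEY = """\
; This is a key-signing key, keyid 1030, for toto.com.
; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
toto.com. IN DNSKEY 257 3 5 AAAA
"""
GOOD_FILENAME = "Ktoto.com.+005+01030.key"


def parse_key_file(text):
    """Return owner, flags/protocol/algorithm, public key bytes, role (KSK/ZSK)
    and the timing metadata comments (what dnssec-settime -p all prints)."""
    info = {"meta": {}}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r";\s*(Created|Publish|Activate|Inactive|Delete):\s*(\d{14})", line)
        if m:
            info["meta"][m.group(1)] = datetime.strptime(m.group(2), TIME_FMT)
        elif line and not line.startswith(";"):
            # "<owner> [TTL] IN DNSKEY <flags> <protocol> <algorithm> <base64...>"
            fields = line.split()
            i = fields.index("DNSKEY")
            info["owner"] = fields[0]
            info["flags"], info["protocol"], info["algorithm"] = map(int, fields[i + 1:i + 4])
            info["pubkey"] = base64.b64decode("".join(fields[i + 4:]))
            info["role"] = "KSK" if info["flags"] & 1 else "ZSK"   # SEP bit: 257 = KSK, 256 = ZSK
    return info


def key_tag(info):
    """RFC 4034 appendix B key tag, the 'keyid' in the file name.  Not valid
    for algorithm 1 (RSA/MD5), which uses a different rule."""
    rdata = (info["flags"].to_bytes(2, "big")
             + bytes([info["protocol"], info["algorithm"]]) + info["pubkey"])
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_key(text, zone, filename=None, now=None):
    """Return a list of (code, detail) problems; an empty list means the key can
    sign `zone` at `now` (UTC datetime or YYYYMMDDHHMMSS string; default: now)."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    elif isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    info = parse_key_file(text)
    zone = zone.lower().rstrip(".") + "."
    problems = []
    if info["owner"].lower().rstrip(".") + "." != zone:
        problems.append(("owner-not-origin", f"DNSKEY owner {info['owner']} is not the zone "
                         f"origin {zone}; dnssec-keygen was given a path, not the zone name"))
    for event in ("Publish", "Activate"):
        if event in info["meta"] and info["meta"][event] > now:
            problems.append((event.lower() + "-future", f"{event} is in the future; key not yet usable"))
    for event in ("Inactive", "Delete"):
        if event in info["meta"] and info["meta"][event] <= now:
            problems.append((event.lower() + "-passed", f"{event} time has passed; key retired"))
    if filename:
        m = FILENAME_RE.match(filename)
        if not m:
            problems.append(("filename-format", f"{filename} is not K<name>+<alg>+<keyid>.key"))
        else:
            name = unquote(m.group(1))      # undo the %2F encoding of a path used as a name
            if name.lower() != zone:
                problems.append(("filename-name", f"file name carries {name!r}, not {zone}"))
            if (int(m.group(2)), int(m.group(3))) != (info["algorithm"], key_tag(info)):
                problems.append(("filename-keyid", "algorithm/keyid in file name do not match the record"))
    return problems


if __name__ == "__main__":
    for key, name in ((BAD_KEY, BAD_FILENAME), (GOOD_KEY, GOOD_FILENAME)):
        print(name, check_key(key, "toto.com", name, now="20120208000000") or "OK")
```

On the bad key the checker reports the owner mismatch and, after decoding the %2F-escaped file name, shows the name dnssec-keygen was actually given ("/exec/applis/thierry/dns/etc/toto.com."), which is the fix Tony describes: regenerate the keys with the zone name `toto.com` as the name argument, so that `$include` pulls in a DNSKEY owned by the origin. The timing checks are the ones Jeffry lists for auto-dnssec maintain; run `check_key` with a `now` of your choice to see when a key with Inactive/Delete metadata will stop being used.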
Re: How to validate DNSSEC signed record with dig?
Hi, thanks for the quick answer, but my problem is still not resolved. I checked all your solutions but nothing. I'll show you my zone file which I wanted to sign and the command I used.

My zone file:

; This is a zone-signing key, keyid 12762, for ../etc/toto.com.
; Created: 20120207101131 (Tue Feb 7 11:11:31 2012)
; Publish: 20120207101131 (Tue Feb 7 11:11:31 2012)
; Activate: 20120207101131 (Tue Feb 7 11:11:31 2012)
../etc/toto.com. IN DNSKEY 256 3 5 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

Command line that I used to sign this zone:

./dnssec-signzone -p -t -g -k KSK.key -o toto.com ../etc/toto.com ZSK.key

Have you seen some mistake? Thanks for your help.

2012/2/7 Spain, Dr. Jeffry A.

> > dnssec-signzone: fatal: key myKSK.key not at origin
>
> What are the contents of myKSK.key?
> The format is "mydomain.com. IN DNSKEY ..." where mydomain.com is the
> domain origin.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

-- 
Cordialement.
Thierry SAMEN.
Re: How to validate DNSSEC signed record with dig?
Hi everybody, sorry for my post, I'm not read to bring a light to the 1st problem but to find help. I'm trying to sign a zone on Bind 9.8-P1 but I have this message:

dnssec-signzone: fatal: key myKSK.key not at origin

I just want help; if someone has been confronted with this kind of message I'll be so happy to have a few ideas to debug my problem. Thx.

2012/2/6 Tony Finch

> Spain, Dr. Jeffry A. wrote:
> >
> > Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com)
> > doesn't appear to offer DNSSEC validation, and 78.46.213.227
> > (rms.coozila.com) doesn't respond to my query at all.
>
> It's worse than that. Google Public DNS doesn't support DNSSEC at all, so
> you cannot use it to query DNSSEC records. DNSSEC requires resolvers to
> handle RRSIG and DS records in special ways even if they are not
> validating the signatures.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> North Utsire, South Utsire: Cyclonic mainly southerly or southeasterly, 5 to
> 7, occasionally gale 8 in east at first. Rough. Rain or snow. Moderate or
> poor.

-- 
Cordialement.
Thierry SAMEN.