Re: Resign a zone

2011-11-10 Thread fakessh @
On Tuesday 8 November 2011 10:34, rams wrote:
 Hi ,
 I have signed zone  and already i have resigned two times. Now again i am
 resigning zone but after resign zone , RRSIG values are not changed. the
 same old values displaying. Any wrong in me. Could you please guide me how
 to change RRSIG values.


webmin module provide correct support to resignzone

thanks also to automatic resign

-- 
 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7

 http://urlshort.eu fakessh @


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC signing issues

2011-04-22 Thread fakessh
On Friday 22 April 2011 04:20, Security Admin (NetSec) wrote:
 I am running BIND 9.4.2-P2 on OpenBSD v4.8

 I have created the ZSK and KSK and added the keys to my zonefile
 mydomain.hosts  using the cat command to append to the end of the host
 file.

 When attempting to use the following command dnssec-signzone -N INCREMENT
 mydomain.hosts I get the following error:

 dnssec-signzone: error: dns_master_load: mydomain.hosts:15: mydomain.com:
 not at top of zone dnssec-signzone: failed loading zone from '
 mydomain.hosts': not at top of zone

 I own this domain and the DNS servers associated with them.  Line 15
 referenced in the above error is an MX record within the host file. I am
 unsure how to debug this error.  Any help would be appreciated.

we sign areas as explained in the page of the isc we take 1 of 2 record DNSKEY 
we publish in the isc after you retrieve the record is dlv TXT resigns areas 
and wait for the secondaries restet


-- 
 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7



Re: bind and DLZ support

2011-04-08 Thread fakessh @
the implementation of resolution dnssec for the bind dns dry this
natively in the distribution centos 5.5 is feasible

try a simple config 
On Friday 08 April 2011 at 18:38 +0200, fddi wrote:
 Hello,
 I was trying to add DLZ support to bind on CentOS 5.5 so it's 
 bind-9.3.6-4.P1.el5_5
 
 I found out that the CentOS rpm does not have DLZ support built in and 
 trying to patch bind manually
 the patch looks like to be for 9.2.2 version so it does not work on 9.3.6
 
 anyone has a solution on how to add DLZ support to stock CentOS bind, or 
 to add DLZ patch support
 to any recent bind version ?
 
 thank you
 
 Rick
 
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



mix dns with ou without dnssec

2011-04-05 Thread fakessh @
hello bind guru

I realized that you could mix dns secondary with or without  dnssec is
possible

the script of the isc answers simply a warning to be validated
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: problem for validate the script dnssec to isc dlv

2011-03-28 Thread fakessh @
it is, I'm coming I do not understand the need to recreate and validate
the file keyset-en ... I then recreate a good record with the key in
this file and my past signatures are good. I did not understand
correctly the operation of dlv


keyset files and I recreated downgrade bind to the stable version 9.3 of
CentOS 5.5 and using webmin. can you give me the command to use to
create files Keyset

I did not find any documentation regarding the creation of this type of
file 
I will update my blog more precisely with the new guidelines


thanks for your good support
thanks mark andrews
thanks Torinthiel
thanks eivind olsen
thanks evan hunt
thanks dan mahoney
thanks michel graff


On Monday 28 March 2011 at 10:04 +0200, Eivind Olsen wrote:
  dns appear as my syncro.
  yet I'm still at the same point
  missing keys
 
 Your delegation for the domain fakessh.eu doesn't seem to be 100% correct
 yet though.
 
 If I ask the nameservers for .eu (like p.nic.eu) it tells me your domain
 belongs to 4 nameservers:
 
 ns0.xname.org
 ns1.xname.org
 ns1.novacrea.fr
 r13151.ovh.net
 
 If I ask the first one on that list, ns0.xname.org, it tells me you only
 have 3 nameservers:
 
 ns1.xname.org
 ns1.novacrea.fra
 r13151.ovh.net
 
 If I try to get a reply from ns1.xname.org it just goes into timeout here:
 
 [eivind@vimes ~]$ dig +dnssec ns fakessh.eu @ns1.xname.org
 
 ; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @ns1.xname.org
 ;; global options: +cmd
 ;; connection timed out; no servers could be reached
 [eivind@vimes ~]$
 
 If I try to get a reply from r13151.ovh.net I just get a servfail:
 
 [eivind@vimes ~]$ dig +dnssec ns fakessh.eu @r13151.ovh.net
 
 ; <<>> DiG 9.6.-ESV-R3 <<>> +dnssec ns fakessh.eu @r13151.ovh.net
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53023
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
 ;; WARNING: recursion requested but not available
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags: do; udp: 4096
 ;; QUESTION SECTION:
 ;fakessh.eu.IN  NS
 
 ;; Query time: 55 msec
 ;; SERVER: 87.98.186.232#53(87.98.186.232)
 ;; WHEN: Mon Mar 28 10:02:33 2011
 ;; MSG SIZE  rcvd: 39
 
 Regards
 Eivind Olsen
 eiv...@aminor.no
 
 
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: problem for validate the script dnssec to isc dlv

2011-03-27 Thread fakessh @
i use the key
BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE
1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+
jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73
Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucM
TwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7
mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3x
iRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh

and the other key include in the tarball of bind

On Sunday 27 March 2011 at 14:59 +1100, Mark Andrews wrote:
 Mark Andrews writes:
  
  In message 1301008426.12273.115.camel@localhost.localdomain, fakessh @ writes:
   it is 6 months since I used no worries dlv
  
  What keys do you have recorded with dlv.isc.org?
  Do they match what you currently have in the zone?
 
 You did not answer these questions.  Please answer these questions.
 
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: problem for validate the script dnssec to isc dlv

2011-03-27 Thread fakessh @
in insurance I googled
no result

how to do this ...

nb : i readjust my blog immediately
On Monday 28 March 2011 at 03:43 +1100, Mark Andrews wrote:
 In message 1301241108.12273.192.camel@localhost.localdomain, fakessh @ writes:
  i use the key
  BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE
  1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+
  jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73
  Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucM
  TwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7
  mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3x
  iRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh
  
  and the other key include in the tarball of bind
 
 Submit the SEP key for fakessh.eu.
 
 fakessh.eu.   38356   IN  DNSKEY  257 3 5 
 AwEAAaXxSyYC5WHJdozSpEX5foltzSpNYJZb78zJldfgHF8zseINQNQj 
 xQp9SdxsM81n6xw68zuJtd0I2grxexvQ0N4SdwM70tifbZD0VTBr8vgr 
 rMOwfP2tCTzI/3VqHpFl+JZEcbcJqX4HcYh+fH9s+ZwHgybJ9FeSzYmu CakqAfHn
 
 
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: problem for validate the script dnssec to isc dlv

2011-03-27 Thread fakessh @
That would be the key with id 47103 in your case. The one that has SEP
flag, the one that only signs DNSKEY records and not others.
Regards,
 Torinthiel
http://www.mail-archive.com/bind-users@lists.isc.org/msg09107.html

This is your word

i reread the thread to February
http://www.mail-archive.com/bind-users@lists.isc.org/msg09084.html

Mark Andrews quote 
Because there are already DLV records for the key in the DLV.

;; ANSWER SECTION:
fakessh.eu.dlv.isc.org. 3529IN  DLV 47103 3 2 
68096942650C1DD89D5BE43A9EEA05BA9C20F09EDC55309F4F1CD348 4D8ED07B
fakessh.eu.dlv.isc.org. 3529IN  DLV 47103 3 1 
CFEA04C5B918359273D6BAC07AE7F2DF5225E357


here i am 
r13151 ~]# dig fakessh.eu.dlv.isc.org @8.8.8.8

; <<>> DiG 9.7.3-RedHat-9.7.3-1.el5 <<>> fakessh.eu.dlv.isc.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21853
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fakessh.eu.dlv.isc.org.IN  A

;; AUTHORITY SECTION:
dlv.isc.org.1695IN  SOA ns-int.isc.org. 
hostmaster.isc.org. 2011032703 7200 3600 2419200 3600

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Mar 27 20:34:49 2011
;; MSG SIZE  rcvd: 94

[root@r13151 ~]# 
r13151 ~]# dig fakessh.eu.dlv.isc.org 

; <<>> DiG 9.7.3-RedHat-9.7.3-1.el5 <<>> fakessh.eu.dlv.isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19904
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fakessh.eu.dlv.isc.org.IN  A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 27 20:35:15 2011
;; MSG SIZE  rcvd: 40

it seems there is no deposit in dlv isc but I can not validate my own

I have the answer about the DS field. ovh do not want to do and they say RTFM 
and sort it out yourselves

and i requote
how to do this ... the SEP record



On Sunday 27 March 2011 at 20:08 +0200, Torinthiel wrote:
 On 03/27/11 19:09, fakessh @ wrote:
  in insurance I googled
  no result
  
  how to do this ...
 
 The procedure is everywhere around the ISC site.
 See eg.
 
 http://www.isc.org/solutions/dlv
 
 https://dlv.isc.org/about/using
 
 my mail on 3rd jan, 21:00 in reply to yours (thread inconsistency dnssec
 debuguers response and writingconseil for new areas zone)
 
 Torinthiel
 
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: problem for validate the script dnssec to isc dlv

2011-03-27 Thread fakessh @
I removed the dns that does not support dnssec

Now it is necessary to wait a day or two

On Sunday 27 March 2011 at 20:58 +0200, Torinthiel wrote:
 On 03/27/11 20:45, fakessh @ wrote:
  That would be the key with id 47103 in your case. The one that has SEP
  flag, the one that only signs DNSKEY records and not others.
  Regards,
   Torinthiel
  http://www.mail-archive.com/bind-users@lists.isc.org/msg09107.html
 
  This is your word
 
  i reread the thread to February
  http://www.mail-archive.com/bind-users@lists.isc.org/msg09084.html
 
  Mark Andrews quote 
  Because there are already DLV records for the key in the DLV.
 
  ;; ANSWER SECTION:
  fakessh.eu.dlv.isc.org. 3529IN  DLV 47103 3 2 
  68096942650C1DD89D5BE43A9EEA05BA9C20F09EDC55309F4F1CD348 4D8ED07B
  fakessh.eu.dlv.isc.org. 3529IN  DLV 47103 3 1 
  CFEA04C5B918359273D6BAC07AE7F2DF5225E357
 
 
  here i am 
 Ok. Now, reread the current thread. At least three people in this thread
 only have identified and pinpointed the problem. Two of your
 nameservers, ns0.xname.org and ns2.xname.org do not support DNSSec right
 now. Unless you do something about this, possibilities include fixing
 them or dropping them from your authoritative servers, there's nothing
 anyone can help you. Your zone is NOT DNSSec enabled, and ISC's DLV
 registry correctly refuses to list its keys. If you don't trust us,
 please go to http://dnsviz.net/d/fakessh.eu/dnssec/ or
 http://secspider.cs.ucla.edu/fakessh-eu--zone.html, probably your
 account in dlv.isc.org or any DNSSec debugger of your choice.
 I've really assumed that you've fixed issues that were pointed numerous
 times before asking for next steps.
 
 Torinthiel
 
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: problem for validate the script dnssec to isc dlv

2011-03-27 Thread fakessh @
dns appear as my syncro. 

yet I'm still at the same point
missing keys

On Monday 28 March 2011 at 00:45 +0200, fakessh @ wrote:
 I removed the dns that does not support dnssec
 
 Now it is necessary to wait a day or two
 
 On Sunday 27 March 2011 at 20:58 +0200, Torinthiel wrote:
  On 03/27/11 20:45, fakessh @ wrote:
   That would be the key with id 47103 in your case. The one that has SEP
   flag, the one that only signs DNSKEY records and not others.
   Regards,
Torinthiel
   http://www.mail-archive.com/bind-users@lists.isc.org/msg09107.html
  
   This is your word
  
   i reread the thread to February
   http://www.mail-archive.com/bind-users@lists.isc.org/msg09084.html
  
   Mark Andrews quote 
   Because there are already DLV records for the key in the DLV.
  
   ;; ANSWER SECTION:
   fakessh.eu.dlv.isc.org. 3529IN  DLV 47103 3 2 
   68096942650C1DD89D5BE43A9EEA05BA9C20F09EDC55309F4F1CD348 4D8ED07B
   fakessh.eu.dlv.isc.org. 3529IN  DLV 47103 3 1 
   CFEA04C5B918359273D6BAC07AE7F2DF5225E357
  
  
   here i am 
  Ok. Now, reread the current thread. At least three people in this thread
  only have identified and pinpointed the problem. Two of your
  nameservers, ns0.xname.org and ns2.xname.org do not support DNSSec right
  now. Unless you do something about this, possibilities include fixing
  them or dropping them from your authoritative servers, there's nothing
  anyone can help you. Your zone is NOT DNSSec enabled, and ISC's DLV
  registry correctly refuses to list its keys. If you don't trust us,
  please go to http://dnsviz.net/d/fakessh.eu/dnssec/ or
  http://secspider.cs.ucla.edu/fakessh-eu--zone.html, probably your
  account in dlv.isc.org or any DNSSec debugger of your choice.
  I've really assumed that you've fixed issues that were pointed numerous
  times before asking for next steps.
  
  Torinthiel
  
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



problem for validate the script dnssec to isc dlv

2011-03-24 Thread fakessh @
hi bind //guru/
hi isc guru
hi mark andrews
hi michel graff


despite my efforts to validate isc dlv. I'm always at the same point I
can not validate the keys. error below the script isc

SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
3.345:INFO Total answers: 3
3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
3.347:SUCCESS All DNSKEY responses are identical.
3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1
AwEAAbjq...Na0iXShQfc=
3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1
AwEAAcNa...y1khCE+CdE=
3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
3.353:DEBUG VERIFY-DNSKEY: Using keys:
3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
3.353:FAILURE DNSKEY signature did not validate.
3.353:FINAL_FAILURE FAILURE


-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: problem for validate the script dnssec to isc dlv

2011-03-24 Thread fakessh @

On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
 In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:
  hi bind //guru/
  hi isc guru
  hi mark andrews
  hi michel graff
  
 There are no DLV records for fakessh.eu.  See below.
 
 There are no DS records for fakessh.eu.  See below.
 



necessarily because I can not validate the key through via isc dlv






 Two of the nameservers for your zone are not DNSSEC enabled.   They
 do NOT return RRSIG records when asked for the DNSKEY records with
 DO=1.  See below.
 
 You need to address these issues.
 
 Mark
 
 % dig fakessh.eu.dlv.isc.org dlv
 
 ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21760
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;fakessh.eu.dlv.isc.org.  IN  DLV
 
 ;; AUTHORITY SECTION:
 dlv.isc.org.  2793IN  SOA ns-int.isc.org. 
 hostmaster.isc.org. 2011032404 7200 3600 2419200 3600
 
 ;; Query time: 3 msec
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ;; WHEN: Fri Mar 25 08:10:56 2011
 ;; MSG SIZE  rcvd: 94
 
 % dig ds fakessh.eu
 
 ; <<>> DiG 9.6.0-APPLE-P2 <<>> ds fakessh.eu
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20600
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;fakessh.eu.  IN  DS
 
 ;; AUTHORITY SECTION:
 eu.   600 IN  SOA a.nic.eu. tech.eurid.eu. 
 1003425849 3600 1800 360 600
 
 ;; Query time: 930 msec
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ;; WHEN: Fri Mar 25 08:13:44 2011
 ;; MSG SIZE  rcvd: 81
 
 % dig +dnssec dnskey fakessh.eu @ns0.xname.org
 
 ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec dnskey fakessh.eu @ns0.xname.org
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
 ;; WARNING: recursion requested but not available
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags: do; udp: 4096
 ;; QUESTION SECTION:
 ;fakessh.eu.  IN  DNSKEY
 
 ;; ANSWER SECTION:
 fakessh.eu.   38400   IN  DNSKEY  256 3 5 
 AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN 
 Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR 
 P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89 
 Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
 fakessh.eu.   38400   IN  DNSKEY  257 3 5 
 AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz 
 9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=
 
 ;; AUTHORITY SECTION:
 fakessh.eu.   38400   IN  NS  r13151.ovh.net.
 fakessh.eu.   38400   IN  NS  ns0.xname.org.
 fakessh.eu.   38400   IN  NS  ns1.xname.org.
 fakessh.eu.   38400   IN  NS  ns1.novacrea.fr.
 fakessh.eu.   38400   IN  NS  ns2.xname.org.
 
 ;; ADDITIONAL SECTION:
 ns0.xname.org.600 IN  A   195.234.42.1
 ns1.xname.org.600 IN  A   87.98.164.164
 ns1.novacrea.fr.  55352   IN  A   94.23.59.30
 ns2.xname.org.600 IN  A   88.191.64.64
 ns2.xname.org.600 IN  
 2a01:e0b:1:64:240:63ff:fee8:6155
 
 ;; Query time: 391 msec
 ;; SERVER: 195.234.42.1#53(195.234.42.1)
 ;; WHEN: Fri Mar 25 08:19:34 2011
 ;; MSG SIZE  rcvd: 515
 
 %
  
  despite my efforts to validate isc dlv. I'm always at the same point I
  can not validate the keys. error below the script isc
  
  SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
  3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
  3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
  3.345:INFO Total answers: 3
  3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
  3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
  3.347:SUCCESS All DNSKEY responses are identical.
  3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1
  AwEAAbjq...Na0iXShQfc=
  3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
  3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1
  AwEAAcNa...y1khCE+CdE=
  3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
  3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
  3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
  3.353:DEBUG VERIFY-DNSKEY: Using keys:
  3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
  3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
  3.353:FAILURE DNSKEY signature did not validate.
  3.353:FINAL_FAILURE FAILURE
  
  
  -- 
  gpg --keyserver pgp.mit.edu --recv-key 092164A7
  http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
  

Re: problem for validate the script dnssec to isc dlv

2011-03-24 Thread fakessh @
everything worked just fine until I change the key rdnc. ns in my side
and only ns1.novacrea.fr ns1.xname.org are valid for dnssec


On Thursday 24 March 2011 at 23:02 +0100, fakessh @ wrote:
 On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
  In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:
   hi bind //guru/
   hi isc guru
   hi mark andrews
   hi michel graff
   
  There are no DLV records for fakessh.eu.  See below.
  
  There are no DS records for fakessh.eu.  See below.
  
 
 
 
 necessarily because I can not validate the key through via isc dlv
 
 
 
 
 
 
  Two of the nameservers for your zone are not DNSSEC enabled.   They
  do NOT return RRSIG records when asked for the DNSKEY records with
  DO=1.  See below.
  
  You need to address these issues.
  
  Mark
  
  % dig fakessh.eu.dlv.isc.org dlv
  
  ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21760
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
  
  ;; QUESTION SECTION:
  ;fakessh.eu.dlv.isc.org.IN  DLV
  
  ;; AUTHORITY SECTION:
  dlv.isc.org.2793IN  SOA ns-int.isc.org. 
  hostmaster.isc.org. 2011032404 7200 3600 2419200 3600
  
  ;; Query time: 3 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Fri Mar 25 08:10:56 2011
  ;; MSG SIZE  rcvd: 94
  
  % dig ds fakessh.eu
  
  ; <<>> DiG 9.6.0-APPLE-P2 <<>> ds fakessh.eu
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20600
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
  
  ;; QUESTION SECTION:
  ;fakessh.eu.IN  DS
  
  ;; AUTHORITY SECTION:
  eu. 600 IN  SOA a.nic.eu. tech.eurid.eu. 
  1003425849 3600 1800 360 600
  
  ;; Query time: 930 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Fri Mar 25 08:13:44 2011
  ;; MSG SIZE  rcvd: 81
  
  % dig +dnssec dnskey fakessh.eu @ns0.xname.org
  
  ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec dnskey fakessh.eu @ns0.xname.org
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
  ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
  ;; WARNING: recursion requested but not available
  
  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags: do; udp: 4096
  ;; QUESTION SECTION:
  ;fakessh.eu.IN  DNSKEY
  
  ;; ANSWER SECTION:
  fakessh.eu. 38400   IN  DNSKEY  256 3 5 
  AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN 
  Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR 
  P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89 
  Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
  fakessh.eu. 38400   IN  DNSKEY  257 3 5 
  AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz 
  9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=
  
  ;; AUTHORITY SECTION:
  fakessh.eu. 38400   IN  NS  r13151.ovh.net.
  fakessh.eu. 38400   IN  NS  ns0.xname.org.
  fakessh.eu. 38400   IN  NS  ns1.xname.org.
  fakessh.eu. 38400   IN  NS  ns1.novacrea.fr.
  fakessh.eu. 38400   IN  NS  ns2.xname.org.
  
  ;; ADDITIONAL SECTION:
  ns0.xname.org.  600 IN  A   195.234.42.1
  ns1.xname.org.  600 IN  A   87.98.164.164
  ns1.novacrea.fr.55352   IN  A   94.23.59.30
  ns2.xname.org.  600 IN  A   88.191.64.64
  ns2.xname.org.  600 IN  
  2a01:e0b:1:64:240:63ff:fee8:6155
  
  ;; Query time: 391 msec
  ;; SERVER: 195.234.42.1#53(195.234.42.1)
  ;; WHEN: Fri Mar 25 08:19:34 2011
  ;; MSG SIZE  rcvd: 515
  
  %
   
   despite my efforts to validate isc dlv. I'm always at the same point I
   can not validate the keys. error below the script isc
   
   SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
   3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
   3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
   3.345:INFO Total answers: 3
   3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
   3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
   3.347:SUCCESS All DNSKEY responses are identical.
   3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1
   AwEAAbjq...Na0iXShQfc=
   3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
   3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1
   AwEAAcNa...y1khCE+CdE=
   3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
   3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
   3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
   3.353:DEBUG VERIFY-DNSKEY: Using keys:
   3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
   3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
   3.353:FAILURE DNSKEY

Re: problem for validate the script dnssec to isc dlv

2011-03-24 Thread fakessh @
the DS it is necessary that I contact OVH. 
in the DLV conserne my problem I have this same recurring errors in the
script of the isc

that's my problem

On Friday 25 March 2011 at 09:24 +1100, Mark Andrews wrote:
 In message 1301004136.12273.106.camel@localhost.localdomain, fakessh @ writes:
  On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
   In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:
hi bind //guru/
hi isc guru
hi mark andrews
hi michel graff

   There are no DLV records for fakessh.eu.  See below.
   
   There are no DS records for fakessh.eu.  See below.
   
  
  necessarily because I can not validate the key through via isc dlv
 
 One of these is necessary.  You have neither.  Additionally the DS for
 fakessh.eu is the best long term solution as it will be used by more
 people.
 
 Mark
  
   Two of the nameservers for your zone are not DNSSEC enabled.   They
   do NOT return RRSIG records when asked for the DNSKEY records with
   DO=1.  See below.
   
   You need to address these issues.
   
   Mark
   
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
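
The check Mark Andrews describes in the reply quoted above (a DNSSEC-enabled server returns RRSIG records with the DNSKEY answer when DO=1), as an added example that is not part of the original thread: it parses saved `dig +dnssec dnskey` output per nameserver and links each RRSIG key tag to a SEP (flags 257) key. Server names, keys and the signature are constructed, and signatures are only matched by key tag, not cryptographically verified.

```python
import base64
import re

# Constructed `dig +dnssec dnskey` outputs: names, keys and signature are made up.
NO_RRSIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.eu.            IN      DNSKEY

;; ANSWER SECTION:
example.eu.     38400   IN      DNSKEY  256 3 5 AwEAAczd
example.eu.     38400   IN      DNSKEY  257 3 5 AwEAAaq7
"""
SIGNED = NO_RRSIG + (
    "example.eu.     38400   IN      RRSIG   DNSKEY 5 2 38400 "
    "20110424000000 20110325000000 45507 example.eu. c2lnLWtzaw==\n"
)
SERVFAIL = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2\n"

SECTION_RE = re.compile(r"^;; (\w+) (?:PSEUDO)?SECTION:$")


def key_tag(flags, protocol, alg, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (valid for algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dig(text):
    """Extract rcode, DO flag, and DNSKEY/RRSIG records from the ANSWER section.

    dig prints each record on one line; rejoin records that a mail client
    wrapped before feeding them to this parser.
    """
    out = {"status": None, "do": False, "dnskeys": [], "rrsigs": []}
    section = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            out["status"] = m.group(1) if m else None
        elif line.startswith("; EDNS:"):
            m = re.search(r"flags:([^;]*);", line)
            out["do"] = bool(m) and "do" in m.group(1).split()
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif line and not line.startswith(";") and section == "ANSWER":
            fields = line.split()
            if len(fields) < 5:
                continue
            rtype, rdata = fields[3], fields[4:]
            if rtype == "DNSKEY" and len(rdata) >= 4:
                # (flags, protocol, algorithm, base64 key with wrap spaces removed)
                out["dnskeys"].append(
                    (int(rdata[0]), int(rdata[1]), int(rdata[2]), "".join(rdata[3:])))
            elif rtype == "RRSIG" and len(rdata) >= 9:
                out["rrsigs"].append({"covers": rdata[0], "key_tag": int(rdata[6])})
    return out


def audit(outputs):
    """Return {server: [findings]}; an empty list means the DNSKEY answer looks signed."""
    parsed = {server: parse_dig(text) for server, text in outputs.items()}
    keysets = {frozenset(p["dnskeys"]) for p in parsed.values() if p["dnskeys"]}
    report = {}
    for server, p in parsed.items():
        findings = []
        if p["status"] != "NOERROR":
            findings.append(f"rcode {p['status']}")
        elif not p["dnskeys"]:
            findings.append("no DNSKEY records in answer")
        else:
            flags_by_tag = {key_tag(*k): k[0] for k in p["dnskeys"]}
            sigs = [r for r in p["rrsigs"] if r["covers"] == "DNSKEY"]
            if not sigs:
                findings.append("no RRSIG over DNSKEY despite DO=1" if p["do"]
                                else "no RRSIG over DNSKEY (DO not set in reply)")
            elif not any(flags_by_tag.get(r["key_tag"], 0) & 1 for r in sigs):
                findings.append("DNSKEY RRset not signed by a SEP (flags 257) key")
            if len(keysets) > 1:
                findings.append("DNSKEY set differs between servers")
        report[server] = findings
    return report


if __name__ == "__main__":
    servers = {  # hypothetical nameserver names
        "ns-signed.example.net": SIGNED,
        "ns-unsigned.example.net": NO_RRSIG,
        "ns-broken.example.net": SERVFAIL,
    }
    for name, findings in audit(servers).items():
        print(name, "OK" if not findings else "; ".join(findings))
```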



Re: problem for validate the script dnssec to isc dlv

2011-03-24 Thread fakessh @
it is 6 months since I used no worries dlv


On Thursday 24 March 2011 at 23:21 +0100, fakessh @ wrote:
 everything worked just fine until I change the key rdnc. ns in my side
 and only ns1.novacrea.fr ns1.xname.org are valid for dnssec
 
 
 On Thursday 24 March 2011 at 23:02 +0100, fakessh @ wrote:
  On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
   In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:
hi bind //guru/
hi isc guru
hi mark andrews
hi michel graff

   There are no DLV records for fakessh.eu.  See below.
   
   There are no DS records for fakessh.eu.  See below.
   
  
  
  
  necessarily because I can not validate the key through via isc dlv
  
  
  
  
  
  
   Two of the nameservers for your zone are not DNSSEC enabled.   They
   do NOT return RRSIG records when asked for the DNSKEY records with
   DO=1.  See below.
   
   You need to address these issues.
   
   Mark
   
   % dig fakessh.eu.dlv.isc.org dlv
   
   ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21760
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
   
   ;; QUESTION SECTION:
   ;fakessh.eu.dlv.isc.org.  IN  DLV
   
   ;; AUTHORITY SECTION:
   dlv.isc.org.  2793IN  SOA ns-int.isc.org. 
   hostmaster.isc.org. 2011032404 7200 3600 2419200 3600
   
   ;; Query time: 3 msec
   ;; SERVER: 127.0.0.1#53(127.0.0.1)
   ;; WHEN: Fri Mar 25 08:10:56 2011
   ;; MSG SIZE  rcvd: 94
   
   % dig ds fakessh.eu
   
   ; <<>> DiG 9.6.0-APPLE-P2 <<>> ds fakessh.eu
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20600
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
   
   ;; QUESTION SECTION:
   ;fakessh.eu.  IN  DS
   
   ;; AUTHORITY SECTION:
   eu.   600 IN  SOA a.nic.eu. 
   tech.eurid.eu. 1003425849 3600 1800 360 600
   
   ;; Query time: 930 msec
   ;; SERVER: 127.0.0.1#53(127.0.0.1)
   ;; WHEN: Fri Mar 25 08:13:44 2011
   ;; MSG SIZE  rcvd: 81
   
   % dig +dnssec dnskey fakessh.eu @ns0.xname.org
   
   ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec dnskey fakessh.eu @ns0.xname.org
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
   ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
   ;; WARNING: recursion requested but not available
   
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096
   ;; QUESTION SECTION:
   ;fakessh.eu.  IN  DNSKEY
   
   ;; ANSWER SECTION:
   fakessh.eu.   38400   IN  DNSKEY  256 3 5 
   AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN 
   Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR 
   P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89 
   Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
   fakessh.eu.   38400   IN  DNSKEY  257 3 5 
   AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz 
   9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=
   
   ;; AUTHORITY SECTION:
   fakessh.eu.   38400   IN  NS  r13151.ovh.net.
   fakessh.eu.   38400   IN  NS  ns0.xname.org.
   fakessh.eu.   38400   IN  NS  ns1.xname.org.
   fakessh.eu.   38400   IN  NS  ns1.novacrea.fr.
   fakessh.eu.   38400   IN  NS  ns2.xname.org.
   
   ;; ADDITIONAL SECTION:
   ns0.xname.org.  600 IN  A   195.234.42.1
   ns1.xname.org.  600 IN  A   87.98.164.164
   ns1.novacrea.fr.  55352   IN  A   94.23.59.30
   ns2.xname.org.  600 IN  A   88.191.64.64
   ns2.xname.org.  600 IN  AAAA    2a01:e0b:1:64:240:63ff:fee8:6155
   
   ;; Query time: 391 msec
   ;; SERVER: 195.234.42.1#53(195.234.42.1)
   ;; WHEN: Fri Mar 25 08:19:34 2011
   ;; MSG SIZE  rcvd: 515
   
   %

despite my efforts to validate isc dlv. I'm always at the same point I
can not validate the keys. error below the script isc

SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
3.345:INFO Total answers: 3
3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
3.347:SUCCESS All DNSKEY responses are identical.
3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1
AwEAAbjq...Na0iXShQfc=
3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1
AwEAAcNa...y1khCE+CdE=
3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
3.353

Re: problem for validate the script dnssec to isc dlv

2011-03-24 Thread fakessh @
I did click Click ManageZones
Click on (details)
Click under More (more) 
performance test



the total result is 
http://pastebin.com/1bAYHj0d

i mail hostmaster of ns1.novacrea.fr 
is a friend

On Friday 25 March 2011 at 10:38 +1100, Mark Andrews wrote:
 In message 1301008426.12273.115.camel@localhost.localdomain, fakessh @ 
 writes:
  it is 6 months since I used no worries dlv
 
 What keys do you have recorded with dlv.isc.org?
 Do they match what you currently have in the zone?
 
 Click on ManageZones
 Click on (details)
 Under More click on (details)
 
 Below is a check run for my personal zone with all the details.
 You will notice that only one of the DNSKEYs (which is what I
 submitted to the registry) is accepted.  The other, a zone signing
 key, is filtered out.
 
 Unfortunately I don't have a manager bit set on this account so I
 can't see your zone and hence can't see the keys you have submitted.
 
 Mark
 
 0.000:INFO Started: Thu Mar 24 20:36:08 + 2011
 0.000:DEBUG RUN: Sending a recursive query for andrews.wattle.id.au NS
 0.832:DEBUG RUN: Got response for recursive query andrews.wattle.id.au NS 
 NOERROR
 0.832:DEBUG RUN: Got referral
 0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ns0.rfc1035.com.
 0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS sfba.sns-pb.isc.org.
 0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ns2.araneus.fi.
 0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ord.sns-pb.isc.org.
 0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ams.sns-pb.isc.org.
 0.839:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ns0.rfc1035.com A
 0.849:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
 ns0.rfc1035.com A NOERROR
 0.849:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ns0.rfc1035.com 
 
 0.854:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
 ns0.rfc1035.com  NOERROR
 0.855:DEBUG RUN GET_ADDRESSES: Caching address for ns0.rfc1035.com = 
 93.186.33.42, 2001:4B10:100:7::53
 0.857:DEBUG RUN: Enqueued query 1 to 93.186.33.42 for andrews.wattle.id.au 
 DNSKEY
 0.859:DEBUG RUN: Enqueued query 2 to 2001:4B10:100:7::53 for 
 andrews.wattle.id.au DNSKEY
 0.860:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
 sfba.sns-pb.isc.org A
 0.918:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
 sfba.sns-pb.isc.org A NOERROR
 0.918:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
 sfba.sns-pb.isc.org 
 1.093:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
 sfba.sns-pb.isc.org  NOERROR
 1.094:DEBUG RUN GET_ADDRESSES: Caching address for sfba.sns-pb.isc.org = 
 149.20.64.3, 2001:4F8:0:2::19
 1.096:DEBUG RUN: Enqueued query 3 to 149.20.64.3 for andrews.wattle.id.au 
 DNSKEY
 1.099:DEBUG RUN: Enqueued query 4 to 2001:4F8:0:2::19 for 
 andrews.wattle.id.au DNSKEY
 1.099:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ns2.araneus.fi A
 1.144:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
 ns2.araneus.fi A NOERROR
 1.144:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ns2.araneus.fi 
 
 1.148:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
 ns2.araneus.fi  NOERROR
 1.148:DEBUG RUN GET_ADDRESSES: Caching address for ns2.araneus.fi = 
 83.246.72.252
 1.150:DEBUG RUN: Enqueued query 5 to 83.246.72.252 for andrews.wattle.id.au 
 DNSKEY
 1.150:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
 ord.sns-pb.isc.org A
 1.232:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
 ord.sns-pb.isc.org A NOERROR
 1.233:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
 ord.sns-pb.isc.org 
 1.240:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
 ord.sns-pb.isc.org  NOERROR
 1.241:DEBUG RUN GET_ADDRESSES: Caching address for ord.sns-pb.isc.org = 
 199.6.0.30, 2001:500:71::30
 1.243:DEBUG RUN: Enqueued query 6 to 199.6.0.30 for andrews.wattle.id.au 
 DNSKEY
 1.246:DEBUG RUN: Enqueued query 7 to 2001:500:71::30 for andrews.wattle.id.au 
 DNSKEY
 1.246:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
 ams.sns-pb.isc.org A
 1.362:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
 ams.sns-pb.isc.org A NOERROR
 1.363:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
 ams.sns-pb.isc.org 
 1.371:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
 ams.sns-pb.isc.org  NOERROR
 1.371:DEBUG RUN GET_ADDRESSES: Caching address for ams.sns-pb.isc.org = 
 199.6.1.30, 2001:500:60::30
 1.374:DEBUG RUN: Enqueued query 8 to 199.6.1.30 for andrews.wattle.id.au 
 DNSKEY
 1.376:DEBUG RUN: Enqueued query 9 to 2001:500:60::30 for andrews.wattle.id.au 
 DNSKEY
 1.376:DEBUG RUN: Got activity for 2, from 2001:4B10:100:7::53
 1.376:DEBUG RUN: Found answer from 2001:4B10:100:7::53
 1.380:DEBUG RUN: Got activity for 1, from 93.186.33.42
 1.381:DEBUG RUN: Found answer from 93.186.33.42
 1.384:DEBUG RUN: Got activity for 3, from 149.20.64.3
 1.384:DEBUG RUN: Found answer from 149.20.64.3
 1.388:DEBUG RUN: Got activity for 4, from 2001:4F8:0:2::19

Re: problem for validate the script dnssec to isc dlv

2011-03-24 Thread fakessh @
http://secspider.cs.ucla.edu/fakessh-eu--dnskey.txt

this page indicates a DSA algorithm 
it's my old algorithm
new is RSA
On Friday 25 March 2011 at 01:25 +0100, fakessh @ wrote:
 I did click Click ManageZones
 Click on (details)
 Click under More (more) 
 performance test
 
 
 
 the total result is 
 http://pastebin.com/1bAYHj0d
 
 i mail hostmaster of ns1.novacrea.fr 
 is a friend
 
 On Friday 25 March 2011 at 10:38 +1100, Mark Andrews wrote:
  In message 1301008426.12273.115.camel@localhost.localdomain, fakessh @ 
  writes:
   it is 6 months since I used no worries dlv
  
  What keys do you have recorded with dlv.isc.org?
  Do they match what you currently have in the zone?
  
  Click on ManageZones
  Click on (details)
  Under More click on (details)
  
  Below is a check run for my personal zone with all the details.
  You will notice that only one of the DNSKEYs (which is what I
  submitted to the registry) is accepted.  The other, a zone signing
  key, is filtered out.
  
  Unfortunately I don't have a manager bit set on this account so I
  can't see your zone and hence can't see the keys you have submitted.
  
  Mark
  
  0.000:INFO Started: Thu Mar 24 20:36:08 + 2011
  0.000:DEBUG RUN: Sending a recursive query for andrews.wattle.id.au NS
  0.832:DEBUG RUN: Got response for recursive query andrews.wattle.id.au NS 
  NOERROR
  0.832:DEBUG RUN: Got referral
  0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ns0.rfc1035.com.
  0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS sfba.sns-pb.isc.org.
  0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ns2.araneus.fi.
  0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ord.sns-pb.isc.org.
  0.839:DEBUG RUN: andrews.wattle.id.au. 300 IN NS ams.sns-pb.isc.org.
  0.839:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
  ns0.rfc1035.com A
  0.849:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
  ns0.rfc1035.com A NOERROR
  0.849:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
  ns0.rfc1035.com 
  0.854:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
  ns0.rfc1035.com  NOERROR
  0.855:DEBUG RUN GET_ADDRESSES: Caching address for ns0.rfc1035.com = 
  93.186.33.42, 2001:4B10:100:7::53
  0.857:DEBUG RUN: Enqueued query 1 to 93.186.33.42 for andrews.wattle.id.au 
  DNSKEY
  0.859:DEBUG RUN: Enqueued query 2 to 2001:4B10:100:7::53 for 
  andrews.wattle.id.au DNSKEY
  0.860:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
  sfba.sns-pb.isc.org A
  0.918:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
  sfba.sns-pb.isc.org A NOERROR
  0.918:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
  sfba.sns-pb.isc.org 
  1.093:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
  sfba.sns-pb.isc.org  NOERROR
  1.094:DEBUG RUN GET_ADDRESSES: Caching address for sfba.sns-pb.isc.org = 
  149.20.64.3, 2001:4F8:0:2::19
  1.096:DEBUG RUN: Enqueued query 3 to 149.20.64.3 for andrews.wattle.id.au 
  DNSKEY
  1.099:DEBUG RUN: Enqueued query 4 to 2001:4F8:0:2::19 for 
  andrews.wattle.id.au DNSKEY
  1.099:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ns2.araneus.fi 
  A
  1.144:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
  ns2.araneus.fi A NOERROR
  1.144:DEBUG RUN GET_ADDRESSES: Sending a recursive query for ns2.araneus.fi 
  
  1.148:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
  ns2.araneus.fi  NOERROR
  1.148:DEBUG RUN GET_ADDRESSES: Caching address for ns2.araneus.fi = 
  83.246.72.252
  1.150:DEBUG RUN: Enqueued query 5 to 83.246.72.252 for andrews.wattle.id.au 
  DNSKEY
  1.150:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
  ord.sns-pb.isc.org A
  1.232:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
  ord.sns-pb.isc.org A NOERROR
  1.233:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
  ord.sns-pb.isc.org 
  1.240:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
  ord.sns-pb.isc.org  NOERROR
  1.241:DEBUG RUN GET_ADDRESSES: Caching address for ord.sns-pb.isc.org = 
  199.6.0.30, 2001:500:71::30
  1.243:DEBUG RUN: Enqueued query 6 to 199.6.0.30 for andrews.wattle.id.au 
  DNSKEY
  1.246:DEBUG RUN: Enqueued query 7 to 2001:500:71::30 for 
  andrews.wattle.id.au DNSKEY
  1.246:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
  ams.sns-pb.isc.org A
  1.362:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
  ams.sns-pb.isc.org A NOERROR
  1.363:DEBUG RUN GET_ADDRESSES: Sending a recursive query for 
  ams.sns-pb.isc.org 
  1.371:DEBUG RUN GET_ADDRESSES: Got response for recursive query 
  ams.sns-pb.isc.org  NOERROR
  1.371:DEBUG RUN GET_ADDRESSES: Caching address for ams.sns-pb.isc.org = 
  199.6.1.30, 2001:500:60::30
  1.374:DEBUG RUN: Enqueued query 8 to 199.6.1.30 for andrews.wattle.id.au 
  DNSKEY
  1.376:DEBUG RUN: Enqueued query 9 to 2001:500:60::30 for 
  andrews.wattle.id.au DNSKEY
  1.376:DEBUG RUN: Got activity for 2, from 2001:4B10:100:7::53
  1.376:DEBUG RUN

Re: problem for validate the script dnssec to isc dlv

2011-03-24 Thread fakessh @

On Friday 25 March 2011 at 09:24 +1100, Mark Andrews wrote:
 In message 1301004136.12273.106.camel@localhost.localdomain, fakessh @ 
 writes:
  On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
   In message 1300993213.12273.96.camel@localhost.localdomain, fakessh @ writes:
hi bind //guru/
hi isc guru
hi mark andrews
hi michel graff

   There are no DLV records for fakessh.eu.  See below.
   
   There are no DS records for fakessh.eu.  See below.
   
  
  necessarily because I can not validate the key through via isc dlv
 
 One of these is necessary.  You have neither.  Additionally the DS for
 fakessh.eu is the best long term solution as it will be used by more
 people.
 
 Mark


additionally my registrar OVH has not yet
DNSSEC deployment  and I do not know if I can deposit my DS already
me if I insist

  
   Two of the nameservers for your zone are not DNSSEC enabled.   They
   do NOT return RRSIG records when asked for the DNSKEY records with
   DO=1.  See below.
   
   You need to address these issues.
   
   Mark
   
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: rndc-key has expired

2011-03-23 Thread fakessh @
I edit the file named.conf

modification 
update-policy {
grant * self * A TXT;
};


to update-policy local;
it seems more logical. 


but I'm still stuck on the validation of isc dlv. the script tells me
lost keys

and I am therefore blocks

any update is welcome

On Wednesday 23 March 2011 at 02:30 +0100, fakessh @ wrote:
 I changed options
 
 update-policy {
 grant fakessh.eu. name fakessh.eu. A TXT;
 };
 
 since
 update-policy {
 grant * self * A TXT;
 };
 
 
 On Tuesday 22 March 2011 at 14:59 +0100, fakessh @ wrote:
  hi bind guru
  
  
  It appears after the log that my signature rndc-key has expired. how to
  update it
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: rndc-key has expired

2011-03-23 Thread fakessh @
I use and bind  rndc and dlv isc for dnssec 
my zone config like this


zone "renelacroute.fr" {
    type master;
    file "/var/named/renelacroute.fr.hosts";
    auto-dnssec maintain;
    update-policy local;
    key-directory "/var/named/keys/";
    allow-transfer { 213.251.*.*; 87.98.*.*; 195.234.*.*; 94.23.*.*; 193.223.*.*; };
};


and my log dnssec it is
23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature
has expired
23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature
has expired
23-Mar-2011 16:18:18.244 dnssec: debug 2: tsig key 'rndc-key': signature
has expired


I can not use the script to validate the answers (for dnssec ) I isc


SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
5.814:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
5.814:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
5.814:INFO Total answers: 3
5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
5.816:SUCCESS All DNSKEY responses are identical.
5.822:DEBUG VERIFY-DNSKEY: Checking tag=62721 flags=256 alg=RSASHA1
AwEAAb20...UzDMzFplHk=
5.822:DEBUG VERIFY-DNSKEY: Ignoring key.
5.822:DEBUG VERIFY-DNSKEY: Checking tag=48793 flags=257 alg=RSASHA1
AwEAAbj7...WFfCkn7o38=
5.822:DEBUG VERIFY-DNSKEY: Ignoring key.
5.822:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
5.822:INFO VERIFY-DNSKEY: 0 keys found after filtering.
5.822:DEBUG VERIFY-DNSKEY: Using keys:
5.822:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
5.822:FAILURE VERIFY-DNSKEY: No keys found after filtering.
5.822:FAILURE DNSKEY signature did not validate.
5.822:FINAL_FAILURE FAILURE


On Wednesday 23 March 2011 at 09:29 +0100, Eivind Olsen wrote:
  I edit the file named.conf
  modification
  update-policy {
  grant * self * A TXT;
  };
  to update-policy local;
  it seems more logical.
  but I'm still stuck on the validation of isc dlv. the script tells me
  lost keys
 
 Which script? What exactly does it say?
 
 I'm guessing you might have enabled dynamic updates in a DNSSEC signed
 zone, without BIND having access to the private keys needed to sign, but
 that's a wild guess really.
 
 Regards
 Eivind Olsen
 
 
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: rndc-key has expired

2011-03-23 Thread fakessh @
hi isc
hi list
hi guru of bind


errors continue to recur rndc-key expired

But I apply the command for create the key
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST rndc-key

On Wednesday 23 March 2011 at 16:24 +0100, fakessh @ wrote:
 I use and bind  rndc and dlv isc for dnssec 
 my zone config like this
 
 
 zone renelacroute.fr {
 type master;
 file /var/named/renelacroute.fr.hosts;
 auto-dnssec maintain;
 update-policy local;
 key-directory /var/named/keys/;
 allow-transfer {  213.251.*.*;87.98.*.*; 195.234.*.*;94.23.*.\
 *; 193.223.*.*; };
 };
 
 
 and my log dnssec it is
 23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature
 has expired
 23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature
 has expired
 23-Mar-2011 16:18:18.244 dnssec: debug 2: tsig key 'rndc-key': signature
 has expired
 
 
 I can not use the script to validate the answers (for dnssec ) I isc
 
 
 SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
 5.814:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
 5.814:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
 5.814:INFO Total answers: 3
 5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
 5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
 5.816:SUCCESS All DNSKEY responses are identical.
 5.822:DEBUG VERIFY-DNSKEY: Checking tag=62721 flags=256 alg=RSASHA1
 AwEAAb20...UzDMzFplHk=
 5.822:DEBUG VERIFY-DNSKEY: Ignoring key.
 5.822:DEBUG VERIFY-DNSKEY: Checking tag=48793 flags=257 alg=RSASHA1
 AwEAAbj7...WFfCkn7o38=
 5.822:DEBUG VERIFY-DNSKEY: Ignoring key.
 5.822:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
 5.822:INFO VERIFY-DNSKEY: 0 keys found after filtering.
 5.822:DEBUG VERIFY-DNSKEY: Using keys:
 5.822:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
 5.822:FAILURE VERIFY-DNSKEY: No keys found after filtering.
 5.822:FAILURE DNSKEY signature did not validate.
 5.822:FINAL_FAILURE FAILURE
 
 
 On Wednesday 23 March 2011 at 09:29 +0100, Eivind Olsen wrote:
   I edit the file named.conf
   modification
   update-policy {
   grant * self * A TXT;
   };
   to update-policy local;
   it seems more logical.
   but I'm still stuck on the validation of isc dlv. the script tells me
   lost keys
  
  Which script? What exactly does it say?
  
  I'm guessing you might have enabled dynamic updates in a DNSSEC signed
  zone, without BIND having access to the private keys needed to sign, but
  that's a wild guess really.
  
  Regards
  Eivind Olsen
  
  
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: rndc-key has expired

2011-03-23 Thread fakessh @
hi guru

I'm walking on the same server rndc and named


On Wednesday 23 March 2011 at 14:46 -0400, Joseph S D Yao wrote:
 What is this???  To: fakessh @ fake...@fakessh.eu
 
 
 On Tue, Mar 22, 2011 at 02:59:22PM +0100, fakessh @ wrote:
  hi bind guru
  
  
  It appears after the log that my signature rndc-key has expired. how to
  update it
  -- 
  gpg --keyserver pgp.mit.edu --recv-key 092164A7
  http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
 
 
 Are you running 'rndc' from the same server on which the 'named' is
 running?  If not, make sure that both have the same time.
 
 
 --
 /*\
 **
 ** Joe Yaoj...@tux.org - Joseph S. D. Yao
 **
 \*/
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: rndc-key has expired

2011-03-23 Thread fakessh @


I can wait how long before this ends?


On Wednesday 23 March 2011 at 14:46 -0400, Joseph S D Yao wrote:
 What is this???  To: fakessh @ fake...@fakessh.eu
 
 
 On Tue, Mar 22, 2011 at 02:59:22PM +0100, fakessh @ wrote:
  hi bind guru
  
  
  It appears after the log that my signature rndc-key has expired. how to
  update it
  -- 
  gpg --keyserver pgp.mit.edu --recv-key 092164A7
  http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
 
 
 Are you running 'rndc' from the same server on which the 'named' is
 running?  If not, make sure that both have the same time.
 
 
 --
 /*\
 **
 ** Joe Yaoj...@tux.org - Joseph S. D. Yao
 **
 \*/
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



rndc-key has expired

2011-03-22 Thread fakessh @
hi bind guru


It appears after the log that my signature rndc-key has expired. how to
update it
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: rndc-key has expired

2011-03-22 Thread fakessh @
I changed options

update-policy {
grant fakessh.eu. name fakessh.eu. A TXT;
};

since
update-policy {
grant * self * A TXT;
};


On Tuesday 22 March 2011 at 14:59 +0100, fakessh @ wrote:
 hi bind guru
 
 
 It appears after the log that my signature rndc-key has expired. how to
 update it
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: problem validate key of isc dlv

2011-03-21 Thread fakessh @
I managed to walk isc dlv with only 2 servers with active dnssec above.
and I quote ns1.novacrea.fr and ns1.xname.org. 

it produced no problem before


On Monday 21 March 2011 at 07:45 +0100, Torinthiel wrote:
 On 03/21/11 02:13, fakessh @ wrote:
  Yes, I bothered to redeploy new keys, fields TXT, a new signature. 
  and more on a new rehabilitation isc dlv. 
  
  
  I still get the same error
  
  nb : Simply debuggers dnssec still provide all kinds of results
 
 And that's probably the main problem. Two of your nameservers have
 either disabled DNSSec, or don't support it at all:
 
 Correct answer:
 
 $ dig +dnssec +norecurse +noall +answer dnskey fakessh.eu @r13151.ovh.net.
 fakessh.eu. 38400   IN  DNSKEY  257 3 5
 AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
 tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
 fakessh.eu. 38400   IN  DNSKEY  256 3 5
 AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
 tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=
 fakessh.eu. 38400   IN  RRSIG   DNSKEY 5 2 38400
 20110419151040 20110320151040 10231 fakessh.eu.
 VeCJRPlvC6gr+3f/OuMCrFQR42oQkDxJ7nTfLcJMH2XwPyvBOdR/nv55
 ZSs5wJ5Bl5CKAZjMRyWrUtM/wSGdTw==
 fakessh.eu. 38400   IN  RRSIG   DNSKEY 5 2 38400
 20110419151040 20110320151040 30111 fakessh.eu.
 Y1DqOwGfRTxNdFruvOSalp8pVy+FWd/G+pqs+Qu4tkkLvanHcTisDSXA
 JqbKvZpRrwGoL9o+5wKwPisDDqtf6g==
 
 
 And incorrect (note missing RRSIGs):
 dig +dnssec +noall +answer dnskey fakessh.eu @ns0.xname.org.
 fakessh.eu. 38400   IN  DNSKEY  257 3 5
 AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
 tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
 fakessh.eu. 38400   IN  DNSKEY  256 3 5
 AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
 tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=
 
 dig +dnssec +noall +answer dnskey fakessh.eu @ns2.xname.org.
 fakessh.eu. 38400   IN  DNSKEY  256 3 5
 AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
 tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYEA
 fakessh.eu. 38400   IN  DNSKEY  257 3 5
 AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
 tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8A
 
 ISC doesn't publish your DLV record, because it has to see consistent
 view of your zone. And it doesn't as you have missing RRSIGS from some
 nameservers.
 Either convince admins to deploy DNSSec or drop those nameservers.
 Then it should work.
 Torinthiel
 
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
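
Added example (not part of the original thread and not ISC's checker code): the diagnosis quoted above comes down to comparing, for each authoritative server, the DNSKEY set and the RRSIGs returned when DO=1 is set. The Python below runs that comparison over constructed dig answers; the zone example.com, the server names, the key material and the signatures are all placeholders.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed output of
#   dig +dnssec +norecurse +noall +answer dnskey example.com @<server>
# with long records wrapped the way a mail client wraps them. Zone, server
# names, key material and signatures are placeholders, not real data.
KSK = "example.com. 38400 IN DNSKEY 257 3 5\nQ09OU1RSVUNURUQtS1NLLWtleQ==\n"
ZSK = "example.com. 38400 IN DNSKEY 256 3 5\nQ09OU1RSVUNURUQtWlNLLWtleQ==\n"
OLD_ZSK = "example.com. 38400 IN DNSKEY 256 3 5\nQ09OU1RSVUNURUQtT0xELWtleQ==\n"
SIG = ("example.com. 38400 IN RRSIG DNSKEY 5 2 38400\n"
       "20110419151040 20110320151040 11111 example.com.\n"
       "Q09OU1RSVUNURUQtc2lnbmF0dXJl\n")
SAMPLES = {
    "ns-signed.example.": KSK + ZSK + SIG,   # keys plus RRSIG: healthy
    "ns-unsigned.example.": KSK + ZSK,       # same keys, RRSIG missing
    "ns-stale.example.": KSK + OLD_ZSK,      # different key set, no RRSIG
}


def parse_answer(text):
    """Rejoin wrapped lines into (owner, rtype, rdata_tokens) records."""
    records = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith(";"):
            continue  # blank line or dig comment
        if len(tok) >= 4 and tok[1].isdigit() and tok[2] == "IN":
            records.append((tok[0].lower(), tok[3], tok[4:]))
        elif records:
            records[-1][2].extend(tok)  # continuation of the previous record
    return records


def _ts(stamp):
    """RRSIG timestamps in presentation format are YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def summarize(text, now):
    """Return (DNSKEY set, key tags of live RRSIGs, key tags of stale RRSIGs)."""
    keys, live, stale = set(), set(), set()
    for _owner, rtype, rd in parse_answer(text):
        if rtype == "DNSKEY" and len(rd) >= 4:
            # flags, algorithm, base64 key (protocol field rd[1] is always 3)
            keys.add((int(rd[0]), int(rd[2]), "".join(rd[3:])))
        elif rtype == "RRSIG" and len(rd) >= 8 and rd[0] == "DNSKEY":
            # rd: covered alg labels ttl expiration inception keytag signer sig
            tag = int(rd[6])
            (live if _ts(rd[5]) <= now <= _ts(rd[4]) else stale).add(tag)
    return frozenset(keys), live, stale - live


def audit(samples, now):
    """Map each server to a list of problems; an empty list means consistent."""
    views = {srv: summarize(txt, now) for srv, txt in samples.items()}
    # Treat the DNSKEY set served by most servers as the reference view.
    reference = Counter(v[0] for v in views.values()).most_common(1)[0][0]
    report = {}
    for srv, (keys, live, stale) in views.items():
        problems = []
        if not keys:
            problems.append("no DNSKEY returned")
        elif keys != reference:
            problems.append("DNSKEY set differs from other servers")
        if not live:
            problems.append("RRSIG outside validity window" if stale
                            else "no RRSIG over DNSKEY")
        report[srv] = problems
    return report


if __name__ == "__main__":
    when = datetime(2011, 3, 21, tzinfo=timezone.utc)
    for server, problems in audit(SAMPLES, when).items():
        print(server, "OK" if not problems else "; ".join(problems))
```
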



problem validate key of isc dlv

2011-03-20 Thread fakessh @
hello bind network and duru. 

I can not validate the key dlv via the website of the isc. 
I do not understand why the warning is the isc 
you have an explanation
SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
4.502:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
4.502:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
4.502:INFO Total answers: 3
4.503:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
4.504:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
4.504:SUCCESS All DNSKEY responses are identical.
4.515:DEBUG VERIFY-DNSKEY: Checking tag=10231 flags=257 alg=RSASHA1
AwEAAbwO...8fkjXphfS8=
4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
4.515:DEBUG VERIFY-DNSKEY: Checking tag=30111 flags=256 alg=RSASHA1
AwEAAb1q...jG+UQeAtYE=
4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
4.515:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
4.515:INFO VERIFY-DNSKEY: 0 keys found after filtering.
4.515:DEBUG VERIFY-DNSKEY: Using keys:
4.516:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
4.516:FAILURE VERIFY-DNSKEY: No keys found after filtering.
4.516:FAILURE DNSKEY signature did not validate.
4.516:FINAL_FAILURE FAILURE

-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: problem validate key of isc dlv

2011-03-20 Thread fakessh @
and what do I do. 
and what is this other publication of another DS


On Monday 21 March 2011 at 08:25 +1100, Mark Andrews wrote:
 In message 1300650238.6651.15.camel@localhost.localdomain, fakessh @ 
 writes
 :
  hello bind network and duru. 
  
  I can not validate the key dlv via the website of the isc. 
  I do not understand why the warning is the isc 
  you have an explanation
  SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
  4.502:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
  4.502:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
  4.502:INFO Total answers: 3
  4.503:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
  4.504:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
  4.504:SUCCESS All DNSKEY responses are identical.
  4.515:DEBUG VERIFY-DNSKEY: Checking tag=10231 flags=257 alg=RSASHA1
  AwEAAbwO...8fkjXphfS8=
  4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
  4.515:DEBUG VERIFY-DNSKEY: Checking tag=30111 flags=256 alg=RSASHA1
  AwEAAb1q...jG+UQeAtYE=
  4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
  4.515:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
  4.515:INFO VERIFY-DNSKEY: 0 keys found after filtering.
  4.515:DEBUG VERIFY-DNSKEY: Using keys:
  4.516:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
  4.516:FAILURE VERIFY-DNSKEY: No keys found after filtering.
  4.516:FAILURE DNSKEY signature did not validate.
  4.516:FINAL_FAILURE FAILURE
 
 Based on the key tags and the truncated keys I think these keys are
 for fakessh.eu and if so there isn't a DLV record or a DS published
 for fakessh.eu.  The only other thing the validator can check against
 is any installed trust-anchor.
 
 Mark
 
 ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48161
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
 ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu ds
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63623
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
 
 
  -- 
  gpg --keyserver pgp.mit.edu --recv-key 092164A7
  http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
  
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7



Re: problem validate key of isc dlv

2011-03-20 Thread fakessh @

On Sunday 20 March 2011 at 22:47 +0100, Torinthiel wrote:
 On 03/20/11 22:33, fakessh @ wrote:
  and what do I do. 
 
 You have to add your key to ISC's DLV registry. Go to dlv.isc.org,
 create account, login, add a zone, add keys for it and publish a record
 in your zone validating that you're the owner of the zone. You will be
 told what to do after you create zone.
 

that's what I did
I made a post on my blog explaining how I do
goo.gl/EAbCB

  and what is this other publication of another DS
 
 I have no idea what do you mean by this sentence.
 Torinthiel
 
  
  
  On Monday 21 March 2011 at 08:25 +1100, Mark Andrews wrote:
  In message 1300650238.6651.15.camel@localhost.localdomain, fakessh @ 
  writes
  :
  hello bind network and duru. 
 
  I can not validate the key dlv via the website of the isc. 
  I do not understand why the warning is the isc 
  you have an explanation
  SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
  4.502:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
  4.502:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
  4.502:INFO Total answers: 3
  4.503:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
  4.504:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
  4.504:SUCCESS All DNSKEY responses are identical.
  4.515:DEBUG VERIFY-DNSKEY: Checking tag=10231 flags=257 alg=RSASHA1
  AwEAAbwO...8fkjXphfS8=
  4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
  4.515:DEBUG VERIFY-DNSKEY: Checking tag=30111 flags=256 alg=RSASHA1
  AwEAAb1q...jG+UQeAtYE=
  4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
  4.515:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
  4.515:INFO VERIFY-DNSKEY: 0 keys found after filtering.
  4.515:DEBUG VERIFY-DNSKEY: Using keys:
  4.516:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
  4.516:FAILURE VERIFY-DNSKEY: No keys found after filtering.
  4.516:FAILURE DNSKEY signature did not validate.
  4.516:FINAL_FAILURE FAILURE
 
  Based on the key tags and the truncated keys I think these keys are
  for fakessh.eu and if so there isn't a DLV record or a DS published
  for fakessh.eu.  The only other thing the validator can check against
  is any installed trust-anchor.
 
  Mark
 
  ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48161
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
  ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu ds
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63623
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
 
 

Re: problem validate key of isc dlv

2011-03-20 Thread fakessh @

On Monday 21 March 2011 at 10:58 +1100, Mark Andrews wrote:
 In message 1300660825.6651.21.camel@localhost.localdomain, fakessh @ 
 writes

  
  that's what I did
  I made a post on my blog explaining how I do
  goo.gl/EAbCB
 
 Have you changed your DNSKEY's since you did that?  If you have did
 you update the zone in your account on dlv.isc.org?  What does
 dlv.isc.org have to say about fakessh.eu?


I recreate a whole series of keys with a new field TXT I resigned to the
keys I have on my account revalidates isc
I have created to 11am GMT , this



 
and what is this other publication of another DS
 
 In the end you should have a DS RRset published in the .EU zone for
 fakessh.EU.  .EU claim to implement DNSSEC and that should mean
 that you can get DS records added for your zone.

this may be the reason for this problem

 
   I have no idea what do you mean by this sentence.
   Torinthiel
 -
  

Re: problem validate key of isc dlv

2011-03-20 Thread fakessh @
Yes, I bothered to redeploy new keys, fields TXT, a new signature. 
and more on a new rehabilitation isc dlv. 


I still get the same error

nb : Simply debuggers dnssec still provide all kinds of results
On Monday 21 March 2011 at 10:58 +1100, Mark Andrews wrote:
 In message 1300660825.6651.21.camel@localhost.localdomain, fakessh @ 
 writes
 :
  
  On Sunday 20 March 2011 at 22:47 +0100, Torinthiel wrote:
   On 03/20/11 22:33, fakessh @ wrote:
and what do I do.

   You have to add your key to ISC's DLV registry. Go to dlv.isc.org,
   create account, login, add a zone, add keys for it and publish a record
   in your zone validating that you're the owner of the zone. You will be
   told what to do after you create zone.

  that's what I did
  I made a post on my blog explaining how I do
  goo.gl/EAbCB
 
 Have you changed your DNSKEY's since you did that?  If you have did
 you update the zone in your account on dlv.isc.org?  What does
 dlv.isc.org have to say about fakessh.eu?
 
and what is this other publication of another DS
 
 In the end you should have a DS RRset published in the .EU zone for
 fakessh.EU.  .EU claim to implement DNSSEC and that should mean
 that you can get DS records added for your zone.
 
   I have no idea what do you mean by this sentence.
   Torinthiel

On Monday 21 March 2011 at 08:25 +1100, Mark Andrews wrote:
In message 1300650238.6651.15.camel@localhost.localdomain, fakessh @ writes:
hello bind network and duru.

I can not validate the key dlv via the website of the isc.
I do not understand why the warning is the isc
you have an explanation
SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
4.502:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
4.502:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
4.502:INFO Total answers: 3
4.503:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
4.504:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
4.504:SUCCESS All DNSKEY responses are identical.
4.515:DEBUG VERIFY-DNSKEY: Checking tag=10231 flags=257 alg=RSASHA1
AwEAAbwO...8fkjXphfS8=
4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
4.515:DEBUG VERIFY-DNSKEY: Checking tag=30111 flags=256 alg=RSASHA1
AwEAAb1q...jG+UQeAtYE=
4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
4.515:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
4.515:INFO VERIFY-DNSKEY: 0 keys found after filtering.
4.515:DEBUG VERIFY-DNSKEY: Using keys:
4.516:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
4.516:FAILURE VERIFY-DNSKEY: No keys found after filtering.
4.516:FAILURE DNSKEY signature did not validate.
4.516:FINAL_FAILURE FAILURE
   
Based on the key tags and the truncated keys I think these keys are
for fakessh.eu and if so there isn't a DLV record or a DS published
for fakessh.eu.  The only other thing the validator can check against
is any installed trust-anchor.
   
Mark
   
; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48161
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63623
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
   
   
   

key DNSKEY for areas zone .eu

2011-03-18 Thread fakessh @
hi bind network
hi guru of bind


is there a special key DNSKEY for  areas zone .eu
or should we be satisfied keys included in the tarball of bind

thanks for your return


Re: RHEL5 BIND in PROD

2011-03-15 Thread fakessh @
I recompile the source rpm fedora core 14  bind 9.7.3 to EL4 and EL5
with koji  see my blog for explanations

http://fakessh.eu/2011/03/10/bind-9-7-3-sur-centos-5-5-depuis-rpm-source-fecora-14/

On Tuesday 15 March 2011 at 09:45 -0400, Mike Diggins wrote:
 I'm about to transition my name servers from Solaris 10 to RedHat Linux 
 5.6. I'm debating whether to compile BIND directly from source as I 
 usually do or use one of the RHEL packages, likely the newly released 
 9.7.0-6.P2. I would like to make our DNS a little more appliance based to 
 ease some of the support burden. I'm also concerned with stability over 
 new features. I'm interested to know what others are doing.
 
 -Mike

necessary to have a secondary dns ipv6

2011-03-13 Thread fakessh @
hello bind guru and list


How is it necessary to have a secondary dns ipv6 to properly establish a
connection ipv6

thanks for your return

Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-03-01 Thread fakessh @

On Tuesday 01 March 2011 at 09:34 +0100, Laurent Bauer wrote:
 On 28/02/2011 23:35, fakessh @ wrote:
  This is not handled yet. The .FR zone has been signed since September 
  2010, but submitting DS for child zones will be supported later this year.
  See http://operations.afnic.fr for more information.
 
  thank you for taking the trouble to answer me. 
  
  
  I therefore rest with my chain of security provided by isc dlv and wait
  for the DS flag a chance to insert later. 
  
  but I wonder one thing I'm not a registrar I am a passionate individual,
  how I'm going to do later for the flag for my DS  .eu domain and .fr? I
  do not know and still do not understand how
 
 You will have to ask your registrar to submit the DS to the parent zone,
 just as you have to ask your registrar 

my registrar OVH not implement dnssec for yet

 when you want to change the NS
 for your zone.

i use other dns secondary that does not come from ovh
use isc dlv

 If they are already implementing DNSSEC, ask them what you are supposed
 to provide (the KSK or the DS only) ; 

for the submission in isc dlv 
we have their key to submit and we get a new text record
it is easy to initiate


 I guess there must be a FAQ

not  FAQ to explicite  for implement a DS record

 somewhere on the control panel.

is the repeat isc dlv seems to accept the flag DS 
in my case i have to a file dsset-fakessh.eu 
but the file contains two keys DS and i don't know which to use

 Eurid is already ready for DS submission, so you will be able to
 complete the whole chain of trust for your .eu domain, if your registrar
 is DNSSEC ready.
 
   Laurent

Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-03-01 Thread fakessh @
as I now know what key DS uses. 

I logged into my account and I moved isc dlv record SHA1 DS, 
and I thought to receive a new record or something like that. 

well no reply from the ISC is :
A corresponding DNSKEY already exists for this record.

All comments are welcome to help me find a solution

nb : I publish on my blog a little article on dnssec 
http://fakessh.eu/2011/02/16/faire-marcher-dnssec-sur-son-serveur/
On Tuesday 01 March 2011 at 21:00 +0100, Torinthiel wrote:
 On 03/01/11 20:17, fakessh @ wrote:
 
  is the repeat isc dlv seems to accept the flag DS 
  in my case i have to a file dsset-fakessh.eu 
  but the file contains two keys DS and i don't know which to use
 
 The DS you have are both for the same key, only one is SHA1 and other
 SHA256. You could try any of them, but see below.
 
 ISC DLV accepts keys, you have to create an account, add your zone and
 keys for it. I remember having some trouble trying to add DS records,
 but DNSKEY worked fine. Of course the zone has to be signed using that
 key, and ISC asks you to add a TXT record at dlv.your.zone (or something
 similar) to prove your ability to modify the zone.
 The procedure is simple and well defined.
 
 And about OVH - I don't know if it's related, but I've asked Polish OVH
 how about providing DNSSEC, as .pl is planned to be signed mid-year, and
 they've answered me they will probably be ready. This might, or might
 not be related to providing DNSSEC by other OVH branches and for other
 registries.
 
 Torinthiel
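Added example, not part of the original posts and not the ISC checker's code: it shows why a dsset- file carries two DS lines for one key (Torinthiel's point above) and why a checker ends up with "0 keys found after filtering" when nothing is published, or when the registry still holds a key from before a re-key (Mark Andrews's question in the "problem validate key of isc dlv" thread). The zone name example.test., the key material and all helper names are constructed for illustration; the digest and key tag rules are those of RFC 4034 and RFC 4509.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type -> hash function


def name_to_wire(name):
    """Canonical wire form of a domain name: lower-cased, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, algorithm, key_b64, protocol=3):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type):
    """(key tag, algorithm, digest type, digest); digest = H(owner name | RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def dsset_lines(owner, rdata):
    """One DS line per digest type, in the layout of a dsset- file."""
    return ["%s IN DS %d %d %d %s" % ((owner,) + make_ds(owner, rdata, t))
            for t in sorted(DIGESTS)]


def parse_ds(line):
    """Parse 'owner IN DS|DLV tag alg type hex...'; the hex may contain spaces."""
    fields = line.split()
    i = next(n for n, tok in enumerate(fields) if tok in ("DS", "DLV"))
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return (tag, alg, dtype, "".join(fields[i + 4:]).upper())


def keys_matching_anchors(owner, dnskeys, anchor_lines):
    """Return the DNSKEYs that some published DS/DLV line actually points to."""
    anchors = [parse_ds(line) for line in anchor_lines]
    return [rdata for rdata in dnskeys
            if any(a[2] in DIGESTS and make_ds(owner, rdata, a[2]) == a
                   for a in anchors)]


# --- constructed sample data (arbitrary bytes, not real RSA keys) ---
ZONE = "example.test."


def sample_key(flags, seed):
    material = base64.b64encode(hashlib.sha256(seed).digest() * 4).decode()
    return dnskey_rdata(flags, 5, material)  # 5 = RSASHA1, as in the checker log


OLD_KSK = sample_key(257, b"ksk before re-keying")
KSK = sample_key(257, b"ksk after re-keying")
ZSK = sample_key(256, b"zsk")

if __name__ == "__main__":
    # Two lines, same key tag, digest types 1 (SHA-1) and 2 (SHA-256).
    print("\n".join(dsset_lines(ZONE, KSK)))
    cases = [("nothing published", []),
             ("registry still has the old key", dsset_lines(ZONE, OLD_KSK)),
             ("registry has the current key", dsset_lines(ZONE, KSK))]
    for label, anchors in cases:
        kept = keys_matching_anchors(ZONE, [KSK, ZSK], anchors)
        print("%-32s -> %d of 2 DNSKEYs usable" % (label, len(kept)))
```

Either DS line identifies the same DNSKEY, so a parent or registry that takes DS input needs only one of them, and any re-key of the zone requires the published record to be regenerated from the new key.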

Re: inconsistency dnssec debuguers response and writing conseil for new areas zone

2011-02-28 Thread fakessh @

On Monday 28 February 2011 at 20:14 +0100, Laurent Bauer wrote:
 Eivind Olsen wrote:
  
  Well, I see a few different errors for that domain:
  
  I don't see any DS records for your domain when I query the fr. 
   nameservers. I don't know how it's handled in that TLD but I guess
   you somehow need to tell your registrar about your KSK, so they
  can put in the correct DS record.
 
 This is not handled yet. The .FR zone has been signed since September 
 2010, but submitting DS for child zones will be supported later this year.
 See http://operations.afnic.fr for more information.
 
thank you for taking the trouble to answer me. 


I therefore rest with my chain of security provided by isc dlv and wait
for the DS flag a chance to insert later. 

but I wonder one thing I'm not a registrar I am a passionate individual,
how I'm going to do later for the flag for my DS  .eu domain and .fr? I
do not know and still do not understand how



   Laurent

Re: service if s/up/down/g ipv6

2011-01-24 Thread fakessh
On Monday 24 January 2011 00:04, you wrote:
 At this stage I think you will need to post the zone so we can see
 what you have done.  Also the named.conf zone clause for ovh.net.

Marc thank you for your attention as you bear me, thank you very humbly

i paste my named.conf and the zone whitout signatures , work for me

http://pastebin.com/7Be9FavZ
http://pastebin.com/XFuc45tM

nb : if I create a new thread in the list Excuse me Mark has bothered to 
answer me personally in my INBOX from the list, so I think my answer will not 
be synchronized with the list


Re: service if s/up/down/g ipv6

2011-01-24 Thread fakessh @
thank you for this very constructive reflection. I just changed the zone
r13151.ovh.net it contained only fields ptr ns and I just added a field
and . I increment the serial then all and apply rndc reload flush
reconfig  sign all zone

dig answer now seems
r13151 ~]# dig +short aaaa r13151.ovh.net 
2001:41d0:2:3dd6:1234:5678:9abc:def0

On Monday 24 January 2011 at 17:57 +0100, Eivind Olsen wrote:
  http://pastebin.com/7Be9FavZ
 
 That zonefile seems to be for fakessh.eu, and not for ovh.net.
 Your initial problem was regarding IPv6 towards r13151.ovh.net ? If so,
 that's the zonefile we'll need to look at.
 
 Regards
 Eivind Olsen
 
 

service if s/up/down/g ipv6

2011-01-22 Thread fakessh @
hello
administrators bind. How is it necessary to have a secondary dns server
ipv6 in to establish a connection ipv6. I like ipv6 me and one of
someone else  yet I can not properly establish connections ipv6 I do not
even know if I r13151.ovh.net answer properly in ipv6

sincerely 


Re: service if s/up/down/g ipv6

2011-01-22 Thread fakessh @
hello

I tried to make a simple box ipv6 r13151.ovh.net did not I know about
registration . my domain names such fakessh.eu owns a recording 
well. 


how to properly configure a zone ipv6

thanks
On Sunday 23 January 2011 at 03:41 +0100, Eivind Olsen wrote:
  administrators bind. How is it necessary to have a secondary dns server
  ipv6 in to establish a connection ipv6. I like ipv6 me and one of
  someone else  yet I can not properly establish connections ipv6 I do not
  even know if I r13151.ovh.net answer properly in ipv6
 
 I'm not 100% sure I understand the question.
 I don't see any AAAA record for r13151.ovh.net, only a normal IPv4 A record:
 
 Eivind-mac:~ eivind$ dig +short a r13151.ovh.net
 87.98.186.232
 Eivind-mac:~ eivind$ dig +short aaaa r13151.ovh.net
 Eivind-mac:~ eivind$
 
 Regards
 Eivind Olsen
 
 

Re: how to proper include DS record on key dnssec

2011-01-13 Thread fakessh @
hello bind network  and hello dnssec network admin.


thank you for answered, 
I think I found a solution to my problem. 
$INCLUDE directive is that I have to handle


example: 
$INCLUDE /var/named/keys/dsset-fakessh.eu. fakessh.eu
$INCLUDE /var/named/keys/keyset-fakessh.eu. fakessh.eu

and perform a complete resignatures area zone
this should enable me to have the flag DS and DS sign, DLV and DLV sign
in my area zone

its right

thanks for your return many return are welcome


On Thursday 13 January 2011 at 12:36 -0500, Paul Wouters wrote:
 On Thu, 13 Jan 2011, fakessh @ wrote:
 
  I correctly configure my server centos dnssec on with as a
  representative of encryptions dlv isc. my question is relevant and was
  already asked but I have not found the complete answer on google. my
  question is how to include the DS record in the Keys. my keys are in a
  separate folder. the DS record is already generated in
 
 The DS record goes into the parent zone, not the zone itself.
 
  I also wonder the utility of this good record given that my signatures
  are marked as good on dlv
 
 Use any public DNS server with dlv configured. eg nssec.xelerance.net:
 
 dig +dnssec -t ds yourzone @nssec.xelerance.net
 
  what file in the include directive must be accomplished and realize how
  well inclusion of the DS record (what should be the proper syntax on how
  to declare dlv isc) how to re-sign after the keys
 
 You give your DS via http://dlv.isc.org/
 
 Paul

how to proper include DS record on key dnssec

2011-01-12 Thread fakessh @

hello bind network 
hello dnssec network admin. 


I correctly configure my server centos dnssec on with as a
representative of encryptions dlv isc. my question is relevant and was
already asked but I have not found the complete answer on google. my
question is how to include the DS record in the Keys. my keys are in a
separate folder. the DS record is already generated in

I also wonder the utility of this good record given that my signatures
are marked as good on dlv

I read that a single include file in the keys was the right approach but
I would like to have more precision on the proper conduct of this
operation

what file in the include directive must be accomplished and realize how
well inclusion of the DS record (what should be the proper syntax on how
to declare dlv isc) how to re-sign after the keys

this is it the response on google for implement DS record with dnssec
http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.dns.bind/2010-08/msg00054.html


thanks for many returns who are welcome

this is a relevant on my config of keys
~]# cat  /var/named/dsset-fakessh.eu. 
fakessh.eu. IN DS 47103 3 1 CFEA04C5B91**7F2DF5225E357
fakessh.eu. IN DS 47103 3 2 68096942650C1DD89D5**09F4F1CD348 4D8ED07B


~]# ls -al /var/named/keys
total 8
drwxrwxr-x 2 root named 4096 jan  1 15:41 .
drwxrwx--- 7 root named 4096 jan  1 15:34 ..
lrwxrwxrwx 1 root named   28 jan  1 15:41 dsset-fakessh.eu. -> /var/named/dsset-fakessh.eu.
lrwxrwxrwx 1 root named   34 jan  1 15:41 dsset-nicolaspichot.fr. -> /var/named/dsset-nicolaspichot.fr.
lrwxrwxrwx 1 root named   33 jan  1 15:41 dsset-renelacroute.fr. -> /var/named/dsset-renelacroute.fr.
lrwxrwxrwx 1 root named   29 jan  1 15:41 keyset-fakessh.eu. -> /var/named/keyset-fakessh.eu.
lrwxrwxrwx 1 root named   35 jan  1 15:41 keyset-nicolaspichot.fr. -> /var/named/keyset-nicolaspichot.fr.
lrwxrwxrwx 1 root named   34 jan  1 15:41 keyset-renelacroute.fr. -> /var/named/keyset-renelacroute.fr.
lrwxrwxrwx 1 root named   37 jan  1 15:41 Kfakessh.eu.+003+47103.key -> /var/named/Kfakessh.eu.+003+47103.key
lrwxrwxrwx 1 root named   41 jan  1 15:41 Kfakessh.eu.+003+47103.private -> /var/named/Kfakessh.eu.+003+47103.private
lrwxrwxrwx 1 root named   37 jan  1 15:41 Kfakessh.eu.+003+59773.key -> /var/named/Kfakessh.eu.+003+59773.key
lrwxrwxrwx 1 root named   41 jan  1 15:41 Kfakessh.eu.+003+59773.private -> /var/named/Kfakessh.eu.+003+59773.private
lrwxrwxrwx 1 root named   43 jan  1 15:41 Knicolaspichot.fr.+003+02473.key -> /var/named/Knicolaspichot.fr.+003+02473.key
lrwxrwxrwx 1 root named   47 jan  1 15:41 Knicolaspichot.fr.+003+02473.private -> /var/named/Knicolaspichot.fr.+003+02473.private
lrwxrwxrwx 1 root named   43 jan  1 15:41 Knicolaspichot.fr.+003+07246.key -> /var/named/Knicolaspichot.fr.+003+07246.key
lrwxrwxrwx 1 root named   47 jan  1 15:41 Knicolaspichot.fr.+003+07246.private -> /var/named/Knicolaspichot.fr.+003+07246.private
lrwxrwxrwx 1 root named   42 jan  1 15:41 Krenelacroute.fr.+003+01827.key -> /var/named/Krenelacroute.fr.+003+01827.key
lrwxrwxrwx 1 root named   46 jan  1 15:41 Krenelacroute.fr.+003+01827.private -> /var/named/Krenelacroute.fr.+003+01827.private
lrwxrwxrwx 1 root named   42 jan  1 15:41 Krenelacroute.fr.+003+57237.key -> /var/named/Krenelacroute.fr.+003+57237.key
lrwxrwxrwx 1 root named   46 jan  1 15:41 Krenelacroute.fr.+003+57237.private -> /var/named/Krenelacroute.fr.+003+57237.private


Re: OT: checking subnet delegation?

2011-01-04 Thread fakessh @
create slave zone with ptr and master zone
is documented with the manual

anonymous
On Tuesday 04 January 2011 at 07:32 -0800, online-reg wrote:
 Hi All: I have a /28 that was supposed to be delegated to my NS by my
 ISP.
 
 How can I check that it is correctly delegated? I have the
 in-addr.arpa zone 
 configured in my NS and it resolves properly when I test it locally,
 but if 
 I test using a remote service no reverse is found.
 
 The subnet is 216.218.227.128/28
 
 it should be delegated to ns.enigmedia.com and ns1.enigmedia.com
 
 My zone file is 128-143.227.218.216.in-addr.arpa
 
 Not sure if the problem is on my end or if it's not delegated
 properly? 
 

Re: checking subnet delegation?

2011-01-04 Thread fakessh @

On Tuesday 04 January 2011 at 08:33 -0800, online-reg wrote:
   Hi All: I have a /28 that was supposed to be delegated to my NS by my
   ISP.
  
   How can I check that it is correctly delegated? I have the in-addr.arpa
   zone
   configured in my NS and it resolves properly when I test it locally, but
   if
   I test using a remote service no reverse is found.
  
   The subnet is 216.218.227.128/28
  
   it should be delegated to ns.enigmedia.com and ns1.enigmedia.com
 
  It is:
 
 
 Thanks, Skull!
 
 
   My zone file is 128-143.227.218.216.in-addr.arpa
  
   Not sure if the problem is on my end or if it's not delegated properly?
 
 
  zarathustra:~ skull$ fast-rdns.pl 216.218.227.128/28
  # Stepping through 216.218.227.128/28 every 1 IPs
  216.218.227.128  128.128-143.227.218.216.in-addr.arpa.
  216.218.227.129  129.128-143.227.218.216.in-addr.arpa.
  216.218.227.130  130.128-143.227.218.216.in-addr.arpa.
  216.218.227.130  mail.searchpartner.pro.
  216.218.227.131  131.128-143.227.218.216.in-addr.arpa.
  216.218.227.131  ns1.enigmedia.com.
 ...
  # Took 3 seconds to scan 216.218.227.128/28 with stepsize 1
 
 Great, so it looks like it's set up correctly. I was testing it with a few
 public reverse-dns lookup tools yesterday, (e.g
 http://postmaster.aol.com/cgi-bin/plugh/rdns.pl) and no PTRs were being
 found.
 
 At the same time, DIG returned the correct info when I queried my NS
 directly...I have the feeling my upstream's NS was at fault, because
 everything's working now :( 
 


the ptr is same defined in the slave zone with the correct serial


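Added example, not part of the original posts: a way to work out what a correct classless (RFC 2317) delegation of the /28 discussed above should look like, and to compare it with lookup results. The function names are hypothetical; the sample lines are copied from the fast-rdns.pl output quoted in the thread (the page elides the rest), and reading a bare child-zone name as "CNAME followed, no PTR returned" is an assumption about that tool's output.

```python
import ipaddress


def classless_zone(network):
    """Child zone name in the first-last style used in this thread (RFC 2317)."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("expected an IPv4 prefix longer than /24")
    first = net.network_address.packed
    last = net.broadcast_address.packed[3]
    return "%d-%d.%d.%d.%d.in-addr.arpa." % (first[3], last, first[2], first[1], first[0])


def expected_chain(network):
    """address -> (owner name in the ISP's /24 zone, CNAME target in the child zone)."""
    zone = classless_zone(network)
    chain = {}
    for ip in ipaddress.ip_network(network):  # includes network and broadcast addresses
        chain[str(ip)] = (ip.reverse_pointer + ".", "%d.%s" % (ip.packed[3], zone))
    return chain


def classify(network, observed_lines):
    """Label each address 'ptr', 'cname-only' or 'not-observed'.

    'ptr'          a name other than the child-zone CNAME target came back
    'cname-only'   only the child-zone name came back (delegation seen, no PTR data)
    'not-observed' nothing for this address in the supplied lines
    """
    chain = expected_chain(network)
    seen = {addr: set() for addr in chain}
    for line in observed_lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] in seen:
            seen[parts[0]].add(parts[1].lower())
    result = {}
    for addr, (_, target) in chain.items():
        names = seen[addr]
        if names - {target}:
            result[addr] = "ptr"
        elif target in names:
            result[addr] = "cname-only"
        else:
            result[addr] = "not-observed"
    return result


NETWORK = "216.218.227.128/28"

# Lines copied from the quoted fast-rdns.pl output; the remainder is elided on the page.
OBSERVED = """\
216.218.227.128  128.128-143.227.218.216.in-addr.arpa.
216.218.227.129  129.128-143.227.218.216.in-addr.arpa.
216.218.227.130  130.128-143.227.218.216.in-addr.arpa.
216.218.227.130  mail.searchpartner.pro.
216.218.227.131  131.128-143.227.218.216.in-addr.arpa.
216.218.227.131  ns1.enigmedia.com.
""".splitlines()

if __name__ == "__main__":
    print("child zone:", classless_zone(NETWORK))
    status = classify(NETWORK, OBSERVED)
    for addr, (owner, target) in expected_chain(NETWORK).items():
        print("%-16s %s CNAME %s  [%s]" % (addr, owner, target, status[addr]))
```

Each printed owner/target pair is the CNAME the upstream's 227.218.216.in-addr.arpa zone has to carry; if a remote resolver returns nothing while the local server answers, the missing piece is on the parent side.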

Re: auto update signatures dnssec

2010-12-28 Thread fakessh @

On Tuesday 28 December 2010 at 16:42 -0500, Alan Clegg wrote:
 On 12/28/2010 4:12 PM, fakessh @ wrote:
  named-sdb[24511]: /var/named/renelacroute.fr.hosts.jnl: create:
  permission denied
 
 Permissions are wrong on /var/named -- the named process needs to be
 able to write into it.
 
  Dec 28 22:04:02 r13151 named-sdb[24511]: dns_dnssec_findzonekeys2:
  error reading private key file fakessh.eu/DSA/9552: file not found
 
 It seems that the .key and .private files are not in the right place.
 
 Fix those two and I bet the rest go away...
 
 AlanC


what is the right place ? AlanC
i look the permissions after correction this seems correct

vulnerability of bind

2010-12-14 Thread fakessh @
hello bind network


I just realized that my version of bind and vulnerable and I'm wondering
if by upgrading to version 9.5.2-P4 I would always be vulnerable



i use centos 5.5 and use
http://www.pramberger.at/peter/services/repository/rhel5/ deposit


thanks


Re: vulnerability of bind

2010-12-14 Thread fakessh @
On 14.12.2010 19:28, fakessh @ wrote:
 hello bind network
 
 
 I just realized that my version of bind and vulnerable and I'm wondering
 if by upgrading to version 9.5.2-P4 I would always be vulnerable
 
 
 
 i use centos 5.5 and use
 http://www.pramberger.at/peter/services/repository/rhel5/ deposit
 
 
 thanks



I finally just made the upgrade to bind-9.7.0-5.P2.el5.i386.rpm packages
is available on the http://people.redhat.com/atkac/ and I wonder if this
package is also vulnerable wait the arrival of centos 5.6 for package
bind well to have updated and which supports dnssec


thanks
https://lists.isc.org/mailman/listinfo/bind-users


Re: bind autosign - DS distribution

2010-12-09 Thread fakessh @
On 09.12.2010 23:26, Matus UHLAR - fantomas wrote:
 In message 20101209220716.ga2...@fantomas.sk, Matus UHLAR - fantomas 
 writes:
 pardon my ignorance if this has been discussed (haven't notice), but
 if BIND is configured to automatically sign dynamic zones, does it
 distribute DS records to parent zones somehow? and if not, what are ways to
 do that? 
 
 On 10.12.10 09:15, Mark Andrews wrote:
 This is IETF dnsext/dnsop fodder. 

 The simple way would be to just record a TSIG key in the child zones
 config to update the parent zone and use signed UPDATE messages.
 Unfortunately this has run into layer 9 issues.
 
 maybe some alternative of NOTIFY mechanism?
 
 However that's apparently why I missed it...
 I think I'll try with opendnssec. I even don't like the automatic mechanism
 much because of bulk updates which I do quite often.
 
 Is it possible(planned) for bind to sign slave zone?
 And, are incremental updates possible with dnssec?
 
 I'm thinking about hidden master bind loading (un)signed zones and providing
 axfr/ixfr to our public servers
 


webmin implement the mechanism of resign  zones

- -- 
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7
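
The signed-UPDATE idea Mark Andrews describes in the quoted text above, sketched as an added example that is not part of the original thread or of BIND: it derives the SHA-256 DS record (RFC 4034) from a child zone's DNSKEY and builds the batch that `nsupdate -k <TSIG key file>` would send to the parent. The server and zone names and the 4-byte key are constructed placeholders, and it assumes the parent accepts TSIG-signed updates for the DS name.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) wire form of an absolute domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest) with digest type 2."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def nsupdate_batch(parent_server, parent_zone, child, ttl, ds):
    """Batch for nsupdate; the DS lives in the parent zone at the child's name.
    Only adds the record, so an older DS stays in place during a key rollover."""
    tag, alg, dtype, digest = ds
    return "\n".join([
        f"server {parent_server}",
        f"zone {parent_zone}",
        f"update add {child} {ttl} DS {tag} {alg} {dtype} {digest}",
        "send",
    ]) + "\n"

# Constructed sample input: a toy 4-byte "public key", not a real KSK.
SAMPLE_KEY = base64.b64encode(b"\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    ds = ds_from_dnskey("child.example.", 257, 3, 8, SAMPLE_KEY)
    # ns1.parent.example and example. are hypothetical names.
    print(nsupdate_batch("ns1.parent.example", "example.", "child.example.", 3600, ds), end="")
```

nsupdate applies the TSIG signature itself when the printed batch is piped to it with the key file; the parent still has to sign the new DS RRset with its own zone key.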


Re: bind autosign - DS distribution

2010-12-09 Thread fakessh @

Le 10.12.2010 00:24, Matus UHLAR - fantomas a écrit :
 On 09.12.10 23:45, fakessh @ wrote:
 webmin implements the mechanism of resigning zones
 
 good to know, but our system fills DNS data using some automatic processes
 from more sources and I don't think they should use webmin for that ;)
 


look at the source to construct a perl script
webmin is built with modules
it's easy i think


sincerely


hello bind network problem ipv6

2010-11-12 Thread fakessh @

hello bind network
hello guru of bind
hello everybody

i have all a slice of ipv6 address 2001:41D0:2:3Dd6::/64
and I would simply change it with my bind ipv6

please you have to be in your answer or I will not understand
Please give concrete examples of config bind otherwise I would not
understand


very nice for all answers even the direct mailer in my mailbox

- -- 
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7


problem with dk dkim and dlv for multiple domain for dkimproxy and bind dnssec

2010-06-01 Thread fakessh
hello all 


hello bind network

I am having problems with my dk and dkim signature of my emails
I have successfully made the process of verification of signatures dnssec
all my domains are correct and good displays on dlv.isc.org
the reason for my problem just the reason that I have updated my postfix
and I have recreated a pair of keys with openssl for dkimproxy

the reason for my questions
one of my domains. in .fr: after validation of signatures by isc dk dkim
said OK
Other areas domains ( other .fr and other .eu ) after validation of
signatures by isc dk dkim said bad


that happens I do not understand


thanks for advice
thanks for help



Re: hello bind network problem with dk dkim and dlv for multiple domain

2010-05-31 Thread fakessh
On Mon, 31 May 2010 05:25:56 +0200, fakessh fake...@fakessh.eu wrote:
 hello all reader
 hello bind network
 
 I am having problems with my dk and dkim signature of my emails
 I have successfully made the process of verification of signatures
dnssec
 all my domains are correct and good displays on dlv.isc.org
 the reason for my problem just the reason that I have updated my postfix
 and I have recreated a pair of keys with openssl for dkimproxy
 
 the reason for my questions
 one of my domains. in .fr: before 

s/before/after 

validation of signatures by isc dk dkim
 said OK
 Other areas domains ( other .fr and other .eu ) before 
s/before/after

validation of
 signatures by isc dk dkim said bad
 
 
 that happens I do not understand
 
 
 thanks for advice
 thanks for help


hello bind network problem with dk dkim and dlv for multiple domain

2010-05-30 Thread fakessh
hello all reader
hello bind network

I am having problems with my dk and dkim signature of my emails
I have successfully made the process of verification of signatures dnssec
all my domains are correct and good displays on dlv.isc.org
the reason for my problem just the reason that I have updated my postfix
and I have recreated a pair of keys with openssl for dkimproxy

the reason for my questions
one of my domains. in .fr: before validation of signatures by isc dk dkim
said OK
Other areas domains ( other .fr and other .eu ) before validation of
signatures by isc dk dkim said bad


that happens I do not understand


thanks for advice
thanks for help


Re: ISC website down

2009-12-07 Thread fakessh
On Mon, 07 Dec 2009 19:07:19 +0100, Chris Hills c...@chaz6.com wrote:
 It is back now.
 

it is up for me

https://www.isc.org/



I have a question concerning the spf

2009-08-24 Thread fakessh
I use bind, and I have a configuration that seems normal to me on my server

Here 
fakessh.eu. IN  MX  10 fakessh.eu.
fakessh.eu. IN  TXT  "v=spf1 ip4:94.23.60.255 mx mx:fakessh.eu ?all"

problem is when I'm trying to configure my mail server via 
check-a...@verifier.port25.com  and check-au...@verifier.port25.com

spf field is marked as neutral, also follows senderid as neutral

how to have the SPF OK, knowing that neutral is not really an answer

I have enclosed a return from this location check-au...@verifier.port25.com
This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com.  The service allows email senders to perform
a simple check of various sender authentication mechanisms.  It is provided
free of charge, in the hope that it is useful to the email community.  While
it is not officially supported, we welcome any feedback you may have at
verifier-feedb...@port25.com.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==
Summary of Results
==
SPF check:          neutral
DomainKeys check:   pass
DKIM check:         pass
Sender-ID check:    neutral
SpamAssassin check: ham

==
Details:
==

HELO hostname:  r13151.ovh.net
Source IP:      94.23.60.214
mail-from:      fake...@fakessh.eu

--
SPF check details:
--
Result:         neutral (SPF-Result: Neutral)
ID(s) verified: smtp.mail=fake...@fakessh.eu
DNS record(s):
    fakessh.eu. 38400 IN TXT v=spf1 ip4:94.23.60.255 mx mx:fakessh.eu ?all
    fakessh.eu. 38400 IN MX 10 fakessh.eu.
    fakessh.eu. 38400 IN A 87.98.186.232
    fakessh.eu. 38400 IN MX 10 fakessh.eu.
    fakessh.eu. 38400 IN A 87.98.186.232

--
DomainKeys check details:
--
Result:         pass 
ID(s) verified: header.from=fake...@fakessh.eu
DNS record(s):
    mail._domainkey.fakessh.eu. 38400 IN TXT k=rsa;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9fPmEi5XsPtXlqwyWX0sho5YXtCz+YVTS8EbKTFn6POlxMgAj6x/FjMEv2TnRm02AEXMK6we68pWR+SkEufjwQ+7zGpOp2wdLLLNBjatX/bzxQoQmpOuQJzA9hi9NTShZLM4TJVdTCBIp62M0ryHmeW2GiFOrw+8mX5x3nNt7BQIDAQAB

--
DKIM check details:
--
Result:         pass (matches From: fake...@fakessh.eu)
ID(s) verified: header.d=fakessh.eu
Canonicalized Headers:
    From:'20'fake...@fakessh.eu'20'fake...@fakessh.eu'0D''0A'
    To:'20'check-a...@verifier.port25.com,'0D''0A'
    '20'check-au...@verifier.port25.com'0D''0A'
    Date:'20'Mon,'20'24'20'Aug'20'2009'20'18:17:05'20'+0200'0D''0A'
    MIME-Version:'20'1.0'0D''0A'
    Content-Type:'20'text/plain;'0D''0A'
    '20''20'charset=us-ascii'0D''0A'
    Content-Transfer-Encoding:'20'7bit'0D''0A'
    Message-Id:'20'200908241817.06403.fake...@fakessh.eu'0D''0A'
    DKIM-Signature:'20'v=1;'20'a=rsa-sha1;'20'c=simple;'20'd=fakessh.eu;'20'h=from:to:date'0D''0A'
    '09':mime-version:content-type:content-transfer-encoding:message-id;'0D''0A'
    '09''20's=mail;'20'bh=uoq1oCgLlTqpdDX/iUbLy7J1Wic=;'20'b=

Canonicalized Body:
    '0D''0A'
    

DNS record(s):
    mail._domainkey.fakessh.eu. 38400 IN TXT k=rsa;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9fPmEi5XsPtXlqwyWX0sho5YXtCz+YVTS8EbKTFn6POlxMgAj6x/FjMEv2TnRm02AEXMK6we68pWR+SkEufjwQ+7zGpOp2wdLLLNBjatX/bzxQoQmpOuQJzA9hi9NTShZLM4TJVdTCBIp62M0ryHmeW2GiFOrw+8mX5x3nNt7BQIDAQAB

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

--
Sender-ID check details:
--
Result:         neutral (SPF-Result: Neutral)
ID(s) verified: header.from=fake...@fakessh.eu
DNS record(s):
    fakessh.eu. 38400 IN TXT v=spf1 ip4:94.23.60.255 mx mx:fakessh.eu ?all
    fakessh.eu. 38400 IN MX 10 fakessh.eu.
    fakessh.eu. 38400 IN A 87.98.186.232
    fakessh.eu. 38400 IN MX 10 fakessh.eu.
    fakessh.eu. 38400 IN A 87.98.186.232

--
SpamAssassin check details:
--
SpamAssassin v3.2.5 (2008-06-10)

Result:         ham  (2.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
-2.6