Re: How to validate DNSSEC signed record with dig?
Thank you very much for your help, I'm going to try it right now.

2012/2/8 Spain, Dr. Jeffry A.

> William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;'
> rather than explicitly signing the zone with dnssec-signzone. I believe I
> recall that you are using bind 9.8, so this should work for you as well.
> Here's something you can try:
>
> In your bind configuration use the following zone stanza:
>
> zone "toto.com" {
>     type master;
>     file "/var/lib/bind/toto.com/toto.com.db";
>     key-directory "/var/lib/bind/toto.com";
>     auto-dnssec maintain;
> };
>
> You will probably want to add some access control to this as well.
>
> Now in the directory /var/lib/bind/toto.com (or the directory of your
> choice as long as it is specified in the configuration above), place all of
> your *.key and *.private files. Also place your unsigned zone file
> toto.com.db with contents as follows (omit the DNSSEC info you currently
> have at the bottom):
>
> $ORIGIN .
> $TTL 17200 ; 4 hours 46 minutes 40 seconds
> toto.com. IN SOA ns10.boom.fr. postmaster.boom.com. (
>     2012020802 ; serial
>     216000     ; refresh (2 days 12 hours)
>     3600       ; retry (1 hour)
>     360        ; expire (5 weeks 6 days 16 hours)
>     172800     ; minimum (2 days)
>     )
>     NS ns.boom.fr.
>     NS ns2.boom.fr.
>     A 217.128.32.85
> $ORIGIN toto.com.
> * A 217.128.32.85
>
> If you are running bind under a UID other than root, make sure all the
> files are readable, and that the zone file is writable, by that UID.
> Restart the bind service, and bind will sign your zone using the keys you
> have provided as long as their metadata is timed appropriately, i.e.
> Publish and Activate dates are in the past, and Inactive and Delete dates
> in the future. To see the metadata, execute 'dnssec-settime -p all
> your_key_file_name.private'. If you need to change the timing metadata, use
> dnssec-settime again. See the ARM for details. Caution: dnssec-settime will
> 'chmod 600' your private key files.
>
> I have been successful with this approach, and hope it works well for you
> also. Jeff.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

--
Kind regards.
Thierry SAMEN.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: How to validate DNSSEC signed record with dig?
William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;' rather than explicitly signing the zone with dnssec-signzone. I believe I recall that you are using bind 9.8, so this should work for you as well. Here's something you can try:

In your bind configuration use the following zone stanza:

zone "toto.com" {
    type master;
    file "/var/lib/bind/toto.com/toto.com.db";
    key-directory "/var/lib/bind/toto.com";
    auto-dnssec maintain;
};

You will probably want to add some access control to this as well.

Now in the directory /var/lib/bind/toto.com (or the directory of your choice as long as it is specified in the configuration above), place all of your *.key and *.private files. Also place your unsigned zone file toto.com.db with contents as follows (omit the DNSSEC info you currently have at the bottom):

$ORIGIN .
$TTL 17200 ; 4 hours 46 minutes 40 seconds
toto.com. IN SOA ns10.boom.fr. postmaster.boom.com. (
    2012020802 ; serial
    216000     ; refresh (2 days 12 hours)
    3600       ; retry (1 hour)
    360        ; expire (5 weeks 6 days 16 hours)
    172800     ; minimum (2 days)
    )
    NS ns.boom.fr.
    NS ns2.boom.fr.
    A 217.128.32.85
$ORIGIN toto.com.
* A 217.128.32.85

If you are running bind under a UID other than root, make sure all the files are readable, and that the zone file is writable, by that UID. Restart the bind service, and bind will sign your zone using the keys you have provided as long as their metadata is timed appropriately, i.e. Publish and Activate dates are in the past, and Inactive and Delete dates in the future. To see the metadata, execute 'dnssec-settime -p all your_key_file_name.private'. If you need to change the timing metadata, use dnssec-settime again. See the ARM for details. Caution: dnssec-settime will 'chmod 600' your private key files.

I have been successful with this approach, and hope it works well for you also. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
Re: How to validate DNSSEC signed record with dig?
William Thierry SAMEN wrote:
>
> dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not at
> top of zone
> dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at
> top of zone

This is because your zone uses an include directive to import the key files,
and keys were generated incorrectly: they have file names where the zone name
should be.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Bailey: Southerly or southwesterly 4 or 5, increasing 6 to gale 8 for a time
in north and west. Very rough or high. Showers. Good, occasionally poor.
Re: How to validate DNSSEC signed record with dig?
Absolutely Tony, that was a key file which has been generated by the dnssec-keygen command. My zone file is so simple and it looks like that; I have checked it before with named-checkzone and all is good in my zone file. I changed option -o by the option -o only and now I had this error:

dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not at top of zone
dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at top of zone

At line 12 of my zone file I haven't seen any mistake. Here is my zone file:

$ORIGIN .
$TTL 17200 ; 4 hours 46 minutes 40 seconds
toto.com. IN SOA ns10.boom.fr. postmaster.boom.com. (
    2012020802 ; serial
    216000     ; refresh (2 days 12 hours)
    3600       ; retry (1 hour)
    360        ; expire (5 weeks 6 days 16 hours)
    172800     ; minimum (2 days)
    )
    NS ns.boom.fr.
    NS ns2.boom.fr.
    A 217.128.32.85
$ORIGIN toto.com.
* A 217.128.32.85
;DNSsec keys starts here
$include /exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+12762.key
$include /exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+60826.key

Thanks

2012/2/8 Tony Finch

> William Thierry SAMEN wrote:
> >
> > My zone file:
>
> Er this looks like a key file, not a zone file. The key has been generated
> incorrectly: it has a file name where the zone name should be.
>
> > ; This is a zone-signing key, keyid 12762, for ../etc/toto.com.
> > ; Created: 20120207101131 (Tue Feb 7 11:11:31 2012)
> > ; Publish: 20120207101131 (Tue Feb 7 11:11:31 2012)
> > ; Activate: 20120207101131 (Tue Feb 7 11:11:31 2012)
> > ../etc/toto.com. IN DNSKEY 256 3 5
> > AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Viking, North Utsire: Southerly 5 to 7, occasionally gale 8 in Viking. Rough,
> becoming very rough in Viking. Rain later. Good, becoming moderate later.

--
Kind regards.
Thierry SAMEN.
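As an added illustration (not code from anyone in this thread), a small Python checker for the two ways a dnssec-keygen key file can fail to load in the situations discussed above: an owner name that is not the zone origin (the "not at origin" and "not at top of zone" errors, as when the key was generated with a file path instead of a zone name), and timing metadata outside the window Jeff describes for auto-dnssec (Publish and Activate in the past, Inactive and Delete in the future). The key text is constructed to mirror the broken key shown in this thread; timestamps are assumed to be the 14-digit UTC form dnssec-settime prints.

```python
"""Sanity-check a dnssec-keygen key file before signing with it or
placing it in a key-directory: the owner name must equal the zone origin
and the timing metadata must put the key in its active window."""
import re
from datetime import datetime, timezone

# Constructed sample mirroring the broken key in the thread: dnssec-keygen
# was given a file path instead of a zone name, so the owner is wrong.
BAD_KEY = """\
; This is a zone-signing key, keyid 12762, for ../etc/toto.com.
; Created: 20120207101131 (Tue Feb 7 11:11:31 2012)
; Publish: 20120207101131 (Tue Feb 7 11:11:31 2012)
; Activate: 20120207101131 (Tue Feb 7 11:11:31 2012)
../etc/toto.com. IN DNSKEY 256 3 5 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE
"""

# Metadata comment lines: "; Publish: YYYYMMDDHHMMSS (human readable)"
META_RE = re.compile(r"^;\s*(Created|Publish|Activate|Inactive|Delete|Revoke):\s*(\d{14})")
# Record line: owner [ttl] IN DNSKEY flags 3 algorithm key-data
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+3\s+\d+\s+\S+")

def parse_ts(ts):
    """Turn a 14-digit dnssec-settime timestamp (UTC) into an aware datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_file(text):
    """Return (owner, flags, {metadata field: datetime}); owner is None if no DNSKEY line."""
    owner, flags, meta = None, None, {}
    for line in text.splitlines():
        m = META_RE.match(line)
        if m:
            meta[m.group(1)] = parse_ts(m.group(2))
        m = RR_RE.match(line)
        if m:
            owner, flags = m.group(1), int(m.group(2))
    return owner, flags, meta

def check_key(text, zone, now_ts=None):
    """Return a list of problems; an empty list means the key is usable for zone now."""
    now = parse_ts(now_ts) if now_ts else datetime.now(timezone.utc)
    owner, flags, meta = parse_key_file(text)
    if owner is None:
        return ["no DNSKEY record found: is this really a key file?"]
    problems = []
    if owner.lower().rstrip(".") != zone.lower().rstrip("."):
        problems.append(f"owner {owner} is not the zone origin {zone.rstrip('.')}. "
                        "(dnssec-signzone reports 'key ... not at origin')")
    role = {256: "ZSK", 257: "KSK"}.get(flags, f"flags={flags}")
    for field in ("Publish", "Activate"):   # must already have happened
        if field not in meta or meta[field] > now:
            problems.append(f"{role}: {field} date missing or in the future")
    for field in ("Inactive", "Delete"):    # must not have happened yet
        if field in meta and meta[field] <= now:
            problems.append(f"{role}: {field} date has already passed")
    return problems
```

Run it over each file you intend to $include or drop into the key-directory; a key whose only problem is the owner name needs regenerating with the bare zone name (dnssec-keygen toto.com), not a rename.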
Re: How to validate DNSSEC signed record with dig?
William Thierry SAMEN wrote:
>
> My zone file:

Er this looks like a key file, not a zone file. The key has been generated
incorrectly: it has a file name where the zone name should be.

> ; This is a zone-signing key, keyid 12762, for ../etc/toto.com.
> ; Created: 20120207101131 (Tue Feb 7 11:11:31 2012)
> ; Publish: 20120207101131 (Tue Feb 7 11:11:31 2012)
> ; Activate: 20120207101131 (Tue Feb 7 11:11:31 2012)
> ../etc/toto.com. IN DNSKEY 256 3 5
> AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

Tony.
--
f.anthony.n.finch  http://dotat.at/
Viking, North Utsire: Southerly 5 to 7, occasionally gale 8 in Viking. Rough,
becoming very rough in Viking. Rain later. Good, becoming moderate later.
Re: How to validate DNSSEC signed record with dig?
Hi, thanks for the quick answer, but my problem is still not resolved; I checked all your solutions but nothing. I'll show you my zone file which I wanted to sign and the command I used.

My zone file:

; This is a zone-signing key, keyid 12762, for ../etc/toto.com.
; Created: 20120207101131 (Tue Feb 7 11:11:31 2012)
; Publish: 20120207101131 (Tue Feb 7 11:11:31 2012)
; Activate: 20120207101131 (Tue Feb 7 11:11:31 2012)
../etc/toto.com. IN DNSKEY 256 3 5 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

Command line that I used to sign this zone:

./dnssec-signzone -p -t -g -k KSK.key -o toto.com ../etc/toto.com ZSK.key

Have you seen some mistake? Thanks for your help.

2012/2/7 Spain, Dr. Jeffry A.

> > dnssec-signzone: fatal: key myKSK.key not at origin
>
> What are the contents of myKSK.key?
> The format is "mydomain.com. IN DNSKEY ..." where mydomain.com is the
> domain origin.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

--
Kind regards.
Thierry SAMEN.
RE: How to validate DNSSEC signed record with dig?
> dnssec-signzone: fatal: key myKSK.key not at origin

What are the contents of myKSK.key?
The format is "mydomain.com. IN DNSKEY ..." where mydomain.com is the domain origin.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
Re: How to validate DNSSEC signed record with dig?
William Thierry SAMEN wrote:
>
> I'm trying to sign a zone on Bind 9.8-P1 but I have this message:
>
> dnssec-signzone: fatal: key myKSK.key not at origin

It means the zone name in the key is not the same as the zone you are signing.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Rockall, Malin, Hebrides, Bailey: Southerly 6 to gale 8, occasionally severe
gale 9 except in Malin, veering northwesterly 4 or 5 for a time except in Malin
and east Hebrides. Very rough, occasionally high except in Malin. Occasional
rain. Moderate or poor.
Re: How to validate DNSSEC signed record with dig?
Hi everybody, sorry for my post, I'm not ready to bring a light to the 1st problem but to find help.

I'm trying to sign a zone on Bind 9.8-P1 but I have this message:

dnssec-signzone: fatal: key myKSK.key not at origin

I just want help; if someone has been confronted with this kind of message I'll be so happy to have a few ideas to debug my problem.
Thx.

2012/2/6 Tony Finch

> Spain, Dr. Jeffry A. wrote:
> >
> > Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com)
> > doesn't appear to offer DNSSEC validation, and 78.46.213.227
> > (rms.coozila.com) doesn't respond to my query at all.
>
> It's worse than that. Google Public DNS doesn't support DNSSEC at all, so
> you cannot use it to query DNSSEC records. DNSSEC requires resolvers to
> handle RRSIG and DS records in special ways even if they are not
> validating the signatures.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> North Utsire, South Utsire: Cyclonic mainly southerly or southeasterly, 5 to
> 7, occasionally gale 8 in east at first. Rough. Rain or snow. Moderate or
> poor.

--
Kind regards.
Thierry SAMEN.
RE: How to validate DNSSEC signed record with dig?
Spain, Dr. Jeffry A. wrote:
>
> Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com)
> doesn't appear to offer DNSSEC validation, and 78.46.213.227
> (rms.coozila.com) doesn't respond to my query at all.

It's worse than that. Google Public DNS doesn't support DNSSEC at all, so
you cannot use it to query DNSSEC records. DNSSEC requires resolvers to
handle RRSIG and DS records in special ways even if they are not
validating the signatures.

Tony.
--
f.anthony.n.finch  http://dotat.at/
North Utsire, South Utsire: Cyclonic mainly southerly or southeasterly, 5 to
7, occasionally gale 8 in east at first. Rough. Rain or snow. Moderate or
poor.
RE: How to validate DNSSEC signed record with dig?
Hello,

To be precise:
bind.odvr.dns-oarc.net. validates but seems to ignore expired (but otherwise valid) signatures.
unbound.odvr.dns-oarc.net. validates without ignoring expired signatures.

Kind regards,

Marc Lampo
Security Officer
EURid vzw/asbl

-----Original Message-----
From: Spain, Dr. Jeffry A. [mailto:spa...@countryday.net]
Sent: 05 February 2012 09:35 PM
To: Nikolay Shaplov
Cc: bind-users@lists.isc.org
Subject: RE: How to validate DNSSEC signed record with dig?

> I am trying to validate DNSSEC signature on ns record using dig.
> Domain nox.su is properly signed using DNSSEC.
> I am trying to validate it as described here:
> http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/
> $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
> $ dig +topdown +sigchase nox.su
> but it gives me ";; DSset is missing to continue validation: FAILED" error
> while processing the whole hierarchy of zones.
> $ cat /etc/resolv.conf
> # Generated by NetworkManager
> domain router
> search router
> nameserver 8.8.8.8
> nameserver 78.46.213.227

Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com) doesn't appear to offer DNSSEC validation, and 78.46.213.227 (rms.coozila.com) doesn't respond to my query at all.

A known-good publicly accessible DNSSEC-validating recursive resolver is available at bind.odvr.dns-oarc.net. If I run "dig @bind.odvr.dns-oarc.net nox.su +dnssec", I get an AD (authenticated data) flag returned for the A record with IPv4 address 50.16.193.159. This is a prima facie indication that DNSSEC is working for nox.su.

The "+topdown" option isn't available to me (bind 9.9.0rc2 version of dig).

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
RE: How to validate DNSSEC signed record with dig?
> I am trying to validate DNSSEC signature on ns record using dig.
> Domain nox.su is properly signed using DNSSEC.
> I am trying to validate it as described here:
> http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/
> $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
> $ dig +topdown +sigchase nox.su
> but it gives me ";; DSset is missing to continue validation: FAILED" error
> while processing the whole hierarchy of zones.
> $ cat /etc/resolv.conf
> # Generated by NetworkManager
> domain router
> search router
> nameserver 8.8.8.8
> nameserver 78.46.213.227

Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com) doesn't appear to offer DNSSEC validation, and 78.46.213.227 (rms.coozila.com) doesn't respond to my query at all.

A known-good publicly accessible DNSSEC-validating recursive resolver is available at bind.odvr.dns-oarc.net. If I run "dig @bind.odvr.dns-oarc.net nox.su +dnssec", I get an AD (authenticated data) flag returned for the A record with IPv4 address 50.16.193.159. This is a prima facie indication that DNSSEC is working for nox.su.

The "+topdown" option isn't available to me (bind 9.9.0rc2 version of dig).

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School