DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481
I'm DNSSEC enabling the .ip6.arpa zone for my IPv6 allocation and registering it with dlv.isc.org. Using bind-9.7.0-p2 dnssec tools. Everything seems to be working well, but when I test using the Sandia Labs dnsviz.net tool I get inconsistent results.

My mail, etc. server on 2001:8b0:151:1:e2cb:4eff:fe26:6481 appears as 'bogus':

http://dnsviz.net/d/1.8.4.6.6.2.e.f.f.f.e.4.b.c.2.e.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/

Yet my personal laptop on 2001:8b0:151:1:fa1e:dfff:feda:c0bb is all good:

http://dnsviz.net/d/b.b.0.c.a.d.e.f.f.f.f.d.e.1.a.f.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/

What am I doing wrong?

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481
On Jun 2 2010, Matthew Seaman wrote:

> I'm DNSSEC enabling the .ip6.arpa zone for my IPv6 allocation and registering it with dlv.isc.org. Using bind-9.7.0-p2 dnssec tools. Everything seems to be working well, but when I test using the Sandia Labs dnsviz.net tool I get inconsistent results.
>
> My mail, etc. server on 2001:8b0:151:1:e2cb:4eff:fe26:6481 appears as 'bogus':
>
> http://dnsviz.net/d/1.8.4.6.6.2.e.f.f.f.e.4.b.c.2.e.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/
>
> Yet my personal laptop on 2001:8b0:151:1:fa1e:dfff:feda:c0bb is all good:
>
> http://dnsviz.net/d/b.b.0.c.a.d.e.f.f.f.f.d.e.1.a.f.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/
>
> What am I doing wrong?

Nothing that I can see. Maybe dnsviz can't cope with multiple PTR records in an RRset, as your first case has? (On the other hand it handles multiple A records in forward zones OK.)

-- 
Chris Thompson
Email: c...@cam.ac.uk
Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481
On Wed, Jun 2, 2010 at 8:40 AM, Paul Vixie <vi...@isc.org> wrote:

> Chris Thompson <c...@cam.ac.uk> writes:
>
>> Nothing that I can see. Maybe dnsviz can't cope with multiple PTR records in an RRset, as your first case has? (On the other hand it handles multiple A records in forward zones OK.)
>
> to be fair, multiple PTR RRs is something we added in BIND gethostbyaddr() in more or less direct contravention to RFC 1034. if dnsviz doesn't handle it (and i don't know if it doesn't) then it's not dnsviz's fault at all since the DNS RFC's say that there will only be one PTR RR at an in-addr.

Not to take this off topic, but RFC 2181 (sec 10.2) clarifies that a PTR RRset *may* have multiple RRs, but each must point to a canonical name, as opposed to an alias.

That being said, DNSViz is intended to consider multiple RRs in the PTR RRset, but I'm still trying to track down the issue that is causing it to report a bogus signature. I'll report back when I have an answer.

Regards,
Casey
Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481
On Wed, Jun 2, 2010 at 7:44 AM, Chris Thompson <c...@cam.ac.uk> wrote:

> On Jun 2 2010, Matthew Seaman wrote:
>
>> I'm DNSSEC enabling the .ip6.arpa zone for my IPv6 allocation and registering it with dlv.isc.org. Using bind-9.7.0-p2 dnssec tools. Everything seems to be working well, but when I test using the Sandia Labs dnsviz.net tool I get inconsistent results.
>>
>> My mail, etc. server on 2001:8b0:151:1:e2cb:4eff:fe26:6481 appears as 'bogus':
>>
>> http://dnsviz.net/d/1.8.4.6.6.2.e.f.f.f.e.4.b.c.2.e.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/
>>
>> Yet my personal laptop on 2001:8b0:151:1:fa1e:dfff:feda:c0bb is all good:
>>
>> http://dnsviz.net/d/b.b.0.c.a.d.e.f.f.f.f.d.e.1.a.f.1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa/dnssec/
>>
>> What am I doing wrong?
>
> Nothing that I can see. Maybe dnsviz can't cope with multiple PTR records in an RRset, as your first case has? (On the other hand it handles multiple A records in forward zones OK.)

This has been fixed. The problem had to do with establishing a canonical ordering of RRs within an RRset for the purposes of verifying an RRSIG. dnspython's default comparison operators don't follow canonical ordering from RFC 4034, so I had to make some provisions to order properly. This didn't affect A RRsets with multiple RRs because the order of A-type rdata was the same using both orderings.

Thanks for bringing this to my attention.

Regards,
Casey
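The ordering step Casey describes, as an added example that is neither DNSViz nor dnspython code: a validator that sorts the records of a multi-PTR RRset by their presentation-format names instead of by RFC 4034 canonical wire form feeds a differently ordered byte stream into signature verification, so a correct RRSIG fails. The PTR targets under example.org and the TTL are constructed sample values; the owner name is the /64 reverse zone from this thread.

```python
# Added example (not DNSViz or dnspython code): RFC 4034 canonical RR
# ordering, and why a multi-PTR RRset verifies as bogus when the records
# are sorted the wrong way before the RRSIG is checked.
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 section 6.2):
    each label length-prefixed and lowercased, ending with the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def canonical_order(rdatas):
    """RFC 4034 section 6.3: compare RDATA as left-justified unsigned octet
    strings; a shorter string that is a prefix of a longer one sorts first.
    Python's bytes comparison implements exactly that rule."""
    return sorted(rdatas)

def presentation_order(names):
    """The naive ordering: compare the text form of the target names.
    It disagrees with canonical order as soon as label lengths differ."""
    return sorted(names)

def rrsig_signed_data(rrsig_rdata_no_sig, owner, rtype, rclass, ttl, rdatas):
    """Octets an RRSIG covers (RFC 4034 section 3.1.8.1): the RRSIG RDATA
    without the signature field, then every RR of the set in canonical
    order as owner | type | class | original TTL | rdlength | rdata."""
    buf = bytearray(rrsig_rdata_no_sig)
    owner_wire = name_to_wire(owner)
    for rdata in canonical_order(rdatas):
        buf += owner_wire + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata))
        buf += rdata
    return bytes(buf)

# Constructed sample: the /64 reverse zone from the thread with two PTR
# targets (hypothetical hosts under example.org, chosen so that the first
# label lengths differ: "mail" is 4 octets, "mx" is 2).
PTR_TYPE, IN_CLASS = 12, 1
REVERSE_OWNER = "1.0.0.0.1.5.1.0.0.b.8.0.1.0.0.2.ip6.arpa."
PTR_TARGETS = ["mail.example.org.", "mx.example.org."]

def orderings():
    """Return (presentation order, canonical order) of the sample PTR set,
    both expressed as presentation names so they can be compared directly."""
    wire_to_name = {name_to_wire(t): t for t in PTR_TARGETS}
    canon = [wire_to_name[w] for w in canonical_order(wire_to_name)]
    return presentation_order(PTR_TARGETS), canon

if __name__ == "__main__":
    text, canon = orderings()
    print("presentation order:", text)   # mail... first, since 'a' < 'x'
    print("canonical order:   ", canon)  # mx... first, since \x02 < \x04
    signed = rrsig_signed_data(b"", REVERSE_OWNER, PTR_TYPE, IN_CLASS, 3600,
                               [name_to_wire(t) for t in PTR_TARGETS])
    print("octets covered by the RRSIG:", len(signed))
```

A single-record RRset, like the laptop's PTR in the thread, has only one ordering and so verifies either way; the two-record set is where the two orderings diverge.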
Re: DNSSEC / DLV for 2001:8b0:151:1:e2cb:4eff:fe26:6481
On 02/06/2010 18:49:44, Casey Deccio wrote:

> This has been fixed. The problem had to do with establishing a canonical ordering of RRs within an RRset for the purposes of verifying an RRSIG. dnspython's default comparison operators don't follow canonical ordering from RFC 4034, so I had to make some provisions to order properly. This didn't affect A RRsets with multiple RRs because the order of A-type rdata was the same using both orderings.
>
> Thanks for bringing this to my attention.

Excellent. Thank you very much indeed -- I'm glad to have been of service.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
Re: dnssec dlv
I heard that the root zone will be signed (or is already signed), so what changes would be required with respect to the current additions of adding dlv.isc.org as trust anchor and its associated trusted key? Do we need to keep the isc dlv? or add a new key for the root?

Thanks
-dani
Re: dnssec dlv
On May 21 2010, itservices88 wrote:

> I heard that root zone will be signed (or is already signed),

It's in DURZ mode. Read all about it at http://www.root-dnssec.org/

> so what changes would be required with respect to the current additions of adding dlv.isc.org as trust anchor and its associated trusted key ? Do we need to keep the isc dlv ? or add a new key for the root ?

I don't know whether ISC are planning to add a DLV record for the root to the isc.dlv.org zone. (When I asked on another list whether that would work, Mark Andrews told me of course it would.) If not, then it will certainly be desirable to add a trust anchor for the root zone, as (for example) the IANA ITAR will stop being imported into dlv.isc.org at some point, as it will cease to exist.

But large parts of the DNS tree will remain disconnected from the root vis-a-vis DNSSEC, for quite a while, so you should plan to keep using dlv.isc.org as well. (I am assuming you are not opposed to DLV in principle if you are already using it...)

I would plan to review the situation in mid-2011 after com has been signed for a decent length of time.

-- 
Chris Thompson
Email: c...@cam.ac.uk
Re: dnssec dlv
Thanks for details.

-dani
Re: dnssec dlv
In message <aanlktik1cd0xkearue2brdkxpnb6cvyz4zn-qvuv9...@mail.gmail.com>, itservices88 writes:

> I heard that root zone will be signed (or is already signed), so what changes would be required with respect to the current additions of adding dlv.isc.org as trust anchor and its associated trusted key ? Do we need to keep the isc dlv ? or add a new key for the root ?

When the signed root goes operational you should add a managed trusted key for it as I believe that the root will be following the rules in RFC 5011. Managed trusted keys were introduced in BIND 9.7.0.

You will still need to use DLV for the parts of the tree which are not connected to the root.

The root's trust anchors will be added to DLV so there is no need to rush to do this. As far as DLV is concerned the root is just another zone.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
dnssec dlv
Hi,

Whenever I enable:

    dnssec-lookaside . trust-anchor DLV.ISC.ORG;

in the named.conf, restart bind, the dns resolution stops. On the same FC12 machine, dig using an outside dns server has no issues resolving with +dnssec option.

I am using bind 9.6.2 that came with FC12.

Any thoughts?

-dani
Re: dnssec dlv
In message <aanlktikyznh9_cgpb2efye_-yuu4n3bs75fwzp-jz...@mail.gmail.com>, itservices88 writes:

> Hi,
>
> Whenever i enable:
>
>     dnssec-lookaside . trust-anchor DLV.ISC.ORG;
>
> in the named.conf, restart bind, the dns resolution stops. One the same FC12 machine, dig using an outside dns server has no issues resolving with +dnssec option.
>
> I am using bind 9.6.2 that came with FC12.
>
> Any thoughts ?
>
> -dani

Have you added the trusted-keys clause for dlv.isc.org?

    trusted-keys {
        dlv.isc.org. 257 3 5 "BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
    };

Does dig +cd +dnssec dlv.isc.org dnskey return RRSIGS. e.g.

    ; <<>> DiG 9.3.6-P1 <<>> +cd +dnssec dlv.isc.org dnskey
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14675
    ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;dlv.isc.org.                   IN      DNSKEY

    ;; ANSWER SECTION:
    dlv.isc.org.            2077    IN      DNSKEY  256 3 5 BEOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAaGPT+Q0kpiN+7 GviFh+nIazoB8e2Yv7mupgqkmIjObdcbGstYpUltdECdNpNmBvASKB9S BdtGeRvXXpORi3Qyxb9kHGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBF tCibp/mkhw==
    dlv.isc.org.            2077    IN      DNSKEY  257 3 5 BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
    dlv.isc.org.            2077    IN      RRSIG   DNSKEY 5 3 7200 20100619164502 20100520164502 19297 dlv.isc.org. OKURcBkX5iiDC1q87HsSs2xDcDrMm5aPAlYHkPqkHCy7UyTOnCr6cwwN W42mdG4nmpURR4aDGiPlfc1lomE5kA5wOcXASgfMO8eQoOOIyZcBngOb WaE0KY+e/xU37kf7Ms7g6UxTnL+hcjbYgZf2rwN7J1RXf0Z5PfyyASXi ybf3iYGs7GusXgLZ0ZEWQh0zglo2ym56CVt2TbIljJFB0lzAvezos36R SWAYfLLsfGp3v9WfG7e3D8nLvbq5D7+K3IciELr73TVly924uwfAQeEa df40dVR6qyQ++/HWaGr1wOIGLQBRzTX8gKK9RlmcHHcIZo0EFPJo0mf7 Abqpxw==
    dlv.isc.org.            2077    IN      RRSIG   DNSKEY 5 3 7200 20100619164502 20100520164502 64263 dlv.isc.org. LZd6TanU48C2BNKZhuj4vMyquNE9mnbUmk9Zy+NbIKPmJ+h2uLq2EonO GfUkxku7ZPky9DnJ3O05gwcEbVrFDjqtK+hcweu7x+wu0OaXJNsVRJ69 wQpQEkVNgoPNYsHQ6ru65ZwmOm8yRvr/1lXhbJId6j0Y2QZVXvCzVGuA 58Q=

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri May 21 11:45:00 2010
    ;; MSG SIZE  rcvd: 936

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: dnssec dlv
I missed the trusted key .. Thanks

Here is the other output

    # dig +cd +dnssec dlv.isc.org dnskey @localhost

    ; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +cd +dnssec dlv.isc.org dnskey @localhost
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63788
    ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;dlv.isc.org.                   IN      DNSKEY

    ;; ANSWER SECTION:
    dlv.isc.org.            6752    IN      DNSKEY  256 3 5 BEOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAaGPT+Q0kpiN+7 GviFh+nIazoB8e2Yv7mupgqkmIjObdcbGstYpUltdECdNpNmBvASKB9S BdtGeRvXXpORi3Qyxb9kHGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBF tCibp/mkhw==
    dlv.isc.org.            6752    IN      DNSKEY  257 3 5 BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
    dlv.isc.org.            6752    IN      RRSIG   DNSKEY 5 3 7200 20100620033002 20100521033002 19297 dlv.isc.org. eEHtGjgatqIgxeCCcXJrZpaS5KzlWHbL/uNL9oqd/KnQwyVsqdZKhVR2 U9xcGmtu0GAUTdogSQvhzK92y1qF9FuLlmlBDc9pvLBCf5dc7kIJ61ey vOZi18iZIv9+MyoE2ex/KfAHdHZUp3TUzgen7iGxba/yt9/dcJE6iFhz Kk2FSxxG7PFgHRZZJl9aVxuPlNjCnm1gwnuvdKame73tZrlzAK3GBbTo IEE2QSKs47glxhF5/Xka4UqYZ7wSvuCPG/xFn67FXVOHFQvZjNBxWX3V H1jmoJhyLmpCI4JdwGBr7jwPDURDsL2iAUkfpPIuparlq6DwII3lzrqC gA1M6w==
    dlv.isc.org.            6752    IN      RRSIG   DNSKEY 5 3 7200 20100620033002 20100521033002 64263 dlv.isc.org. TbUCfqArddr/0K7NVhL+UNQuM2dDremcvzLbWz6odZzIwdC/MqHzzAj6 rbgHT+uwGZ6t+4ec5Hts9VWh+BEyx5pi6lnhKJjwcFwrXiBauppce11P uWG3AiJZeiYoCWu2E4CqhpW96ZrycRQYehWfsmDsR1BCglVytxJwYUhT WMg=

    ;; Query time: 4 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Thu May 20 21:52:59 2010
    ;; MSG SIZE  rcvd: 936

On Thu, May 20, 2010 at 6:45 PM, Mark Andrews <ma...@isc.org> wrote:

> Have you added the trusted-keys clause for dlv.isc.org?
>
> Does dig +cd +dnssec dlv.isc.org dnskey return RRSIGS.