Re: inconsistency dnssec debuggers response and writing advice for new zones

On 2011-03-01 21:00, Torinthiel wrote:
> On 03/01/11 20:17, fakessh @ wrote:
> And about OVH - I don't know if it's related, but I've asked Polish OVH
> how about providing DNSSEC, as .pl is planned to be signed mid-year, and
> they've answered me they will probably be ready. This might, or might
> not be related to providing DNSSEC by other OVH branches and for other
> registries.

I asked OVH.fr about this somewhere around October 2010. They answered that they were working on it and it would be available "soon".
I asked OVH.nl again in mid February 2010. They answered that it's on their roadmap but they don't have a timing yet...
They could only provide me with this forum link: http://forum.ovh.nl/showthread.php?t=963

Greets

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: inconsistency dnssec debuggers response and writing advice for new zones

On 03/01/11 21:52, fakessh @ wrote:
> as I now know what key DS uses.

That would be the key with id 47103 in your case. The one that has the SEP flag, the one that only signs DNSKEY records and not others.

Regards,
Torinthiel
Re: inconsistency dnssec debuggers response and writing advice for new zones

In message <1299012754.7.430.camel@localhost.localdomain>, "fakessh @" writes:
> as I now know what key DS uses.
>
> I logged into my account and I moved isc dlv record SHA1 DS,
> and I thought to receive a new record or something like that.
>
> well no reply from the ISC is :
> A corresponding DNSKEY already exists for this record.

Because there are already DLV records for the key in the DLV.

;; ANSWER SECTION:
fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 2 68096942650C1DD89D5BE43A9EEA05BA9C20F09EDC55309F4F1CD348 4D8ED07B
fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 1 CFEA04C5B918359273D6BAC07AE7F2DF5225E357

And the zone itself validates (ad=1).

; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu soa +adflag
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4080
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fakessh.eu. IN SOA

;; ANSWER SECTION:
fakessh.eu. 38400 IN SOA r13151.ovh.net. postmaster.fakessh.eu. 2011022802 10800 3600 604800 38400

;; Query time: 2521 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 2 08:45:13 2011
;; MSG SIZE rcvd: 89

> All comments are welcome to help me find a solution
>
> NB: I publish on my blog a little article on dnssec
> http://fakessh.eu/2011/02/16/faire-marcher-dnssec-sur-son-serveur/
>
> On Tuesday 01 March 2011 at 21:00 +0100, Torinthiel wrote:
> > On 03/01/11 20:17, fakessh @ wrote:
> > > is the repeat isc dlv seems to accept the flag DS
> > > in my case i have to a file dsset-fakessh.eu
> > > but the file contains two keys DS and i don't know which to use
> >
> > The DS you have are both for the same key, only one is SHA1 and the other
> > SHA256. You could try any of them, but see below.
> >
> > ISC DLV accepts keys, you have to create an account, add your zone and
> > keys for it. I remember having some trouble trying to add DS records,
> > but DNSKEY worked fine. Of course the zone has to be signed using that
> > key, and ISC asks you to add a TXT record at dlv.your.zone (or something
> > similar) to prove your ability to modify the zone.
> > The procedure is simple and well defined.
> >
> > And about OVH - I don't know if it's related, but I've asked Polish OVH
> > how about providing DNSSEC, as .pl is planned to be signed mid-year, and
> > they've answered me they will probably be ready. This might, or might
> > not be related to providing DNSSEC by other OVH branches and for other
> > registries.
> >
> > Torinthiel
> --
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: inconsistency dnssec debuggers response and writing advice for new zones

as I now know what key DS uses.

I logged into my account and I moved isc dlv record SHA1 DS,
and I thought to receive a new record or something like that.

well no reply from the ISC is :
A corresponding DNSKEY already exists for this record.

All comments are welcome to help me find a solution

NB: I publish on my blog a little article on dnssec
http://fakessh.eu/2011/02/16/faire-marcher-dnssec-sur-son-serveur/

On Tuesday 01 March 2011 at 21:00 +0100, Torinthiel wrote:
> On 03/01/11 20:17, fakessh @ wrote:
> > is the repeat isc dlv seems to accept the flag DS
> > in my case i have to a file dsset-fakessh.eu
> > but the file contains two keys DS and i don't know which to use
>
> The DS you have are both for the same key, only one is SHA1 and the other
> SHA256. You could try any of them, but see below.
>
> ISC DLV accepts keys, you have to create an account, add your zone and
> keys for it. I remember having some trouble trying to add DS records,
> but DNSKEY worked fine. Of course the zone has to be signed using that
> key, and ISC asks you to add a TXT record at dlv.your.zone (or something
> similar) to prove your ability to modify the zone.
> The procedure is simple and well defined.
>
> And about OVH - I don't know if it's related, but I've asked Polish OVH
> how about providing DNSSEC, as .pl is planned to be signed mid-year, and
> they've answered me they will probably be ready. This might, or might
> not be related to providing DNSSEC by other OVH branches and for other
> registries.
>
> Torinthiel

--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
Re: inconsistency dnssec debuggers response and writing advice for new zones

On 03/01/11 20:17, fakessh @ wrote:
> is the repeat isc dlv seems to accept the flag DS
> in my case i have to a file dsset-fakessh.eu
> but the file contains two keys DS and i don't know which to use

The DS you have are both for the same key, only one is SHA1 and the other
SHA256. You could try any of them, but see below.

ISC DLV accepts keys, you have to create an account, add your zone and
keys for it. I remember having some trouble trying to add DS records,
but DNSKEY worked fine. Of course the zone has to be signed using that
key, and ISC asks you to add a TXT record at dlv.your.zone (or something
similar) to prove your ability to modify the zone.
The procedure is simple and well defined.

And about OVH - I don't know if it's related, but I've asked Polish OVH
how about providing DNSSEC, as .pl is planned to be signed mid-year, and
they've answered me they will probably be ready. This might, or might
not be related to providing DNSSEC by other OVH branches and for other
registries.

Torinthiel
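The two DS lines in a dsset-* file, like the two DLV records in the thread, describe one key (same key tag, same algorithm) with two digest types, and the key to publish is the one with the SEP flag. As an added example that is not code from the thread or from ISC, here is how the key tag, the SEP flag and both DS digests are derived from a DNSKEY RDATA per RFC 4034, using a constructed key for example.eu. (not a real zone key):

```python
"""Derive key tag, SEP flag and DS digests from a DNSKEY RDATA (RFC 4034)."""
import hashlib
import struct

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034 / RFC 4509)
SEP_FLAG = 0x0001  # Secure Entry Point bit of the DNSKEY flags field


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lower-case, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA (flags..public key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_sep(rdata: bytes) -> bool:
    """True when the flags carry the SEP bit (257 = ZONE|SEP, i.e. a KSK)."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return bool(flags & SEP_FLAG)


def ds_records(owner: str, rdata: bytes):
    """DS presentation lines for one DNSKEY, one per digest type (SHA-1, SHA-256)."""
    tag, alg = key_tag(rdata), rdata[3]  # algorithm is the 4th RDATA byte
    lines = []
    for dtype, h in DIGEST.items():
        digest = h(owner_wire(owner) + rdata).hexdigest().upper()
        lines.append(f"{owner} IN DS {tag} {alg} {dtype} {digest}")
    return lines


def same_key(ds_lines) -> bool:
    """Check that DS/DLV lines (dsset file or dig output) all name a single key."""
    tags = set()
    for line in ds_lines:
        f = line.split()
        i = next(i for i, t in enumerate(f) if t in ("DS", "DLV"))
        tags.add((f[i + 1], f[i + 2]))  # (key tag, algorithm)
    return len(tags) == 1


# Constructed, not a real key: flags=257 (KSK), protocol=3, alg=8, 8-byte "public key".
KSK_RDATA = bytes([1, 1, 3, 8]) + bytes([3, 1, 0, 1, 0xAB, 0xCD, 0xEF, 0x12])

if __name__ == "__main__":
    for line in ds_records("example.eu.", KSK_RDATA):
        print(line)
```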
Re: inconsistency dnssec debuggers response and writing advice for new zones

On Tuesday 01 March 2011 at 09:34 +0100, Laurent Bauer wrote:
> On 28/02/2011 23:35, fakessh @ wrote:
> >> This is not handled yet. The .FR zone has been signed since September
> >> 2010, but submitting DS for child zones will be supported later this year.
> >> See http://operations.afnic.fr for more information.
> >>
> > thank you for taking the trouble to answer me.
> >
> > I therefore rest with my chain of security provided by isc dlv and wait
> > for the DS flag a chance to insert later.
> >
> > but I wonder one thing: I'm not a registrar, I am a passionate individual,
> > how am I going to do later the flag for my DS .eu domain and .fr? I
> > do not know and still do not understand how
>
> You will have to ask your registrar to submit the DS to the parent zone,
> just as you have to ask your registrar

my registrar OVH does not implement dnssec yet

> when you want to change the NS
> for your zone.

i use other secondary dns that does not come from ovh and use isc dlv

> If they are already implementing DNSSEC, ask them what you are supposed
> to provide (the KSK or the DS only);

for the submission in isc dlv we have their key to submit and we get a new text record, it is easy to initiate

> I guess there must be a FAQ

no explicit FAQ for implementing a DS record

> somewhere on the control panel.

is the repeat isc dlv seems to accept the flag DS
in my case i have to a file dsset-fakessh.eu
but the file contains two keys DS and i don't know which to use

> Eurid is already ready for DS submission, so you will be able to
> complete the whole chain of trust for your .eu domain, if your registrar
> is DNSSEC ready.
>
> Laurent

--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
Re: inconsistency dnssec debuggers response and writing advice for new zones

On 28/02/2011 23:35, fakessh @ wrote:
>> This is not handled yet. The .FR zone has been signed since September
>> 2010, but submitting DS for child zones will be supported later this year.
>> See http://operations.afnic.fr for more information.
>>
> thank you for taking the trouble to answer me.
>
> I therefore rest with my chain of security provided by isc dlv and wait
> for the DS flag a chance to insert later.
>
> but I wonder one thing: I'm not a registrar, I am a passionate individual,
> how am I going to do later the flag for my DS .eu domain and .fr? I
> do not know and still do not understand how

You will have to ask your registrar to submit the DS to the parent zone, just as you have to ask your registrar when you want to change the NS for your zone.
If they are already implementing DNSSEC, ask them what you are supposed to provide (the KSK or the DS only); I guess there must be a FAQ somewhere on the control panel.
Eurid is already ready for DS submission, so you will be able to complete the whole chain of trust for your .eu domain, if your registrar is DNSSEC ready.

Laurent
Re: inconsistency dnssec debuggers response and writing advice for new zones

On Monday 28 February 2011 at 20:14 +0100, Laurent Bauer wrote:
> Eivind Olsen wrote:
> >
> > Well, I see a few different errors for that domain:
> >
> > I don't see any DS records for your domain when I query the fr.
> > nameservers. I don't know how it's handled in that TLD but I guess
> > you somehow need to tell your registrar about your KSK, so they
> > can put in the correct DS record.
>
> This is not handled yet. The .FR zone has been signed since September
> 2010, but submitting DS for child zones will be supported later this year.
> See http://operations.afnic.fr for more information.
>

thank you for taking the trouble to answer me.

I therefore rest with my chain of security provided by isc dlv and wait for the DS flag a chance to insert later.

but I wonder one thing: I'm not a registrar, I am a passionate individual, how am I going to do later the flag for my DS .eu domain and .fr? I do not know and still do not understand how

> Laurent

--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
Re: inconsistency dnssec debuggers response and writing advice for new zones

Eivind Olsen wrote:
> Well, I see a few different errors for that domain:
>
> I don't see any DS records for your domain when I query the fr.
> nameservers. I don't know how it's handled in that TLD but I guess
> you somehow need to tell your registrar about your KSK, so they
> can put in the correct DS record.

This is not handled yet. The .FR zone has been signed since September 2010, but submitting DS for child zones will be supported later this year.
See http://operations.afnic.fr for more information.

> The delegation of your domain looks a bit odd, the fr. nameservers claim you have:
> - ns0.xname.org
> - ns1.xname.org
> - ns1.novacrea.fr
> - r13151.ovh.net
> ...but if I query any of these, I'm told there's also ns2.xname.org

This NS record was most certainly added in the child zone after the domain registration, as the registry performs a zonecheck before adding / updating nameservers. Among other things, the nameserver list in each zone must match the one you want to use at the registry level, or else the NS update is not processed.

> At the moment, ns1.xname.org gives an older version of the zone, with a serial number "2011021401"

That is another requirement for the zonecheck: the serial number must match in all zones.

Laurent
Re: inconsistency dnssec debuggers response and writing advice for new zones

On 28 Feb 2011 at 17:46, fakessh @ wrote:
> for example the test shows me some time
> http://dnssec-debugger.verisignlabs.com/nicolaspichot.fr the results are
> not consistent with my expectations

Well, I see a few different errors for that domain:

I don't see any DS records for your domain when I query the fr. nameservers. I don't know how it's handled in that TLD but I guess you somehow need to tell your registrar about your KSK, so they can put in the correct DS record.

The delegation of your domain looks a bit odd, the fr. nameservers claim you have:
- ns0.xname.org
- ns1.xname.org
- ns1.novacrea.fr
- r13151.ovh.net
...but if I query any of these, I'm told there's also ns2.xname.org

At the moment, ns1.xname.org gives an older version of the zone, with a serial number "2011021401"

Check the list of errors on http://dnsviz.net/d/nicolaspichot.fr/dnssec/ especially about missing key 12961.

--
Regards
Eivind Olsen
eiv...@aminor.no
inconsistency dnssec debuggers response and writing advice for new zones

hello bind network

I just installed bind version 9.7.3 and I just noticed that the zones have been modified by the rpm (i think). they seem to have greater respect for the standards than the previous version, 9.7.0-6.p2 from the centos testing rpm repository. what reading do you advise me to learn how to write a zone file?

I possess three domains signed with dnssec, and I noticed an inconsistency in the responses of the debuggers. it probably comes from my secondary server, whose configuration I do not control completely, but for example the test shows me some time http://dnssec-debugger.verisignlabs.com/nicolaspichot.fr the results are not consistent with my expectations

thanks, many returns are welcome

--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7