Re: rndc-key has expired
On Wed, Mar 23, 2011 at 08:57:26PM +0100, fakessh @ wrote: hi guru I'm walking on the same server rndc and named Then all I can suggest is generating a new key. What puzzles me is that I don't see a way to see or adjust dates on the generated keys. -- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc-key has expired
On Wed, Mar 23, 2011 at 10:09:06PM +0100, fakessh @ wrote: I can wait how long before this ends? ... Are you running 'rndc' from the same server on which the 'named' is running? If not, make sure that both have the same time. ... I don't understand the question. Is it at all related to my suggestion? -- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc-key has expired
I edit the file named.conf modification update-policy { grant * self * A TXT; }; to update-policy local; it seems more logical. but I'm still stuck on the validation of isc dlv. the script tells me lost keys and I am therefore blocks any update is welcome Le mercredi 23 mars 2011 à 02:30 +0100, fakessh @ a écrit : I changed options update-policy { grant fakessh.eu. name fakessh.eu. A TXT; }; since update-policy { grant * self * A TXT; }; Le mardi 22 mars 2011 à 14:59 +0100, fakessh @ a écrit : hi bind guru It appears after the log that my signature rndc-key has expired. how to update it ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7 signature.asc Description: Ceci est une partie de message numériquement signée ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc-key has expired
I edit the file named.conf modification update-policy { grant * self * A TXT; }; to update-policy local; it seems more logical. but I'm still stuck on the validation of isc dlv. the script tells me lost keys Which script? What exactly does it say? I'm guessing you might have enabled dynamic updates in a DNSSEC signed zone, without BIND having access to the private keys needed to sign, but that's a wild guess really. Regards Eivind Olsen ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc-key has expired
I use and bind rndc and dlv isc for dnssec my zone config like this zone renelacroute.fr { type master; file /var/named/renelacroute.fr.hosts; auto-dnssec maintain; update-policy local; key-directory /var/named/keys/; allow-transfer { 213.251.*.*;87.98.*.*; 195.234.*.*;94.23.*.\ *; 193.223.*.*; }; }; and my log dnssec it is 23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired 23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired 23-Mar-2011 16:18:18.244 dnssec: debug 2: tsig key 'rndc-key': signature has expired I can not use the script to validate the answers (for dnssec ) I isc SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR 5.814:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR 5.814:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR 5.814:INFO Total answers: 3 5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164 5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232 5.816:SUCCESS All DNSKEY responses are identical. 5.822:DEBUG VERIFY-DNSKEY: Checking tag=62721 flags=256 alg=RSASHA1 AwEAAb20...UzDMzFplHk= 5.822:DEBUG VERIFY-DNSKEY: Ignoring key. 5.822:DEBUG VERIFY-DNSKEY: Checking tag=48793 flags=257 alg=RSASHA1 AwEAAbj7...WFfCkn7o38= 5.822:DEBUG VERIFY-DNSKEY: Ignoring key. 5.822:INFO VERIFY-DNSKEY: 2 DNSKEYs found. 5.822:INFO VERIFY-DNSKEY: 0 keys found after filtering. 5.822:DEBUG VERIFY-DNSKEY: Using keys: 5.822:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY 5.822:FAILURE VERIFY-DNSKEY: No keys found after filtering. 5.822:FAILURE DNSKEY signature did not validate. 5.822:FINAL_FAILURE FAILURE Le mercredi 23 mars 2011 à 09:29 +0100, Eivind Olsen a écrit : I edit the file named.conf modification update-policy { grant * self * A TXT; }; to update-policy local; it seems more logical. but I'm still stuck on the validation of isc dlv. the script tells me lost keys Which script? What exactly does it say? I'm guessing you might have enabled dynamic updates in a DNSSEC signed zone, without BIND having access to the private keys needed to sign, but that's a wild guess really. Regards Eivind Olsen -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7 signature.asc Description: Ceci est une partie de message numériquement signée ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc-key has expired
hi isc hi list hi guru of bind errors continue to recur rndc-key expired But I apply the command for create the key dnssec-keygen -a HMAC-MD5 -b 512 -n HOST rndc-key Le mercredi 23 mars 2011 à 16:24 +0100, fakessh @ a écrit : I use and bind rndc and dlv isc for dnssec my zone config like this zone renelacroute.fr { type master; file /var/named/renelacroute.fr.hosts; auto-dnssec maintain; update-policy local; key-directory /var/named/keys/; allow-transfer { 213.251.*.*;87.98.*.*; 195.234.*.*;94.23.*.\ *; 193.223.*.*; }; }; and my log dnssec it is 23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired 23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired 23-Mar-2011 16:18:18.244 dnssec: debug 2: tsig key 'rndc-key': signature has expired I can not use the script to validate the answers (for dnssec ) I isc SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR 5.814:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR 5.814:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR 5.814:INFO Total answers: 3 5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164 5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232 5.816:SUCCESS All DNSKEY responses are identical. 5.822:DEBUG VERIFY-DNSKEY: Checking tag=62721 flags=256 alg=RSASHA1 AwEAAb20...UzDMzFplHk= 5.822:DEBUG VERIFY-DNSKEY: Ignoring key. 5.822:DEBUG VERIFY-DNSKEY: Checking tag=48793 flags=257 alg=RSASHA1 AwEAAbj7...WFfCkn7o38= 5.822:DEBUG VERIFY-DNSKEY: Ignoring key. 5.822:INFO VERIFY-DNSKEY: 2 DNSKEYs found. 5.822:INFO VERIFY-DNSKEY: 0 keys found after filtering. 5.822:DEBUG VERIFY-DNSKEY: Using keys: 5.822:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY 5.822:FAILURE VERIFY-DNSKEY: No keys found after filtering. 5.822:FAILURE DNSKEY signature did not validate. 5.822:FINAL_FAILURE FAILURE Le mercredi 23 mars 2011 à 09:29 +0100, Eivind Olsen a écrit : I edit the file named.conf modification update-policy { grant * self * A TXT; }; to update-policy local; it seems more logical. but I'm still stuck on the validation of isc dlv. the script tells me lost keys Which script? What exactly does it say? I'm guessing you might have enabled dynamic updates in a DNSSEC signed zone, without BIND having access to the private keys needed to sign, but that's a wild guess really. Regards Eivind Olsen ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7 signature.asc Description: Ceci est une partie de message numériquement signée ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc-key has expired
What is this??? To: fakessh @ fake...@fakessh.eu On Tue, Mar 22, 2011 at 02:59:22PM +0100, fakessh @ wrote: hi bind guru It appears after the log that my signature rndc-key has expired. how to update it -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7 Are you running 'rndc' from the same server on which the 'named' is running? If not, make sure that both have the same time. -- /*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc-key has expired
hi guru I'm walking on the same server rndc and named Le mercredi 23 mars 2011 à 14:46 -0400, Joseph S D Yao a écrit : What is this??? To: fakessh @ fake...@fakessh.eu On Tue, Mar 22, 2011 at 02:59:22PM +0100, fakessh @ wrote: hi bind guru It appears after the log that my signature rndc-key has expired. how to update it -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7 Are you running 'rndc' from the same server on which the 'named' is running? If not, make sure that both have the same time. -- /*\ ** ** Joe Yaoj...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7 signature.asc Description: Ceci est une partie de message numériquement signée ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc-key has expired
I can wait how long before this ends? Le mercredi 23 mars 2011 à 14:46 -0400, Joseph S D Yao a écrit : What is this??? To: fakessh @ fake...@fakessh.eu On Tue, Mar 22, 2011 at 02:59:22PM +0100, fakessh @ wrote: hi bind guru It appears after the log that my signature rndc-key has expired. how to update it -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7 Are you running 'rndc' from the same server on which the 'named' is running? If not, make sure that both have the same time. -- /*\ ** ** Joe Yaoj...@tux.org - Joseph S. D. Yao ** \*/ ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7 signature.asc Description: Ceci est une partie de message numériquement signée ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc-key has expired
In message 1300893881.12273.67.camel@localhost.localdomain, fakessh @ write s: I use and bind rndc and dlv isc for dnssec=20 my zone config like this zone renelacroute.fr { type master; file /var/named/renelacroute.fr.hosts; auto-dnssec maintain; update-policy local; key-directory /var/named/keys/; allow-transfer { 213.251.*.*;87.98.*.*; 195.234.*.*;94.23.*.\ *; 193.223.*.*; }; }; and my log dnssec it is 23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired 23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired 23-Mar-2011 16:18:18.244 dnssec: debug 2: tsig key 'rndc-key': signature has expired I can not use the script to validate the answers (for dnssec ) I isc RNDC, TSIG and DNSSEC are *different* things. TSIG is a transaction signature and by default it is valid for 5 minutes (tsig.fudge) from when it is computed. TSIG can be used on zone transfers and to secure individual DNS transactions. The format of TSIG log messages is tsig key '%s': %s and tsig key '%s' (%s): %s. TSIG uses HMAC with private keys or it can use public key cyptograhy similar to DNSSEC. The DNS server and client being out of time sync can generate the above messages. A slow TSIG signed zone transfer can also generate the messages above even when the server and client are in sync if it takes more than 5 minutes to send the signed messages in the axfr/ixfr stream to the client. RNDC, uses HMAC (private keys). It shares hmac keys with TSIG but passes the expiry values differently. The format of its log messages is invalid command from %s: %s The above messages are not rndc related. DNSSEC uses RRSIGs and they are valid for 30 days by default. DNSSEC secures records in the transaction, not the transaction itself. You have a secure transaction if all the components of the transaction are secure and otherwise sensible. The above messages are not DNSSEC related. The message below are DNSSEC related. Mark SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR 5.814:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR 5.814:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR 5.814:INFO Total answers: 3 5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164 5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232 5.816:SUCCESS All DNSKEY responses are identical. 5.822:DEBUG VERIFY-DNSKEY: Checking tag=3D62721 flags=3D256 alg=3DRSASHA1 AwEAAb20...UzDMzFplHk=3D 5.822:DEBUG VERIFY-DNSKEY: Ignoring key. 5.822:DEBUG VERIFY-DNSKEY: Checking tag=3D48793 flags=3D257 alg=3DRSASHA1 AwEAAbj7...WFfCkn7o38=3D 5.822:DEBUG VERIFY-DNSKEY: Ignoring key. 5.822:INFO VERIFY-DNSKEY: 2 DNSKEYs found. 5.822:INFO VERIFY-DNSKEY: 0 keys found after filtering. 5.822:DEBUG VERIFY-DNSKEY: Using keys: 5.822:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY 5.822:FAILURE VERIFY-DNSKEY: No keys found after filtering. 5.822:FAILURE DNSKEY signature did not validate. 5.822:FINAL_FAILURE FAILURE Le mercredi 23 mars 2011 =C3=A0 09:29 +0100, Eivind Olsen a =C3=A9crit : I edit the file named.conf modification update-policy { grant * self * A TXT; }; to update-policy local; it seems more logical. but I'm still stuck on the validation of isc dlv. the script tells me lost keys =20 Which script? What exactly does it say? =20 I'm guessing you might have enabled dynamic updates in a DNSSEC signed zone, without BIND having access to the private keys needed to sign, but that's a wild guess really. =20 Regards Eivind Olsen =20 =20 --=20 gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=3Dgetsearch=3D0x092164A7 --=-nHmVHAZDpObhKURw8YiG Content-Type: application/pgp-signature; name=signature.asc Content-Description: Ceci est une partie de message =?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?= -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQBNihC5tXI/OwkhZKcRAq2dAJ0SsEztSh/rgrKCYyo3JerXzjsOxgCggvQv 5jISvLMReyxov6dURql1lw0= =e9RP -END PGP SIGNATURE- --=-nHmVHAZDpObhKURw8YiG-- --===8954482665668778810== Content-Type: text/plain; charset=us-ascii MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users --===8954482665668778810==-- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
rndc-key has expired
hi bind guru It appears after the log that my signature rndc-key has expired. how to update it -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7 signature.asc Description: Ceci est une partie de message numériquement signée ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc-key has expired
I changed options update-policy { grant fakessh.eu. name fakessh.eu. A TXT; }; since update-policy { grant * self * A TXT; }; Le mardi 22 mars 2011 à 14:59 +0100, fakessh @ a écrit : hi bind guru It appears after the log that my signature rndc-key has expired. how to update it ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7 signature.asc Description: Ceci est une partie de message numériquement signée ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users