Re: How to validate DNSSEC signed record with dig?

2012-02-08 Thread William Thierry SAMEN 
Hi, thanks for the quick answer,

but my problem is still not resolved, i check all your solutions but
nothing.

I'll show you my file zone which i wanted to sign and the command i used.

My file zone:
; This is a zone-signing key, keyid 12762, for *../etc/toto.com.*
; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
*../etc/toto.com*. IN DNSKEY 256 3 5
AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

Command line that i used for sign this zone
./dnssec-signzone -p -t -g -k KSK.key -o toto.com ../etc/toto.com ZSK.key

Have you seen some mistake?

Thanks for your help.

2012/2/7 Spain, Dr. Jeffry A. spa...@countryday.net

  dnssec-signzone: fatal: key myKSK.key not at origin

 What are the contents of myKSK.key?
 The format is mydomain.com. IN DNSKEY ... where mydomain.com is the
 domain origin.

 Jeffry A. Spain
 Network Administrator
 Cincinnati Country Day School




-- 
Cordialement.
Thierry *SAMEN.*
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How to validate DNSSEC signed record with dig?

2012-02-08 Thread Tony Finch 
William Thierry SAMEN thierry.sa...@gmail.com wrote:

 My file zone:

Er this looks like a key file, not a zone file. The key has been generated
incorrectly: it has a file name where the zone name should be.

 ; This is a zone-signing key, keyid 12762, for *../etc/toto.com.*
 ; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
 ; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
 ; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
 *../etc/toto.com*. IN DNSKEY 256 3 5 
 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Viking, North Utsire: Southerly 5 to 7, occasionally gale 8 in Viking. Rough,
becoming very rough in Viking. Rain later. Good, becoming moderate later.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How to validate DNSSEC signed record with dig?

2012-02-08 Thread William Thierry SAMEN 
Absolutely Tony that was a key file which has been generated by
dnssec-keygen command.

My zone file is so simple and its look like that i have checked it before
with the named-checkzone and all is good in my file zone.

I changed option -o absolute way of my domain by the option -o my
domain only and now i had this error:

dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not
at top of zone
dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at
top of zone

at the line 12 of my file zone i haven't seen any mistake.

here is my zone file:

$ORIGIN .
$TTL 17200  ; 4 hours 46 minutes 40 seconds
toto.com. IN SOA  ns10.boom.fr. postmaster.boom.com. (
2012020802 ; serial
216000 ; refresh (2 days 12 hours)
3600   ; retry (1 hour)
360; expire (5 weeks 6 days 16
hours)
172800 ; minimum (2 days)
)
NS  ns.boom.fr.
NS  ns2.boom.fr.
A   217.128.32.85
$ORIGIN toto.com.
*   A   217.128.32.85

;DNSsec keys starts here

$include
/exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+12762.key
$include
/exec/applis/thierry/DNS/sbin/K%2Fexec%2Fapplis%2Fthierry%2Fdns%2Fetc%2Ftoto.com.+005+60826.key

Thanks


2012/2/8 Tony Finch d...@dotat.at

 William Thierry SAMEN thierry.sa...@gmail.com wrote:
 
  My file zone:

 Er this looks like a key file, not a zone file. The key has been generated
 incorrectly: it has a file name where the zone name should be.

  ; This is a zone-signing key, keyid 12762, for *../etc/toto.com.*
  ; Created: 20120207101131 (Tue Feb  7 11:11:31 2012)
  ; Publish: 20120207101131 (Tue Feb  7 11:11:31 2012)
  ; Activate: 20120207101131 (Tue Feb  7 11:11:31 2012)
  *../etc/toto.com*. IN DNSKEY 256 3 5
 AwEAAbpc1rBsrB3XrOlUAE1Xxfyef9POsH8jypLVImuBPEGgE

 Tony.
 --
 f.anthony.n.finch  d...@dotat.at  http://dotat.at/
 Viking, North Utsire: Southerly 5 to 7, occasionally gale 8 in Viking.
 Rough,
 becoming very rough in Viking. Rain later. Good, becoming moderate later.




-- 
Cordialement.
Thierry *SAMEN.*
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How to validate DNSSEC signed record with dig?

2012-02-08 Thread Tony Finch 
William Thierry SAMEN thierry.sa...@gmail.com wrote:

 dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not at 
 top of zone
 dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at 
 top of zone

This is because your zone uses an include directive to import the key
files, and keys were generated incorrectly: they have file names where the
zone name should be.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Bailey: Southerly or southwesterly 4 or 5, increasing 6 to gale 8 for a time
in north and west. Very rough or high. Showers. Good, occasionally poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: How to validate DNSSEC signed record with dig?

2012-02-08 Thread Spain, Dr. Jeffry A. 
William: In my tests of DNSSEC, I have used 'auto-dnsssec maintain;' rather 
than explicitly signing the zone with dnssec-signzone. I believe I recall that 
you are using bind 9.8, so this should work for you as well. Here's something 
you can try:

In your bind configuration use the following zone stanza:
zone toto.com {
type master;
file /var/lib/bind/toto.com/toto.com.db;
key-directory /var/lib/bind/toto.com;
auto-dnssec maintain;
};

You will probably want to add some access control to this as well.

Now in the directory /var/lib/bind/toto.com (or the directory of your choice as 
long as it is specified in the configuration above), place all of your *.key 
and *.private files. Also place your unsigned zone file toto.com.db with 
contents as follows (Omit the DNSSEC info you currently have at the bottom):

$ORIGIN .
$TTL 17200  ; 4 hours 46 minutes 40 seconds
toto.com. IN SOA  ns10.boom.fr. postmaster.boom.com. (
2012020802 ; serial
216000 ; refresh (2 days 12 hours)
3600   ; retry (1 hour)
360; expire (5 weeks 6 days 16 hours)
172800 ; minimum (2 days)
)
NS  ns.boom.fr.
NS  ns2.boom.fr.
A   217.128.32.85
$ORIGIN toto.com.
*   A   217.128.32.85

If you are running bind under a UID other than root, make sure all the files 
are readable, and that the zone file is writable, by that UID. Restart the bind 
service, and bind will sign your zone using the keys you have provided as long 
as their metadata is timed appropriately, i.e. Publish and Activate dates are 
in the past, and Inactive and Delete dates in the future. To see the metadata, 
execute 'dnssec-settime -p all your_key_file_name.private'. If you need to 
change the timing metadata, use dnssec-settime again. See the ARM for details. 
Caution: dnssec-setime will 'chmod 600' your private key files.

I have been successful with this approach, and hope it works well for you also. 
Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How to validate DNSSEC signed record with dig?

2012-02-07 Thread William Thierry SAMEN 
Hi everybody,
sorry for my post i'm not read to bring a light to the 1st problem but to
find help.

I'm triying to sign a zone on Bind 9.8-P1 but i have this message:

*dnssec-signzone: fatal: key myKSK.key not at origin*

I just want help if someone has been confronted with this kind of message
i'll be so happy to have a few idea to debugg my problem

Thx.


2012/2/6 Tony Finch d...@dotat.at

 Spain, Dr. Jeffry A. spa...@countryday.net wrote:
 
  Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com)
  doesn't appear to offer DNSSEC validation, and 78.46.213.227
  (rms.coozila.com) doesn't respond to my query at all.

 It's worse than that. Google Public DNS doesn't support DNSSEC at all, so
 you cannot use it to query DNSSEC records. DNSSEC requires resolvers to
 handle RRSIG and DS records in special ways even if they are not
 validating the signatures.

 Tony.
 --
 f.anthony.n.finch  d...@dotat.at  http://dotat.at/
 North Utsire, South Utsire: Cyclonic mainly southerly or southeasterly, 5
 to
 7, occasionally gale 8 in east at first. Rough. Rain or snow. Moderate or
 poor.
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to
 unsubscribe from this list

 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users




-- 
Cordialement.
Thierry *SAMEN.*
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: How to validate DNSSEC signed record with dig?

2012-02-07 Thread Tony Finch 
William Thierry SAMEN thierry.sa...@gmail.com wrote:

 I'm triying to sign a zone on Bind 9.8-P1 but i have this message:

 *dnssec-signzone: fatal: key myKSK.key not at origin*

It means the zone name in the key is not the same as the zone you are
signing.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Rockall, Malin, Hebrides, Bailey: Southerly 6 to gale 8, occasionally severe
gale 9 except in Malin, veering northwesterly 4 or 5 for a time except in
Malin and east Hebrides. Very rough, occasionally high except in Malin.
Occasional rain. Moderate or poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: How to validate DNSSEC signed record with dig?

2012-02-07 Thread Spain, Dr. Jeffry A. 
 dnssec-signzone: fatal: key myKSK.key not at origin

What are the contents of myKSK.key?
The format is mydomain.com. IN DNSKEY ... where mydomain.com is the domain 
origin.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: How to validate DNSSEC signed record with dig?

2012-02-06 Thread Tony Finch 
Spain, Dr. Jeffry A. spa...@countryday.net wrote:

 Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com)
 doesn't appear to offer DNSSEC validation, and 78.46.213.227
 (rms.coozila.com) doesn't respond to my query at all.

It's worse than that. Google Public DNS doesn't support DNSSEC at all, so
you cannot use it to query DNSSEC records. DNSSEC requires resolvers to
handle RRSIG and DS records in special ways even if they are not
validating the signatures.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
North Utsire, South Utsire: Cyclonic mainly southerly or southeasterly, 5 to
7, occasionally gale 8 in east at first. Rough. Rain or snow. Moderate or
poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: How to validate DNSSEC signed record with dig?

2012-02-05 Thread Spain, Dr. Jeffry A. 
 I am trying to validate DNSSEC signature on ns record using dig.
 Domain nox.su is properly signed using DNSSEC. 
 I am trying to validate it as dicribed here:
 http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/
 $ dig +nocomments +nostats +nocmd +noquestion -t dnskey .  trusted-key.key $ 
 dig +topdown +sigchase  nox.su
 but it gives me ;; DSset is missing to continue validation: FAILED error 
 while processing the whole hierarchy of zones.

 $ cat /etc/resolv.conf
 # Generated by NetworkManager
 domain router
 search router
 nameserver 8.8.8.8
 nameserver 78.46.213.227

Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com) 
doesn't appear to offer DNSSEC validation, and 78.46.213.227 (rms.coozila.com) 
doesn't respond to my query at all.

A known-good publicly accessible DNSEC-validating recursive resolver is 
available at bind.odvr.dns-oarc.net. If I run dig @bind.odvr.dns-oarc.net 
nox.su +dnssec, I get an AD (authenticated data) flag returned for the A 
record with IPv4 address 50.16.193.159. This is a prima facie indication that 
DNSSEC is working for nox.su. The +topdown option isn't available to me (bind 
9.9.0rc2 version of dig).

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users