Re: [dns-operations] help with a resolution

2020-01-10 Thread Viktor Dukhovni
On Fri, Jan 10, 2020 at 08:09:20PM +0530, Mukund Sivaraman wrote: > > > If there is a default, it should promptly change to 8 or 13. > > > > I will prioritize it. > > This work has been merged now in Loop, to match the recommendations of > RFC 8624: > > * dnssec-keygen by default creates

Re: [dns-operations] help with a resolution

2020-01-10 Thread Mukund Sivaraman
On Thu, Jan 09, 2020 at 12:38:05PM +0530, Mukund Sivaraman wrote: > > > Loop's toolchain has had the default algorithms so, which it inherited. > > > There > > > is a branch that changes the defaults, but it won't be merged in the first > > > quarter of this year. > > > > If there is a default,

Re: [dns-operations] help with a resolution

2020-01-08 Thread Mukund Sivaraman
On Wed, Jan 08, 2020 at 01:45:44PM -0500, Viktor Dukhovni wrote: > On Wed, Jan 08, 2020 at 11:34:00PM +0530, Mukund Sivaraman wrote: > > > > > [muks@jurassic ~/tmp-dnssec]$ dnssec-dsfromkey Kexample.org.+005+04222 > > > > example.org. IN DS 4222 5 1 7B83C10E0220CA65139DFFE14F3F24B8D8ACAEA2 > > >

Re: [dns-operations] help with a resolution

2020-01-08 Thread Mukund Sivaraman
On Wed, Jan 08, 2020 at 08:07:22PM +, Paul Vixie wrote: > On Wednesday, 8 January 2020 18:45:44 UTC Viktor Dukhovni wrote: > > > > Loop's toolchain has had the default algorithms so, which it inherited. > > > There is a branch that changes the defaults, but it won't be merged in > > > the

Re: [dns-operations] help with a resolution

2020-01-08 Thread Viktor Dukhovni
On Wed, Jan 08, 2020 at 02:53:42PM -0500, Warren Kumari wrote:
> Can someone please explain to me in baby words how the SHA-1 issue affects
> DNSSEC? [...] but SHA-1 is still 2nd-preimage resistant - given the hash
> a94a8fe5ccb19ba61c4c0873d391e987982fbbd3, it is infeasible to find another
>

Re: [dns-operations] help with a resolution

2020-01-08 Thread Paul Vixie
On Wednesday, 8 January 2020 18:45:44 UTC Viktor Dukhovni wrote:
> > Loop's toolchain has had the default algorithms so, which it inherited.
> > There is a branch that changes the defaults, but it won't be merged in
> > the first quarter of this year.
>
> If there is a default, it should

Re: [dns-operations] help with a resolution

2020-01-08 Thread Warren Kumari
On Wed, Jan 8, 2020 at 1:54 PM Viktor Dukhovni wrote: > > On Wed, Jan 08, 2020 at 11:34:00PM +0530, Mukund Sivaraman wrote: > > > > > [muks@jurassic ~/tmp-dnssec]$ dnssec-dsfromkey Kexample.org.+005+04222 > > > > example.org. IN DS 4222 5 1 7B83C10E0220CA65139DFFE14F3F24B8D8ACAEA2 > > > >

Re: [dns-operations] help with a resolution

2020-01-08 Thread Viktor Dukhovni
On Wed, Jan 08, 2020 at 11:34:00PM +0530, Mukund Sivaraman wrote: > > > [muks@jurassic ~/tmp-dnssec]$ dnssec-dsfromkey Kexample.org.+005+04222 > > > example.org. IN DS 4222 5 1 7B83C10E0220CA65139DFFE14F3F24B8D8ACAEA2 > > > example.org. IN DS 4222 5 2 > > >

Re: [dns-operations] help with a resolution

2020-01-08 Thread Mukund Sivaraman
Hi Viktor On Wed, Jan 08, 2020 at 10:05:53AM -0500, Viktor Dukhovni wrote: > On Wed, Jan 08, 2020 at 08:11:56PM +0530, Mukund Sivaraman wrote: > > > [muks@jurassic ~/tmp-dnssec]$ dnssec-keygen -f KSK example.org > > Generating key pair..+ .+ > >

Re: [dns-operations] help with a resolution

2020-01-08 Thread Stephane Bortzmeyer
On Wed, Jan 08, 2020 at 07:05:04PM +0800, William C wrote a message of 15 lines which said:
> 1. how to check if a zone has a valid DNSSEC key?

If you are not a DNSSEC expert, DNSviz is a handy tool

> 2. how to validate if the zone has been signed with correct key?

Re: [dns-operations] help with a resolution

2020-01-08 Thread Viktor Dukhovni
On Wed, Jan 08, 2020 at 08:11:56PM +0530, Mukund Sivaraman wrote:
> [muks@jurassic ~/tmp-dnssec]$ dnssec-keygen -f KSK example.org
> Generating key pair..+ .+
> Kexample.org.+005+04222
>
> [muks@jurassic ~/tmp-dnssec]$ dnssec-dsfromkey Kexample.org.+005+04222

Re: [dns-operations] help with a resolution

2020-01-08 Thread Mukund Sivaraman
On Wed, Jan 08, 2020 at 07:05:04PM +0800, William C wrote:
> Thanks all for explains.
> I am new to DNSSEC, so I have questions:
>
> 1. how to check if a zone has a valid DNSSEC key?

The hash in the DS record in the parent zone should correspond to the DNSKEY at the apex of your (child) zone.

Re: [dns-operations] help with a resolution

2020-01-08 Thread William C
Thanks all for explains. I am new to DNSSEC, so I have questions:

1. how to check if a zone has a valid DNSSEC key?
2. how to validate if the zone has been signed with correct key?

Regards.

on 2020/1/8 19:00, Stephane Bortzmeyer wrote:

As explained by several experts, this domain is

Re: [dns-operations] help with a resolution

2020-01-08 Thread Stephane Bortzmeyer
On Wed, Jan 08, 2020 at 08:56:41AM +0800, William C wrote a message of 59 lines which said:
> Can you help check why public nameservers (all 8.8.8.8, 1.1.1.1, 9.9.9.9
> etc) can't resolve this domain?

As explained by several experts, this domain is DNSSEC-broken. This has nothing to do with

Re: [dns-operations] help with a resolution

2020-01-07 Thread Viktor Dukhovni
On Tue, Jan 07, 2020 at 08:37:45PM -0500, Viktor Dukhovni wrote:
> That's easy, the domain is delegated signed:
>
> pike-aviation.com. IN DS 41388 7 1
> fc9228e1b977dcd5c830a5c0101532e225e173cf

FWIW, the DS RRset and DNSKEYs have been in place since ~2018-01-10.

domain |

Re: [dns-operations] help with a resolution

2020-01-07 Thread Warren Kumari
Your DNSSEC is broken - see https://dnsviz.net/d/pike-aviation.com/dnssec/

.com says that the domain is signed (with keyid 41388), but there is no DNSKEY in the zone.

W

On Tue, Jan 7, 2020 at 8:33 PM William C wrote:
>
> Hi
>
> Can you help check why public nameservers (all 8.8.8.8, 1.1.1.1,

Re: [dns-operations] help with a resolution

2020-01-07 Thread Viktor Dukhovni
On Wed, Jan 08, 2020 at 08:56:41AM +0800, William C wrote:
> Can you help check why public nameservers (all 8.8.8.8, 1.1.1.1, 9.9.9.9
> etc) can't resolve this domain?
>
> $ dig pike-aviation.com @8.8.8.8
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15133

That's easy, the domain is

[dns-operations] help with a resolution

2020-01-07 Thread William C
Hi

Can you help check why public nameservers (all 8.8.8.8, 1.1.1.1, 9.9.9.9 etc) can't resolve this domain?

$ dig pike-aviation.com @8.8.8.8

; <<>> DiG 9.10.3-P4-Ubuntu <<>> pike-aviation.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: