RR format error (DNSSEC related?)
Marcel Lammerse
lammerse at xs4all.nl
Wed Aug 25 21:37:40 UTC 1999
Hi,
I'm currently looking into DNSSEC and I have set up two computers running
bind on Linux PCs. I originally used version 8.1.2 when the problem
occurred. This evening I downloaded the version that was recently announced,
8.2.2, but I still experienced the same problem. It's probably a
configuration error on my part, but it's not obvious to me. That's why I'm
turning to you DNS gurus ;)
Ok, here's the deal. The servers are completely isolated from everything
else. There's just a cross-cable connecting them.
Machine A (ns.naboo.com)
authoritative for .com
delegates two zones to machine B: lightside.com and darkside.com
Machine B (ns.sith.com)
authoritative for lightside.com and darkside.com
Right. I've set up DNSSEC according to the dnssigner documentation and the
presentation Cricket has put on the web. Machine A holds a self-signed DSA
keypair and has used its private key to sign machine B's zone files. This
seems to work properly; take a look for yourself:
[root at amidala named]# nslookup
Default Server: ns.naboo.com
Address: 192.168.1.1
> maul.darkside.com
Server: ns.naboo.com
Address: 192.168.1.1
Answer crypto-validated by server:
Name: maul.darkside.com
Address: 192.168.1.5
However, when I start querying for NS-records, this happens:
> set type=ns
> lightside.com
Server: ns.naboo.com
Address: 192.168.1.1
Non-authoritative answer:
lightside.com nameserver = jedi.lightside.com
Authoritative answers can be found from:
jedi.lightside.com internet address = 192.168.1.2
lightside.com record type KEY, interpreted as:
?. 1H IN KEY 0x4101 3 3 (
At9YZu89gbCReUbjqHx7EsCwtQRlw72ItNHfflIXryMyfvz9
ZZvdTArHzAEj6b3vQFpTswV4E+CABkr3kGY3d8w1jZLFzWRV
9Vq2SWG+3VtSvssU3SCAZx6MFzvo4QJFqGqul30bSU5RYly9
HVY8KieFHoG0wZ2T4wq+ZtpxmdYwh5yW3rf4hqnjenduG1Vy
WAW/V0TlxmM3jL1zF3i06ZGg+dp/GYfFBauhM2Wc+f46VEBd
yrcWvmOToLLcM7ot4B9jcUvLXkCGGtJcjzPWEsk+ZqW39LxI
bXudw61P8O+2B+EIdOk1jYR+JN+DVv9STgWweryTKrrobn6f
04rH1hAKeebZ )
lightside.com record type SIG, interpreted as:
?. 1H IN SIG KEY 3 3600 \#( ; RR format error
37 e9 2a 20 37 c0 4b a0 87 c6 03 63 6f 6d 00 02 ; 7.* 7.K....com..
49 32 63 dd b2 07 65 31 67 40 e8 5d af 3c d2 13 ; I2c...e1g@.].<..
36 44 8c 8b 13 a7 e3 e5 84 9b 51 a5 90 ed aa 6a ; 6D........Q....j
f7 b2 f1 1f 79 9c 4c 5c ) ; ....y.L\
>
I'm not ashamed to admit that I don't have a _clue_ as to what this means or
why this goes wrong. Like, what does the question mark mean?
This is the signed zone file from machine B for lightside.com:
; Generated by dns_signer dated April 8, 1999
$ORIGIN lightside.com.
lightside.com. 86400 IN SOA ns.sith.com. root.ns.sith.com. (
19980907 ; serial
8H ; refresh
4H ; retry
5w6d16h ; expiry
1D ) ; minimum
86400 IN SIG SOA 3 86400 19990922195746 19990822195746
61875 lightside.com. (
AjrKm0SlCt5p/mhTx5RGRgonPfaRDpBwxIsAPZJmmxhmkacX
ciTSBpg= )
lightside.com. 3600 IN KEY 0x4101 3 3 (
At9YZu89gbCReUbjqHx7EsCwtQRlw72ItNHfflIXryMyfvz9
ZZvdTArHzAEj6b3vQFpTswV4E+CABkr3kGY3d8w1jZLFzWRV
9Vq2SWG+3VtSvssU3SCAZx6MFzvo4QJFqGqul30bSU5RYly9
HVY8KieFHoG0wZ2T4wq+ZtpxmdYwh5yW3rf4hqnjenduG1Vy
WAW/V0TlxmM3jL1zF3i06ZGg+dp/GYfFBauhM2Wc+f46VEBd
yrcWvmOToLLcM7ot4B9jcUvLXkCGGtJcjzPWEsk+ZqW39LxI
bXudw61P8O+2B+EIdOk1jYR+JN+DVv9STgWweryTKrrobn6f
04rH1hAKeebZ )
3600 IN SIG KEY 3 3600 19990922142739 19990822142739
34758 com. (
AqpDFOt/FSenF8gjGhsav44ZeP80FmemCXd4ZWVLWoVwjAqe
P3e3I4E= )
lightside.com. 86400 IN NS ns.sith.com.
86400 IN SIG NS 3 86400 19990922195746 19990822195746
61875 lightside.com. (
Ansfeofp6xj+GQUMVDKC4z/pUd3VleBNM44s6RQS+jfVpQiL
6isHdPA= )
lightside.com. 86400 IN NXT jarjar.lightside.com. NS SOA SIG KEY NXT
86400 IN SIG NXT 3 86400 19990922195746 19990822195746
61875 lightside.com. (
ApMG4SYnxCNMBKaUx/wp7Y6AsImyffwvRYwWgiCbr/GXv7ix
V+LxqLE= )
jarjar 86400 IN A 192.168.1.4
86400 IN SIG A 3 86400 19990922195746 19990822195746
61875 lightside.com. (
AlV+8OyLhkQBY73KUuopgcdK9SJrALL260r+dzhUDmlMTAn5
bV5uJPY= )
jarjar 86400 IN NXT padme.lightside.com. A SIG NXT
86400 IN SIG NXT 3 86400 19990922195746 19990822195746
61875 lightside.com. (
AojDbG4j31RhLApXXQ7nXgHqW5SBq6SU7nzfd7UdSUyDNMJ8
UuTC4rc= )
padme 86400 IN A 192.168.1.3
86400 IN SIG A 3 86400 19990922195746 19990822195746
61875 lightside.com. (
Arg+CbNv6S6NskkVkCDj/VlwCU4+JdMCmwi7M3fgR2eKSu7X
5JFdnzs= )
padme 86400 IN NXT lightside.com. A SIG NXT
86400 IN SIG NXT 3 86400 19990922195746 19990822195746
61875 lightside.com. (
AiAu0HTDO3lrGqFimMXofSWk8gVdbGfajaKOoCOPDRS8WYuA
vhkzdMY= )
Sometimes the same thing just happens as I play around with nslookup for a
while (just query for different records). It almost seems like this has
something to do with caching. Sometimes I get the 'crypto-validated'
response, other times I just get an error message like the one above.
Any help is immensely appreciated at this point.
Thanks,
Marcel
--
"Better safe than assimilated"
Chakotay
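As an added example (not part of the original post, and not BIND or dnssigner code), the script below decodes the two records at issue from the values printed above: it rebuilds the cached SIG KEY from nslookup's hex dump and parses it as RFC 2535 SIG RDATA, parses the SIG KEY and KEY lines of the signed lightside.com zone, and compares them. The eight RDATA bytes nslookup had already consumed before the dump (type covered, algorithm, labels, original TTL) are reconstructed from what it printed and are an assumption, as is the labels count of 2 for lightside.com. The dump parses cleanly: expiration 19990922191232, inception 19990822191232, key tag 34758, signer com., and a 41-byte DSA signature whose leading T byte matches the 640-bit DSA key in the zone. It shares signer, algorithm and key tag with the SIG KEY in the zone file but carries different validity times and signature bytes, so it is a different signing of lightside.com's KEY by the com. key than the one in the zone file.

```python
import base64
import struct
from datetime import datetime, timezone

TYPE_KEY = 25  # RFC 2535 type code for KEY
ALG_DSA = 3    # DSA/SHA-1, RFC 2536

# lightside.com's KEY RR as printed in the signed zone: flags, protocol,
# algorithm and the base64 public key, copied verbatim from the post.
KEY_FLAGS, KEY_PROTOCOL, KEY_ALGORITHM = 0x4101, 3, 3
KEY_PUBLIC_B64 = (
    "At9YZu89gbCReUbjqHx7EsCwtQRlw72ItNHfflIXryMyfvz9"
    "ZZvdTArHzAEj6b3vQFpTswV4E+CABkr3kGY3d8w1jZLFzWRV"
    "9Vq2SWG+3VtSvssU3SCAZx6MFzvo4QJFqGqul30bSU5RYly9"
    "HVY8KieFHoG0wZ2T4wq+ZtpxmdYwh5yW3rf4hqnjenduG1Vy"
    "WAW/V0TlxmM3jL1zF3i06ZGg+dp/GYfFBauhM2Wc+f46VEBd"
    "yrcWvmOToLLcM7ot4B9jcUvLXkCGGtJcjzPWEsk+ZqW39LxI"
    "bXudw61P8O+2B+EIdOk1jYR+JN+DVv9STgWweryTKrrobn6f"
    "04rH1hAKeebZ"
)
# The SIG KEY that follows it in the zone (BIND 8 text form: no labels field).
ZONE_SIG_TEXT = ("KEY 3 3600 19990922142739 19990822142739 34758 com. "
                 "AqpDFOt/FSenF8gjGhsav44ZeP80FmemCXd4ZWVLWoVwjAqeP3e3I4E=")
# nslookup's hex dump of the cached SIG KEY, copied from the post (closing
# parenthesis dropped). It starts at the expiration field: the fields before
# it are the ones nslookup had already printed as "SIG KEY 3 3600".
SIG_DUMP = """\
37 e9 2a 20 37 c0 4b a0 87 c6 03 63 6f 6d 00 02 ; 7.* 7.K....com..
49 32 63 dd b2 07 65 31 67 40 e8 5d af 3c d2 13 ; I2c...e1g@.].<..
36 44 8c 8b 13 a7 e3 e5 84 9b 51 a5 90 ed aa 6a ; 6D........Q....j
f7 b2 f1 1f 79 9c 4c 5c ; ....y.L
"""
# Assumption: the 8 header bytes in front of the dump, rebuilt from what
# nslookup printed (KEY, algorithm 3, TTL 3600) plus a labels count of 2.
SIG_HEADER_ASSUMED = struct.pack("!HBBI", TYPE_KEY, ALG_DSA, 2, 3600)


def hexdump_to_bytes(dump):
    """Turn 'xx xx ... ; ascii' lines, as nslookup prints them, into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        out.extend(int(tok, 16) for tok in line.split(";", 1)[0].split())
    return bytes(out)


def read_name(data, offset):
    """Read an uncompressed wire-format name (RFC 1035 s3.1); return (name, offset)."""
    labels = []
    while True:
        length, offset = data[offset], offset + 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointer in signer name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def sig_time(seconds):
    """SIG times are seconds since the epoch; render them the way a zone file does."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y%m%d%H%M%S")


def parse_sig_rdata(data):
    """Decode SIG RDATA (RFC 2535 s4.1): 18-byte fixed header, signer name, signature."""
    (type_covered, algorithm, labels, original_ttl,
     expiration, inception, key_tag) = struct.unpack("!HBBIIIH", data[:18])
    signer, offset = read_name(data, 18)
    signature = data[offset:]
    if algorithm == ALG_DSA and len(signature) != 41:  # T + R(20) + S(20), RFC 2536 s3
        raise ValueError("DSA signature must be 41 bytes, got %d" % len(signature))
    return {"type_covered": type_covered, "algorithm": algorithm, "labels": labels,
            "original_ttl": original_ttl, "expiration": sig_time(expiration),
            "inception": sig_time(inception), "key_tag": key_tag,
            "signer": signer, "signature": signature}


def parse_sig_text(text):
    """Parse the BIND 8 text form into the same shape (labels are not printed there)."""
    covered, alg, ttl, exp, inc, tag, signer, b64 = text.split()
    return {"type_covered": {"KEY": TYPE_KEY}[covered], "algorithm": int(alg),
            "labels": None, "original_ttl": int(ttl), "expiration": exp,
            "inception": inc, "key_tag": int(tag), "signer": signer,
            "signature": base64.b64decode(b64)}


def parse_key_rdata(flags, protocol, algorithm, public_b64):
    """Decode the KEY header; for DSA, check the key layout of RFC 2536 s2."""
    public = base64.b64decode(public_b64)
    info = {"zone_key": ((flags >> 8) & 0x3) == 1,  # name-type bits 6-7 == 01, RFC 2535 s3.1.2
            "dnssec_protocol": protocol == 3, "algorithm": algorithm, "public_key_len": len(public)}
    if algorithm == ALG_DSA:
        t = public[0]  # T selects the modulus size: 512 + 64*T bits
        if t > 8 or len(public) != 1 + 20 + 3 * (64 + 8 * t):  # T, Q, then P, G, Y
            raise ValueError("malformed DSA public key")
        info["dsa_t"], info["dsa_bits"] = t, 512 + 64 * t
    return info


def compare_sigs(a, b):
    """Which fields two SIG records share; here the cached record versus the zone file."""
    return {k: a[k] == b[k] for k in ("signer", "key_tag", "algorithm",
                                      "expiration", "inception", "signature")}


if __name__ == "__main__":
    cached = parse_sig_rdata(SIG_HEADER_ASSUMED + hexdump_to_bytes(SIG_DUMP))
    print("cached SIG KEY:", {k: v for k, v in cached.items() if k != "signature"})
    print("matches zone-file SIG KEY on:", compare_sigs(cached, parse_sig_text(ZONE_SIG_TEXT)))
    print("lightside.com KEY:", parse_key_rdata(KEY_FLAGS, KEY_PROTOCOL, KEY_ALGORITHM, KEY_PUBLIC_B64))
```

Run it as is; it needs only the standard library. The text-form parser deliberately mirrors BIND 8's presentation, which leaves out the labels field, so a SIG read from a zone file reports labels as None while one read off the wire carries the count.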