Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?

Johan Ihren johani at johani.org
Mon Jan 12 23:54:56 UTC 2009


Hi Mark,

On 12 Jan 2009, at 23:49, Mark Andrews wrote:

>> I realise this just has to be a user error, but so far I've been
>> completely unsuccessful in getting an authenticated response from a
>> 9.6.0 recursive server with trusted keys correctly configured.
>>
>> I've done this:
>>
>> * Signed the zones:
>>
>> "parent" is signed with NSEC semantics, key algorithm is RSASHA1
>> "child1.parent" is signed with NSEC, key algorithm is RSASHA1
>> "child2.parent" is signed with NSEC3, key algorithm is NSEC3RSASHA1
>
> Did you tell dnssec-signzone to generate NSEC3 chains rather
> than NSEC chains?  NSEC3RSASHA1 allows for both NSEC and
> NSEC3 chains and dnssec-signzone defaults to NSEC chains.
>
> dnssec-signzone -3 salt [-H iterations] [-A] ....

Absolutely, and the signed zone looks fine (except that it is full of
ugly NSEC3s ;-). This is my dnssec-signzone invocation:

dnssec-signzone -N increment -v 9 -a -A -H 1 -3 "" -o $ZONE $ZONE $ZSK $KSK

>> * Created the secure delegations:
>>
>> the DS records for child1.parent and child2.parent both use the
>> correct algorithm numbers (5 and 7 respectively)
>>
>> * Configured a trusted key for "parent" in a recursive server:
>>
>> The trusted key is correctly configured, because I'm able to validate
>> positive responses from all three zones (which also proves that the
>> delegations are correctly secured via the DS records). I'm also able
>> to validate negative responses from "parent" and "child1.parent".
>>
>> And, yes, I have "dnssec-enable yes; dnssec-validation yes;" in
>> relevant places.
>>
>> But I fail to validate the interesting case, i.e. a negative response
>> from child2.parent containing NSEC3 records as the proof. I get the
>> response, with all the NSEC3s and their RRSIGs. But no AD bit.
>>
>> Anyone done this recently who can give me a suggestion to where I may
>> go wrong?

Johan
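For readers following the thread, here is an added example (not code from the thread or from BIND) of the two things a validator must do with the NSEC3 records in a negative response: hash the queried name exactly as the signer did, and check that the hash falls in the gap between an NSEC3 owner and its "next hashed owner" field. The salt and iteration count mirror the invocation above (empty salt, -H 1); the zone name child2.parent is taken from the thread, and the other names are constructed.

```python
import base64
import hashlib

# NSEC3 owner names are base32hex (RFC 4648 section 7); Python's b32encode
# uses the standard alphabet, so translate the result.
_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_B32HEX = bytes.maketrans(_STD, _HEX)


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the root (zero-length) label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 1) -> str:
    """RFC 5155 section 5 with SHA-1: H(name || salt), then `iterations`
    additional rounds of H(prev || salt); returned as base32hex."""
    salt = bytes.fromhex(salt_hex)
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_B32HEX).decode("ascii")


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True when target lies strictly inside the gap (owner, next).
    The last record of the chain points back to the smallest hash, so
    that record covers everything above its owner or below its next."""
    o, n, t = owner_hash.upper(), next_hash.upper(), target_hash.upper()
    if o < n:
        return o < t < n
    return t > o or t < n  # wrap-around record


if __name__ == "__main__":
    # Constructed names in the thread's NSEC3 zone; the hashes printed here
    # are what the resolver compares against the NSEC3 owners it received.
    zone = "child2.parent"
    for n in ["child2.parent", "www.child2.parent", "nonexistent.child2.parent"]:
        print(f"{nsec3_hash(n)}.{zone}  <- {n}")
```

A missing AD bit with NSEC3s present usually means one of these steps failed on the resolver side (different salt or iteration count than the zone's NSEC3PARAM, or no covering record for the closest encloser or the next-closer name), so comparing the hashes computed this way against the returned NSEC3 owners is a quick way to narrow it down.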

