DNSSEC auto-dnssec issue bind-9.7.2-P3

Kalman Feher kalman.feher at melbourneit.com.au
Wed Jan 19 13:24:03 UTC 2011


Try without +short ;)
I also have the habit of using that and can get caught out. Remember that
+short only includes the answer, which is not the RRSIG you are hoping to
see.
On 19/01/11 12:49 PM, "Zbigniew Jasiński" <szopen at nask.pl> wrote:

> 
> On 2011-01-17 15:39, Kalman Feher wrote:
>> Have you tried more sane times?
>> 
>> Those don't look like sensible times even for a test, which is probably why
>> BIND isn't signing. I think you are below the sensitivity level for BIND to
>> sign automatically.
>> 
>> If you want to test, try using hours or days as values. When initially
>> testing I used lifetimes of a week, then increased to 1 month for ZSKs and 3
>> months for KSKs. That allowed me to test things quickly, but without
>> compromising the validity of the test.
>> 
> 
> maybe it was a little too short for keys, but ok, new keys with new timings:
> 
> ; Created: 20110119091030 (Wed Jan 19 10:10:30 2011)
> ; Publish: 20110119091124 (Wed Jan 19 10:11:24 2011)
> ; Activate: 20110119091224 (Wed Jan 19 10:12:24 2011)
> ; Inactive: 20110218091224 (Fri Feb 18 10:12:24 2011)
> ; Delete: 20110218091724 (Fri Feb 18 10:17:24 2011)
> 
> and what I've seen in logs:
> 
> NSEC3PARAM via dynamic update, and 'rndc sign' command:
> 
> Jan 19 10:10:24 named[32664]: update: client 127.0.0.1#65349: updating
> zone 'example/IN': adding an RR at 'example' NSEC3PARAM
> Jan 19 10:10:24 named[32664]: general: zone example/IN:
> dns_zone_addnsec3chain(hash=1, iterations=12, salt=1BDF09CE56C674D422EB)
> Jan 19 10:10:24 named[32664]: general: zone example/IN:
> zone_addnsec3chain(1,CREATE,12,1BDF09CE56C674D422EB)
> Jan 19 10:10:30 named[32664]: general: received control channel command
> 'sign example'
> Jan 19 10:10:30 named[32664]: general: zone example/IN: reconfiguring
> zone keys
> Jan 19 10:10:30 named[32664]: general: zone example/IN:
> zone_addnsec3chain(1,REMOVE|NONSEC,12,1BDF09CE56C674D422EB)
> Jan 19 10:10:30 named[32664]: general: zone example/IN: next key event:
> 19-Jan-2011 10:11:24.765
> 
> first key event is Publish:
> 
> Jan 19 10:11:24 named[32664]: general: zone example/IN: reconfiguring
> zone keys
> Jan 19 10:11:24 named[32664]: general: zone example/IN: next key event:
> 19-Jan-2011 11:11:24.807
> 
> second one is Activate which should occur on (Wed Jan 19 10:12:24 2011),
> but in log is one hour later, why is that?
> 
> but ok, signing zone is most important, so after Activate key event:
> 
> Jan 19 11:11:24 named[32664]: general: zone example/IN: reconfiguring
> zone keys
> Jan 19 11:11:25 named[32664]: general: zone example/IN: next key event:
> 18-Feb-2011 10:12:24.274
> 
> so now I should have a signed zone with KSK/ZSK of one month lifetime.
> using dig:
> 
> $ dig @127.0.0.1 example dnskey +dnssec +short
> 257 3 10 AwEAAa7r9QSelP34TYFVWWLhDVU+RU+LI7Fr9N0Hy2xnJ/8TK8sRo+OC
> <CUT>
> 256 3 10 AwEAAa/sFWJDcylO33IQWnpKEve661t0S/K8+AWPy+PSq69xo27WUGRN
> <CUT>
> 
> so I have both keys in my zone, but without signatures.
> 
> I've checked the journal file and there are updates with RRSIG records
> but still named is returning answers without signatures.
> 
> Any hint?
> 
> - -- 
> regards
> 
> zbigniew jasinski
> [SYStem OPerator]
> 

-- 
Kal Feher 
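As an added sanity check that is not part of this thread: the timing comments that dnssec-keygen writes into the K*.key file (the lines quoted above) can be parsed and checked for ordering and for gaps that are shorter than the DNSKEY TTL, which is the kind of "too short to be sane" timing the earlier reply warned about. The one-hour TTL is an assumed value for the check.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the timing comments in the format dnssec-keygen
# writes into K*.key files, copied from the thread above.
KEY_FILE = """\
; Created: 20110119091030 (Wed Jan 19 10:10:30 2011)
; Publish: 20110119091124 (Wed Jan 19 10:11:24 2011)
; Activate: 20110119091224 (Wed Jan 19 10:12:24 2011)
; Inactive: 20110218091224 (Fri Feb 18 10:12:24 2011)
; Delete: 20110218091724 (Fri Feb 18 10:17:24 2011)
"""

# Lifecycle events in the order they are expected to occur.
EVENTS = ("Created", "Publish", "Activate", "Inactive", "Delete")
LINE_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})")


def parse_timings(text):
    """Return {event: datetime} for the timing comments in a key file."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in EVENTS:
            out[m.group(1)] = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
    return out


def check_timings(timings, ttl=timedelta(hours=1)):
    """Return a list of problems found in the key timings.

    ttl is the assumed DNSKEY TTL: if a key becomes active (or is deleted)
    less than one TTL after it was published (or made inactive), resolvers
    may still cache the old DNSKEY RRset while signatures already depend on
    the new state.
    """
    problems = []
    order = [e for e in EVENTS if e in timings]
    for a, b in zip(order, order[1:]):
        if timings[b] < timings[a]:
            problems.append(f"{b} precedes {a}")
    for a, b in (("Publish", "Activate"), ("Inactive", "Delete")):
        if a in timings and b in timings:
            gap = timings[b] - timings[a]
            if gap < ttl:
                problems.append(f"{a}->{b} gap {gap} is shorter than TTL {ttl}")
    return problems


if __name__ == "__main__":
    for p in check_timings(parse_timings(KEY_FILE)):
        print("WARNING:", p)
```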