inline dnssec signing fails
Mark Andrews
marka at isc.org
Wed Dec 9 00:47:23 UTC 2015
In message <2034056650.403611.1449620698296.JavaMail.yahoo at mail.yahoo.com>, Brad S writes:
> I am pretty sure the ultimate error is this:
>
> [\u at r2d2:/home/ex-mailer-domains/nyctelecomm.com] # dig nyctelecomm.com +dnssec @8.8.8.8
>
> ; <<>> DiG 9.10.3 <<>> nyctelecomm.com +dnssec @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16509
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;nyctelecomm.com. IN A
>
> ;; Query time: 187 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Tue Dec 08 19:17:22 UTC 2015
> ;; MSG SIZE rcvd: 44
>
>
> I can query the server (both master and slave)
>
> [\u at r2d2:/home/ex-mailer-domains/nyctelecomm.com] # dig nyctelecomm.com @108.61.190.64 +dnssec +multi
>
> ; <<>> DiG 9.10.3 <<>> nyctelecomm.com @108.61.190.64 +dnssec +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50374
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 9
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nyctelecomm.com. IN A
>
> ;; ANSWER SECTION:
> nyctelecomm.com. 86400 IN A 108.61.175.20
> nyctelecomm.com. 86400 IN RRSIG A 8 2 86400 (
> 20160107130220 20151208123524 65103 nyctelecomm.com.
> DLxITL2qKeDpiN/2Zxb/vzllFV1ZaDmzyYObKTMeiFS/
> JFCSKIWQlvdz3uGQwjmZaNUAW59NTqfPPLDr3d94h1/L
> KfY2PAd0rN74HSyApOiU0VaoU7sFCbIJzavyNmKeYOw0
> yS1SUvsOWOPFj6qZx0uUzWOeD0thsH4GgbHjKKYKB5cR
> djGmxzpxWgV7GdVKrn1G/Uhf/oDDavAVQa8BylfGSGO/
> djcjjVgf/bJ3NRgcFnZUL7LLioRRlZ+pGsa43tKmIRFC
> QgmV0DS3mLqZXAi7MpK01pFsfKg8lsF88jgVGxuR6TAD
> VKCgr9lVftyF/hdKwGP1RERnO+fGRfpQyw== )
>
> ;; AUTHORITY SECTION:
> nyctelecomm.com. 86400 IN NS r2d2.ex-mailer.com.
> nyctelecomm.com. 86400 IN NS yoda.ex-mailer.com.
> nyctelecomm.com. 86400 IN RRSIG NS 8 2 86400 (
> 20160107130220 20151208123524 65103 nyctelecomm.com.
> ryHGOpEncjwVPHc+zs2HrESijbBLH/rrmOYkpmoRSKpO
> yJTzAMN2u8cKTfJfBvFQ/Pk79kJ2vsu6c3dvWTXCB1sD
> jQFuhQTbT4XlYFbzx/2tyxvWOlYRBetmwRV8TcrwH7TT
> VlBX4fMoNA/mVmU9W/fzY5rKLH/X5RhWL1zOD+yF4CSk
> sTrFcTXDppENdTfzbyoSSpaDmliQYDmQ5cPaXsVa4RFb
> fwDdmohS1IhQe9mw5GnciEE8x1ayxNf3043ysoo9a+ST
> 4egpc3XfqwE1w8xTJYjZYXFTPBDqQnWLmLDFfluat5Wo
> JwLBzB2qRoxHQmaP05BHuKFPwLDXoPx77Q== )
>
> ;; ADDITIONAL SECTION:
> r2d2.ex-mailer.com. 86400 IN A 107.191.60.48
> r2d2.ex-mailer.com. 86400 IN AAAA 2001:19f0:7000:8945::64
> yoda.ex-mailer.com. 86400 IN A 108.61.190.64
> yoda.ex-mailer.com. 86400 IN AAAA 2001:19f0:6c00:8141::64
> r2d2.ex-mailer.com. 86400 IN RRSIG A 8 3 86400 (
> 20170604020000 20150604233623 9381 ex-mailer.com.
> Ea+o29rgxJRTo0pZlNHIL6vPMCgQvgt+tcJJf3VvH7BK
> U4gNjOfEJB4uvy+3PYB9OX0KQ5gngbWzdAAXdiSveaoo
> XJ+REc07V7aHjlqLn4SuBBAzfEhFVUGjrLT3wXTVp0bK
> kAkooksctvB2tWnlnkrXM8i5PES8tPXT2By50DN57LTE
> V3l0mSlBb4ibWn8SfFDsELVYzTE3SwMsiMfA0DaJj8th
> 6v0qmQp1LzE1yyMm6Bu7OrgMRCAG8wOLqGg8jOw+BNq7
> 4gvmnUm8mjh2iaUg2etc2h2oi6RqOdHVDTYYD+VzxJYv
> H3FDvnSbEgSqcBIB8GTTgQ/MRLLpzf0MuA== )
> r2d2.ex-mailer.com. 86400 IN RRSIG AAAA 8 3 86400 (
> 20170604020000 20150604233623 9381 ex-mailer.com.
> YHSyU0k2yNl9dJ551Kl1YnDpwqqcDSdeiPoA1ZNbcJ2u
> QcuXlAugTsyII0HLxVi+oRXarhPLE11Mr4WiFh5EVuGA
> gLJDMgQoZx8wSTaWKE8l5norrel61prlgiI13dM2frzB
> opQnHhxQl6EINIfek/j9DGOMOfQRiJFpqPnW/W+w+TxQ
> +KXycIDPMGJ6s+PD0JzG8L8mBwpWkbCxKDDckpWDJYy4
> tH9rHwiXcpvHix7vI3SB55wn9/LFs8bZ3S10AbxS0O0G
> W6tDFAOQ5f0mRvWxbVAjXaMV17l6T9vlFEGY8UoBqtqO
> +NvXV/X4G2Umw+i8QVW+TYP0ILqgqCSDNg== )
> yoda.ex-mailer.com. 86400 IN RRSIG A 8 3 86400 (
> 20170604020000 20150604233623 9381 ex-mailer.com.
> Rb2VgE/mrZnlALugk11vWPHBkOd0qk/TN2q7Qypap49L
> SR50HzZWm1KE40/emOaGABCjMyz7HLD3XaUieNjIYZI9
> 0Fpg05CpqVNN1AetdRWNRZWXqCykAz1RlcXGjPIQzWHT
> Rv8lEmyQhQSEiq7G9fKG23bHL9NV1oveBm21CHDVSi4e
> lUVxhvuM3oQGH6WtBrK5EmVPz4KH7a3Cmp0OctJoVw3M
> JWZoeqJ4BmrYhm7ZRg0zm9lZwC/6YoYXBVWOg44T8mrK
> iAioNhIaLYVcSXocod12YeoEgIhEQ4Ett+gY0ryXkY1P
> 0Ew4b7Xwu5DLHPysa0bojVyIBIcBRahm9A== )
> yoda.ex-mailer.com. 86400 IN RRSIG AAAA 8 3 86400 (
> 20170604020000 20150604233623 9381 ex-mailer.com.
> iyooXElsu4ATuoSvgp2JmaLnTPvXQ7s2KcwmZBmvLQL/
> Y3gCmdm1vpyNm2Dy7qSKMZWMowaB9ZITxPDRlPE7tAEd
> UvgqmgpnOTSTiQC8fkvi29LZ/tlpHBW5ptwttR6HIQH4
> cOCawqtCCcHt2a8I6z7dbokCzcKpexWoIvmsL4tkE9Kf
> s07+z9YXwWzyph/X6hUYOH3ycZpztHFwvZNi12eTmR/m
> GiVfbn+ny7a7uNzdnTvu00CqBniKvprLheot2nqjMj8/
> 0MRbZXKaS5NTHrgMQeFBgaG8OqUB8MZ89+MEy5FCQ4hf
> 6+pDyUoe2KeU2PwVolYip0bjSoZyk9Sv2g== )
>
> ;; Query time: 269 msec
> ;; SERVER: 108.61.190.64#53(108.61.190.64)
> ;; WHEN: Tue Dec 08 19:17:14 UTC 2015
> ;; MSG SIZE rcvd: 2006
>
>
> But no response from the Google DNS.
>
> I create and load the keys via
>
> [\u at yoda:/home/ex-mailer-domains/nyctelecomm.com] # dnssec-keygen -a RSASHA256 -b 2048 -3 nyctelecomm.com
> Generating key pair...........+++ ....+++
> Knyctelecomm.com.+008+65103
> [\u at yoda:/home/ex-mailer-domains/nyctelecomm.com] # dnssec-keygen -a RSASHA256 -b 2048 -3 -fk nyctelecomm.com
> Generating key pair...........+++ ......+++
> Knyctelecomm.com.+008+57586
> [\u at yoda:/home/ex-mailer-domains/nyctelecomm.com] # ls
> 127.0.0.1
> 48.60.191.107.in-addr.arpa
> Knyctelecomm.com.+008+57586.key
> Knyctelecomm.com.+008+57586.private
> Knyctelecomm.com.+008+65103.key
> Knyctelecomm.com.+008+65103.private
> bad3:50ef:ff00:0045:5498:0007:0f91:1002.ip6.arpa
> bad3:50ef:ff:0045:5498:0007:0f91:1002.ip6.arpa
> default.private
> nyctelecomm.com.external
> nyctelecomm.com.external.signed
> nyctelecomm.com.external.signed.jbk
> nyctelecomm.com.external.signed.signed
> nyctelecomm.com.external.signed.signed.jnl
>
>
> [\u at r2d2:/usr/local/etc/namedb] # chown -R bind:bind /home/ex-mailer-domains/nyctelecomm.com/
> [\u at r2d2:/usr/local/etc/namedb] # rndc reconfig
> [\u at r2d2:/usr/local/etc/namedb] # rndc loadkeys nyctelecomm.com
> [\u at r2d2:/usr/local/etc/namedb] # rndc signing -nsec3param 1 0 10 03F92714 nyctelecomm.com.
>
>
> and then recover the DS via
>
> [\u at r2d2:/home/ex-mailer-domains/nyctelecomm.com] # dig @127.0.0.1 dnskey nyctelecomm.com | dnssec-dsfromkey -f - nyctelecomm.com
> nyctelecomm.com. IN DS 57586 8 1 0F60CA666664EF85451A548DD0F4DBF9637F2375
> nyctelecomm.com. IN DS 57586 8 2 9DB66485013AF3C158111D8EF74C6666667FB6E38E8E7D0495B9B705DF8AECDB
>
> and upload it to my registrar.
Well it hasn't been published (see below for what is currently published).
Try again.
[rock:~/git/bind9] marka% dig ds nyctelecomm.com
;; BADCOOKIE, retrying.
; <<>> DiG 9.11.0pre-alpha <<>> ds nyctelecomm.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39372
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b63eccff8fb9ae15b3c9befb566777fd3189384e38380752 (good)
;; QUESTION SECTION:
;nyctelecomm.com. IN DS
;; ANSWER SECTION:
nyctelecomm.com. 86389 IN DS 52581 8 2 A21CD045DF013EF2103ABC6ACCADAD62ED59B7A863B6BA181A24CFD8 EE8A6910
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 09 11:38:21 EST 2015
;; MSG SIZE rcvd: 120
[rock:~/git/bind9]
> but dnsviz.net says my key is incorrect.
>
> my named.conf options
>
> options {
>     directory "/usr/local/etc/namedb/working/";
>     pid-file "/var/run/named/named.pid";
>     dump-file "/var/log/named/cache_dump.db";
>     statistics-file "/var/log/named/named_stats.txt";
>     memstatistics-file "/var/log/named/named_mem_stats.txt";
>     bindkeys-file "/home/ex-mailer-domains/named.iscdlv.key";
>     managed-keys-directory "/home/ex-mailer-domains/";
>     dnssec-enable yes;
>     dnssec-validation auto;
>     dnssec-lookaside auto;
>     listen-on-v6 { ::1; 2001:19f0:6c00:8141:5400:ff:fe05:5309; };
>     listen-on { 127.0.0.1; 108.61.190.64; };
>     max-cache-ttl 1600;
>     version none;
>     auth-nxdomain no; # conform to RFC1035
>     allow-recursion-on { trusted; };
>     allow-recursion { trusted; }; # "tusted" in the posted config is a typo for the "trusted" ACL
>     allow-query-cache-on { trusted; };
>     allow-query-on { any; };
>     allow-update-forwarding { trusted; };
>
>     allow-new-zones yes;
>     allow-query {
>         any;
>     };
>     allow-transfer {
>         trusted;
>     };
>     //forward first;
>     forwarders {
>         108.61.10.10;
>         108.61.190.64;
>         107.191.60.48;
>     };
> };
>
> my named.conf zone
>
> zone "nyctelecomm.com" {
>     type master;
>     allow-transfer { 107.191.60.48; };
>     also-notify { 107.191.60.48; };
>     key-directory "/home/ex-mailer-domains/nyctelecomm.com/";
>     #file "/usr/local/etc/namedb/nyctelecomm.com.external";
>     file "/home/ex-mailer-domains/nyctelecomm.com/nyctelecomm.com.external.signed";
>     update-policy {
>         grant ddns-key zonesub ANY;
>     };
>     auto-dnssec maintain;
>     inline-signing yes;
> };
>
>
> I have no errors or warning in my logs.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
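The check Mark's reply comes down to is whether the DS the parent publishes (key tag 52581 in the dig output above) covers any DNSKEY the zone actually serves (the KSK Brad generated has tag 57586). The script below is an added example, not code from the thread and not part of BIND or ISC's tooling. It reimplements what dnssec-dsfromkey computes (the RFC 4034 Appendix B key tag and the DS digest over owner name plus DNSKEY RDATA) and compares the result against DS lines in dig's presentation format, including the space dig inserts into long digests. The zone name example.test, the DNSKEY records and the DS lines are constructed samples; the key material is filler bytes, not a real RSA key, and tag 52581 is reused only to mirror the thread.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical owner name in wire form: lowercase labels, no compression (RFC 4034 s6.2)."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """DS fields (key_tag, algorithm, digest_type, HEX) for one DNSKEY, as dnssec-dsfromkey prints."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_dnskey(line: str):
    """'owner [ttl] [IN] DNSKEY flags proto alg base64...' -> (owner, rdata bytes)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[i + 4:]))


def parse_ds(line: str):
    """'owner [ttl] [IN] DS tag alg dtype hex...' -> (owner, (tag, alg, dtype, HEX)).
    dig prints long digests with an embedded space, so the hex fields are re-joined."""
    f = line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    return f[0], (tag, alg, dtype, "".join(f[i + 4:]).upper())


def format_ds(owner: str, ds) -> str:
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def matching_keys(ds_lines, dnskey_lines):
    """Key tags of served DNSKEYs that the parent's DS records actually cover.
    An empty result is the thread's failure mode: validators hold a DS that
    authenticates no key in the zone's DNSKEY RRset and answer SERVFAIL."""
    served = [parse_dnskey(ln) for ln in dnskey_lines]
    matched = []
    for line in ds_lines:
        owner, (tag, alg, dtype, digest) = parse_ds(line)
        for key_owner, rdata in served:
            if key_owner.lower() != owner.lower() or dtype not in DIGESTS:
                continue
            if ds_from_dnskey(key_owner, rdata, dtype) == (tag, alg, dtype, digest):
                matched.append(tag)
    return matched


# --- constructed sample data (hypothetical zone; filler bytes, not real RSA keys) ---
ZONE = "example.test."
_KSK_FILLER = bytes([3, 1, 0, 1]) + bytes(range(256))   # fake "exponent + modulus"
_ZSK_FILLER = bytes([3, 1, 0, 1]) + bytes(range(128))
SERVED_DNSKEYS = [
    f"{ZONE} 86400 IN DNSKEY 257 3 8 {base64.b64encode(_KSK_FILLER).decode()}",  # KSK
    f"{ZONE} 86400 IN DNSKEY 256 3 8 {base64.b64encode(_ZSK_FILLER).decode()}",  # ZSK
]
KSK_RDATA = parse_dnskey(SERVED_DNSKEYS[0])[1]
# What the registrar should hold: the DS derived from the served KSK.
CORRECT_DS = format_ds(ZONE, ds_from_dnskey(ZONE, KSK_RDATA, 2))
# What the parent holds in the thread's scenario: a DS for a key the zone does not serve
# (tag 52581 reused from the thread; the digest is made up, split as dig prints it).
STALE_DS = f"{ZONE} 86389 IN DS 52581 8 2 {'DEADBEEF' * 7} DEADBEEF"

if __name__ == "__main__":
    print("served KSK tag:    ", key_tag(KSK_RDATA))
    print("stale DS matches:  ", matching_keys([STALE_DS], SERVED_DNSKEYS))
    print("correct DS matches:", matching_keys([CORRECT_DS], SERVED_DNSKEYS))
```

To run it against a live zone, feed the output of `dig +short DS <zone>` (from a validating resolver) into `matching_keys` as the DS lines and `dig +noall +answer DNSKEY <zone> @<authoritative>` as the DNSKEY lines; an empty result means the parent's DS does not chain to the served KSK and every validating resolver will SERVFAIL the zone until the DS is replaced.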