DNSSEC and NSEC missing ZSK?

@lbutlr kremels at kreme.com
Mon Feb 8 18:10:19 UTC 2021



> On 08 Feb 2021, at 07:24, Matthijs Mekking <matthijs at isc.org> wrote:
> 
> Hi,
> 
> On 08-02-2021 12:20, @lbutlr wrote:
>> I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand.
>> #v+
>> # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed
>> Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed'
>> Verifying the zone using the following algorithms:
>> - ECDSAP256SHA256
>> Missing ZSK for algorithm ECDSAP256SHA256
>> Missing NSEC record for blog.example.com
>> Missing NSEC record for wiki.example.com
>> Missing NSEC record for foobar.example.com
>> Missing NSEC record for barfoo.example.com
>> The zone is not fully signed for the following algorithms:
>> - ECDSAP256SHA256
>> .
>> DNSSEC completeness test failed.
>> #v-
>> The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file.
> 
> Use dnssec-verify -z to indicate that the ZSK may be the same key as the KSK.

Thanks, so that is sorted.

> The missing NSEC records are more worrisome.

Oddly, some of the NSEC entries are in the signed zone file (well, I assume that is what this means):

NSEC    blog.example.com. A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY TYPE65534
RRSIG   NSEC 13 2 3600
NSEC    wiki.example.com. CNAME RRSIG NSEC
RRSIG   NSEC 13 3 3600 (
)

All the subdomains are CNAME.

And some other occurrences of NSEC, but not the home and foobar or barfoo.

>> Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated.
> 
> 
> rndc sign zone

That recreates the .signed.jnl and not the .signed file. No errors are reported.


-- 
How you have felt, o men of Athens, at hearing the speeches of my
	accusers, I cannot tell; but I know that their persuasive words
	almost made me forget who I was, such was the effect of them; and
	yet they have hardly spoken a word of truth.

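As an added illustration (not part of this thread and not BIND's own code), the check below rebuilds the NSEC chain from a constructed one-record-per-line zone excerpt and reports, in the style of dnssec-verify, which owner names have no NSEC record and where the chain skips a name. It assumes every name in the excerpt is authoritative (no delegations or glue); the zone data and key material are placeholders.

```python
# Constructed sample, not the poster's zone: foobar and www carry no NSEC,
# and the chain jumps over them, which is what a partially signed zone looks like.
SAMPLE_ZONE = """\
example.com.        3600 IN SOA    ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.        3600 IN NS     ns1.example.com.
example.com.        3600 IN DNSKEY 257 3 13 PLACEHOLDER-KEY-DATA
example.com.        3600 IN NSEC   blog.example.com. NS SOA RRSIG NSEC DNSKEY
blog.example.com.   3600 IN CNAME  www.example.com.
blog.example.com.   3600 IN NSEC   wiki.example.com. CNAME RRSIG NSEC
wiki.example.com.   3600 IN CNAME  www.example.com.
wiki.example.com.   3600 IN NSEC   example.com. CNAME RRSIG NSEC
foobar.example.com. 3600 IN CNAME  www.example.com.
www.example.com.    3600 IN A      192.0.2.10
"""

def parse_zone(text):
    """Parse one-record-per-line presentation format into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # drop comments and blank lines
        if not fields:
            continue
        i = 1                                    # TTL and class are both optional
        if fields[i].isdigit():
            i += 1
        if fields[i].upper() in ("IN", "CH", "HS"):
            i += 1
        records.append((fields[0].lower(), fields[i].upper(), fields[i + 1:]))
    return records

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left as lowercase octets."""
    return tuple(label.encode() for label in reversed(name.lower().rstrip(".").split(".")))

def check_nsec_chain(records):
    """Return dnssec-verify style findings: names without NSEC and broken chain links.
    Assumes every owner name in the records is authoritative (no delegations or glue)."""
    owners = sorted({owner for owner, _, _ in records}, key=canonical_key)
    nsec_next = {owner: rdata[0].lower() for owner, rtype, rdata in records if rtype == "NSEC"}
    problems = []
    for i, owner in enumerate(owners):
        expected = owners[(i + 1) % len(owners)]  # the last NSEC wraps back to the apex
        if owner not in nsec_next:
            problems.append(f"Missing NSEC record for {owner}")
        elif nsec_next[owner] != expected:
            problems.append(f"NSEC at {owner} points to {nsec_next[owner]}, expected {expected}")
    return problems

if __name__ == "__main__":
    for problem in check_nsec_chain(parse_zone(SAMPLE_ZONE)):
        print(problem)
```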