DNSSEC auto-dnssec issue bind-9.7.2-P3

Kalman Feher kalman.feher at melbourneit.com.au
Mon Jan 24 13:34:28 UTC 2011




On 24/01/11 10:53 AM, "Zbigniew Jasiński" <szopen at nask.pl> wrote:

> 
> On 2011-01-21 15:17, Kalman Feher wrote:
>>> Perhaps we are getting close to the problem then.
>>> Can you show the content of the key files? Specifically the metadata which
>>> the "maintain" option wants.
>> 
>>> Since "allow" works I'm assuming that key file permissions (and directory
>>> permissions) are ok, but it couldn't hurt to check them.
> 
> I've made a new installation without SoftHSM support to be sure that this
> is not an issue, and of course 'allow' works and 'maintain' does the same odd
> things.
> 
> permissions are ok, double-checked, and with 'allow' it works.
> 
> key metadata, same for ZSK and KSK:
> 
> ; Created: 20110121145849 (Fri Jan 21 15:58:49 2011)
> ; Publish: 20110121145937 (Fri Jan 21 15:59:37 2011)
> ; Activate: 20110121170117 (Fri Jan 21 18:01:17 2011)
> ; Inactive: 20110121220937 (Fri Jan 21 23:09:37 2011)
> ; Delete: 20110122001117 (Sat Jan 22 01:11:17 2011)
> 
> and of course I'm waiting until the Activate key event to be sure I will get
> RRSIG in the response, but there are no signatures.
> 
> strange thing: after signing the zone with 'maintain' and after named
> dumps the zone into a plain file, the file differs a lot from the one dumped
> with the 'allow' option. for example it doesn't have NSEC3PARAM in the file
> from 'maintain', and the DS record (authoritative) doesn't even have its
> signature!
I assume you did add the nsec3param record via nsupdate after adding the
zone? I note that there is an NSEC entry there, which is not right.


> 
> zone with 'maintain' option:
> 
> $ORIGIN .
> $TTL 3600       ; 1 hour
> example                      IN SOA  ns1.example. bugs.x.w.example. (
>                                 1292481918 ; serial
>                                 7200       ; refresh (2 hours)
>                                 3600       ; retry (1 hour)
>                                 734400     ; expire (1 week 1 day 12 hours)
>                                 600        ; minimum (10 minutes)
>                                 )
>                         RRSIG   SOA 10 1 3600 20110223093216 (
>                                 20110124083216 41870 example.
>                               SbFalU9K5yroRNtENT7nQHovxOXhl8ROOi90D77qFEXc
> <CUT>
>                         NS      ns1.example.
>                         NS      ns2.example.
>                         TXT     "dnssec test"
> $TTL 600        ; 10 minutes
>                         NSEC    a.example. NS SOA TXT RRSIG NSEC DNSKEY
> TYPE65534
> $TTL 3600       ; 1 hour
>                         DNSKEY  256 3 10 (
>                                 AwEAAdByffBxPaxGFxfnf10TKUIwUKvq79vfMJ9wGW6s
> <CUT>                                ) ; key id = 41870
>                         DNSKEY  257 3 10 (
>                                 AwEAAdFituIkCms1lVbht+ykmwRUoBQJjHW9qep2GS1O
> <CUT>                                     ) ; key id = 996
>                         RRSIG   DNSKEY 10 1 3600 20110223093216 (
>                                 20110124083216 996 example.
>                                 LXfYVMI7BuQEEvYKpiadeboBHlv1RYv1vaaUoZLwnhC6
>                         RRSIG   DNSKEY 10 1 3600 20110223093216 (
>                                 20110124083216 41870 example.
>                                 $TTL 0  ; 0 seconds
>                         TYPE65534 \# 5 ( 0A03E40001 )
>                         TYPE65534 \# 5 ( 0AA38E0001 )
> $ORIGIN example.
> $TTL 3600       ; 1 hour
> a                       NS      ns1.a
>                         NS      ns2.a
>                         DS      23344 5 1 (
>                                 CECDDBFFD6A0C01F8D7E96C4BE31CB577433DD56 )
> $ORIGIN a.example.
> ns1                     A       127.0.0.1
> ns2                     A       127.0.0.1
> $ORIGIN example.
> ai                      A       127.0.0.1
>                         AAAA    ::1
> c                       NS      ns1.c
>                         NS      ns2.c
> $ORIGIN c.example.
> ns1                     A       127.0.0.5
> ns2                     A       127.0.0.6
> $ORIGIN example.
> ns1                     A       127.0.0.3
> ns2                     A       127.0.0.4
> w                       A       127.0.0.1
> $ORIGIN w.example.
> *                       MX      10 ai.example.
> x                       MX      10 xx.example.
> x.y                     MX      10 xx.example.
> $ORIGIN example.
> xx                      A       127.0.0.1
>                         AAAA    ::1
> - -- 
I cut and pasted the zone (except for the DS) and loaded it, added the
nsec3param, then signed, and it went perfectly.
I then added an a.example zone and did the same thing.
I took the resulting dsset and added it into example using nsupdate, and it
was signed within moments.

Are you following this same workflow?
FWIW I use a script to add all my test zones from a zone template file. That
script automatically adds the nsec3param as soon as the zone is loaded, but
before it signs. That way I keep things simple and never forget to update
that zone before signing.

> regards
> 
> zbigniew jasinski
> [SYStem OPerator]
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Kal Feher 
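Added example (not code from the thread, BIND or ISC): with 'auto-dnssec maintain' named acts on the Publish/Activate/Inactive/Delete timers in each key file's metadata, whereas 'allow' only signs when asked. The script below parses that metadata and reports which state a key is in at a given time, and whether an RRSIG inception time falls inside the key's signing window. The key file text is constructed here; its timers copy the metadata quoted in the thread and the DNSKEY rdata is a truncated placeholder. Function names are my own.

```python
"""Key-timing check for BIND 9 'auto-dnssec maintain' (added example).

Key files written by dnssec-keygen / dnssec-settime carry timing metadata as
'; Field: YYYYMMDDHHMMSS' comments, in UTC. This script parses them and
reports the state named's timer logic would assign to the key.
"""
import re
from datetime import datetime, timezone

# Constructed sample: timers copied from the thread, rdata truncated.
SAMPLE_KEY_FILE = """\
; This is a zone-signing key, keyid 41870, for example.
; Created: 20110121145849 (Fri Jan 21 15:58:49 2011)
; Publish: 20110121145937 (Fri Jan 21 15:59:37 2011)
; Activate: 20110121170117 (Fri Jan 21 18:01:17 2011)
; Inactive: 20110121220937 (Fri Jan 21 23:09:37 2011)
; Delete: 20110122001117 (Sat Jan 22 01:11:17 2011)
example. IN DNSKEY 256 3 10 AwEAAdByffBxPaxGFxfnf10TKUIwUKvq79vfMJ9wGW6s
"""

TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")
TIMING_RE = re.compile(r"^;\s*(%s):\s*(\d{14})" % "|".join(TIMING_FIELDS), re.M)


def parse_timestamp(stamp: str) -> datetime:
    """Parse the 14-digit UTC timestamp used in key files and RRSIG records."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_timing(text: str) -> dict:
    """Return {field: datetime} for the timing comments present in a key file."""
    return {field: parse_timestamp(stamp) for field, stamp in TIMING_RE.findall(text)}


def key_state(timing: dict, when: datetime) -> str:
    """State the timer logic assigns to the key at time 'when'.

    published: DNSKEY in the zone, not yet used for signing
    active:    DNSKEY in the zone and used to generate RRSIGs
    inactive:  DNSKEY still published, no longer signing
    deleted:   DNSKEY removed from the zone
    """
    if "Delete" in timing and when >= timing["Delete"]:
        return "deleted"
    if "Inactive" in timing and when >= timing["Inactive"]:
        return "inactive"
    if "Activate" in timing and when >= timing["Activate"]:
        return "active"
    if "Publish" in timing and when >= timing["Publish"]:
        return "published"
    return "unpublished"


def inception_within_active_window(timing: dict, inception: str) -> bool:
    """True if an RRSIG inception time lies in [Activate, Inactive) for this key."""
    t = parse_timestamp(inception)
    if "Activate" not in timing or t < timing["Activate"]:
        return False
    return "Inactive" not in timing or t < timing["Inactive"]


def active_window_hours(timing: dict) -> float:
    """Length of the signing window (Activate to Inactive) in hours."""
    return (timing["Inactive"] - timing["Activate"]).total_seconds() / 3600


if __name__ == "__main__":
    timing = parse_key_timing(SAMPLE_KEY_FILE)
    # The last stamp is the RRSIG inception from the dump quoted in the thread.
    for stamp in ("20110121160000", "20110121180000", "20110121230000", "20110124083216"):
        print(stamp, key_state(timing, parse_timestamp(stamp)))
    print("signing window: %.2f hours" % active_window_hours(timing))
```

Run it against the real K*.key files in the zone's key directory before blaming 'maintain': a key whose Inactive or Delete time has already passed will not be used to sign, and after Delete its DNSKEY is removed, whatever the zone looked like under 'allow'.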



