DNSSEC auto-dnssec issue bind-9.7.2-P3

Zbigniew Jasiński szopen at nask.pl
Tue Jan 25 13:34:52 UTC 2011


On 2011-01-24 17:47, Kalman Feher wrote:
> This appears to be the problem.
> I copied your NSEC3PARAM (opt out clear, 12 iterations) details but could
> not replicate it. Try turning up the logging to get more information about
> why the nsec3param is removed. Make sure also that your keys are nsec3
> compatible and you don't have any old non nsec3 keys in the directory that
> could be used to sign.


I was trying to reproduce your scheme:

> FWIW I use a script to add all my test zones from a zone template
> file. That script automatically adds the nsec3param as soon as the
> zone is loaded, but before it signs. That way I keep things simple and
> never forget to update that zone before signing.

but without success. Did you use keys with future Prepublish and
Activate, or are they set to NOW?

I made a few tests:

-- first scenario (desirable):

1. get unsigned zone
2. generate nsec3 compatible keys (Prepublish and Activate in the future)
3. send 'rndc sign' to named
4. send NSEC3PARAM via dynamic update

result:

after waiting until key Activate event:

1. SOA and DNSKEY records are signed and have RRSIG records
2. NSEC3PARAM and DS records are still unsigned

which is not a properly signed zone.

-- second scenario:

1. get unsigned zone with NSEC3PARAM record
2. generate nsec3 compatible keys (Prepublish and Activate in the future)
3. send 'rndc sign' to named

result:

1. NSEC3PARAM is immediately removed from zone

after waiting until key Activate event:

1. SOA and DNSKEY records are signed and have RRSIG records, but only in
the zone file. I can't get the RRSIG records in a DNS response, only if I
send a query for RRSIG records

-- third scenario:

1. get unsigned zone
2. generate nsec3 compatible keys (Prepublish and Activate = NOW)
3. send NSEC3PARAM via dynamic update
4. send 'rndc sign' to named

result:

everything is ok.

One conclusion: you need to have at least one key in the Activate state.
As for me, this is a wrong assumption. The first scenario should be ok,
but strange things happened after the Activate event, or I made a mistake.

--
regards

zbigniew jasinski
[SYStem OPerator]
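The two things the post checks by hand after each scenario are (a) which RRsets in the zone actually carry RRSIGs and (b) whether any key has reached its Activate time. The following script is an added example, not part of the mailing-list thread or of BIND itself, that automates both checks offline. It assumes a zone dump with one fully qualified record per line in "owner TTL class type rdata" form (as `dig AXFR` or `named-compilezone` print it) and a `.key` file carrying the `; Publish:` / `; Activate:` metadata comments that `dnssec-keygen` and `dnssec-settime` write. The sample zone and key file are constructed to mirror the outcome reported for the first scenario: SOA, NS and DNSKEY signed, NSEC3PARAM and the child DS not; signatures and key material are shortened placeholders.

```python
"""Report authoritative RRsets that lack an RRSIG, and decide from a
.key file's timing metadata whether that key is active at a given time."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample zone dump (not from the post). Apex SOA/NS/DNSKEY and
# the glue-owner A record are signed; NSEC3PARAM and the child DS are not.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2011012501 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20110224000000 20110125000000 12345 example.test. c2lnLXNvYQ==
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 8 2 3600 20110224000000 20110125000000 12345 example.test. c2lnLW5z
example.test. 3600 IN DNSKEY 257 3 8 AwEAAcKSK=
example.test. 3600 IN DNSKEY 256 3 8 AwEAAcZSK=
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20110224000000 20110125000000 54321 example.test. c2lnLWRuc2tleQ==
example.test. 0 IN NSEC3PARAM 1 0 12 AABBCCDD
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN RRSIG A 8 3 3600 20110224000000 20110125000000 12345 example.test. c2lnLWE=
child.example.test. 3600 IN NS ns1.child.example.test.
child.example.test. 3600 IN DS 11111 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
ns1.child.example.test. 3600 IN A 192.0.2.2
"""

# Constructed .key file header (not from the post): published and activated
# in the future relative to the date of the thread.
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 12345, for example.test.
; Created: 20110125120000 (Tue Jan 25 12:00:00 2011)
; Publish: 20110126120000 (Wed Jan 26 12:00:00 2011)
; Activate: 20110201120000 (Tue Feb  1 12:00:00 2011)
example.test. IN DNSKEY 256 3 8 AwEAAcZSK=
"""


def parse_zone(text):
    """Return (rrsets, signed): rrsets maps (owner, type) -> rdata list,
    signed is the set of (owner, covered type) that has an RRSIG."""
    rrsets, signed = defaultdict(list), set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):     # skip $TTL/$ORIGIN etc.
            continue
        fields = line.split()
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rtype == "RRSIG":
            signed.add((owner, rdata[0].upper()))   # first rdata field: type covered
        else:
            rrsets[(owner, rtype)].append(" ".join(rdata))
    return rrsets, signed


def unsigned_rrsets(text, apex):
    """(owner, type) pairs that are authoritative and therefore need an RRSIG
    but have none. Delegation NS sets and anything below a delegation
    (glue) are non-authoritative in this zone and are not expected to be signed;
    DS at the delegation point is parent data and is checked."""
    apex = apex.lower()
    rrsets, signed = parse_zone(text)
    cuts = {o for (o, t) in rrsets if t == "NS" and o != apex}
    missing = []
    for owner, rtype in rrsets:
        if owner in cuts and rtype == "NS":
            continue
        if any(owner.endswith("." + cut) for cut in cuts):
            continue
        if (owner, rtype) not in signed:
            missing.append((owner, rtype))
    return sorted(missing)


KEY_META = re.compile(r"^;\s*(Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", re.M)


def key_timing(keyfile_text):
    """Parse the '; Event: YYYYMMDDHHMMSS' metadata comments into UTC datetimes."""
    return {name: datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            for name, stamp in KEY_META.findall(keyfile_text)}


def key_is_active(keyfile_text, now=None):
    """True if Activate has passed and no Inactive/Revoke/Delete time has.
    `now` is a YYYYMMDDHHMMSS string (UTC); default is the current time."""
    now = (datetime.now(timezone.utc) if now is None
           else datetime.strptime(now, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc))
    t = key_timing(keyfile_text)
    if "Activate" not in t or t["Activate"] > now:
        return False
    return not any(e in t and t[e] <= now for e in ("Inactive", "Revoke", "Delete"))


if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SAMPLE_ZONE, "example.test."):
        print(f"no RRSIG covering {rtype} at {owner}")
    print("key active at thread date:", key_is_active(SAMPLE_KEY, "20110125133452"))
```

Running it against a real dump is `dig @127.0.0.1 example.test. AXFR +noall +answer`, fed as `text`; the report should be empty for a zone that named has fully signed, and a key reported inactive at the current time explains an NSEC3PARAM that never gets signed or is dropped, which is exactly the symptom the scenarios above describe.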

