inconsistency dnssec debuggers response and writing advice for new areas zone
Mark Andrews
marka at isc.org
Tue Mar 1 21:49:46 UTC 2011
In message <1299012754.22227.430.camel at localhost.localdomain>, "fakessh @" writes:
> as I now know which DS key to use.
>
> I logged into my account and I put the SHA1 DS record into the ISC DLV,
> and I thought I would receive a new record or something like that.
>
> well, no. The reply from ISC is:
> A corresponding DNSKEY already exists for this record.
Because there are already DLV records for the key in the DLV.
;; ANSWER SECTION:
fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 2 68096942650C1DD89D5BE43A9EEA05BA9C20F09EDC55309F4F1CD348 4D8ED07B
fakessh.eu.dlv.isc.org. 3529 IN DLV 47103 3 1 CFEA04C5B918359273D6BAC07AE7F2DF5225E357
And the zone itself validates (ad=1).
; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu soa +adflag
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4080
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;fakessh.eu. IN SOA
;; ANSWER SECTION:
fakessh.eu. 38400 IN SOA r13151.ovh.net. postmaster.fakessh.eu. 2011022802 10800 3600 604800 38400
;; Query time: 2521 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 2 08:45:13 2011
;; MSG SIZE rcvd: 89
> All comments are welcome to help me find a solution
>
> NB: I published a short article about DNSSEC on my blog
> http://fakessh.eu/2011/02/16/faire-marcher-dnssec-sur-son-serveur/
> On Tuesday 01 March 2011 at 21:00 +0100, Torinthiel wrote:
> > On 03/01/11 20:17, fakessh @ wrote:
> >
> > > it seems that ISC DLV accepts DS records
> > > in my case I have a file dsset-fakessh.eu
> > > but the file contains two DS keys and I don't know which to use
> >
> > The DS you have are both for the same key, only one is SHA1 and other
> > SHA256. You could try any of them, but see below.
> >
> > ISC DLV accepts keys, you have to create an account, add your zone and
> > keys for it. I remember having some trouble trying to add DS records,
> > but DNSKEY worked fine. Of course the zone has to be signed using that
> > key, and ISC asks you to add a TXT record at dlv.your.zone (or something
> > similar) to prove your ability to modify the zone.
> > The procedure is simple and well defined.
> >
> > And about OVH - I don't know if it's related, but I've asked Polish OVH
> > how about providing DNSSEC, as .pl is planned to be signed mid-year, and
> > they've answered me they will probably be ready. This might, or might
> > not be related to providing DNSSEC by other OVH branches and for other
> > registries.
> >
> > Torinthiel
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> --
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0x092164A7
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
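The point Torinthiel makes (the two lines in dsset-fakessh.eu are one key with a SHA-1 and a SHA-256 digest) and the two DLV records in the dig output above (same key tag 47103, same algorithm 3, digest types 1 and 2) can both be checked mechanically, because a DLV RR carries the same RDATA as a DS RR. The following is an added example, not code from the thread or from BIND: it rebuilds both DS lines from a DNSKEY the way a dsset-<zone> file holds them, and verifies a given DS (or DLV) line against the key by recomputing the digest rather than trusting the key tag alone. The DNSKEY material and the resulting key tag 45779 are constructed filler for the demonstration, not fakessh.eu's real key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed filler public key for illustration only; NOT fakessh.eu's real DNSKEY.
FAKE_PUBKEY_B64 = base64.b64encode(bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD])).decode()
OWNER = "fakessh.eu."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 3   # KSK flags, protocol 3, algorithm 3 as in the thread's DLV output

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash (RFC 4034, RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5, alg 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str, digest_type: int) -> str:
    """Presentation form 'owner. IN DS keytag alg digesttype HEX' (a DLV RR uses the same RDATA, RFC 4431).
    digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_dnskey(ds_line: str, owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bool:
    """Recompute the DS from the DNSKEY and compare. This is the check that proves a DS line
    (or a DLV line pasted from dig) really covers the key in the zone; key tags alone can collide."""
    fields = ds_line.split()
    tag, alg, dtype = int(fields[3]), int(fields[4]), int(fields[5])
    digest = "".join(fields[6:])          # dig may wrap a long digest with a space, as above
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    if alg != algorithm or tag != key_tag(rdata) or dtype not in DIGEST_ALGS:
        return False
    expected = DIGEST_ALGS[dtype](name_to_wire(owner) + rdata).hexdigest()
    return hmac.compare_digest(expected.lower(), digest.lower())


def dsset(owner: str = OWNER, pubkey_b64: str = FAKE_PUBKEY_B64):
    """The two lines a dsset-<zone> file would hold for this key: SHA-1 (type 1) then SHA-256 (type 2)."""
    return [ds_record(owner, FLAGS, PROTOCOL, ALGORITHM, pubkey_b64, t) for t in (1, 2)]


if __name__ == "__main__":
    for line in dsset():
        print(line)
```

Both generated lines share the key tag and algorithm and differ only in digest type and digest, which is exactly the pattern in the DLV answer section above; either one identifies the key, and submitting a second one for a key the registry already knows produces the "already exists" reply. The verification function is the check to run before blaming the registry: feed it the DS or DLV line you see in dig together with the DNSKEY from your own zone file. Note that RFC 8624 now says SHA-1 (digest type 1) MUST NOT be used when generating DS records, so a current dsset should be published with the SHA-256 line only.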