problem validate key of isc dlv

Mark Andrews marka at isc.org
Sun Mar 20 23:58:32 UTC 2011


In message <1300660825.6651.21.camel at localhost.localdomain>, "fakessh @" writes:
>
> On Sunday 20 March 2011 at 22:47 +0100, Torinthiel wrote:
> > On 03/20/11 22:33, fakessh @ wrote:
> > > and what do I do.
> >
> > You have to add your key to ISC's DLV registry. Go to dlv.isc.org,
> > create account, login, add a zone, add keys for it and publish a record
> > in your zone validating that you're the owner of the zone. You will be
> > told what to do after you create zone.
> >
>
> that's what I did
> I made a post on my blog explaining how I do
> goo.gl/EAbCB

Have you changed your DNSKEYs since you did that?  If you have, did
you update the zone in your account on dlv.isc.org?  What does
dlv.isc.org have to say about fakessh.eu?

> > > and what is this other publication of another DS

In the end you should have a DS RRset published in the .EU zone for
fakessh.EU.  .EU claims to implement DNSSEC and that should mean
that you can get DS records added for your zone.

> > I have no idea what do you mean by this sentence.
> > Torinthiel
> >
> > >
> > >
> > > On Monday 21 March 2011 at 08:25 +1100, Mark Andrews wrote:
> > >> In message <1300650238.6651.15.camel at localhost.localdomain>, "fakessh @" writes:
> > >>> hello bind network and duru.
> > >>>
> > >>> I can not validate the key dlv via the website of the isc.
> > >>> I do not understand why the warning is the isc
> > >>> you have an explanation
> > >>> SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
> > >>> 4.502:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
> > >>> 4.502:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
> > >>> 4.502:INFO Total answers: 3
> > >>> 4.503:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
> > >>> 4.504:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
> > >>> 4.504:SUCCESS All DNSKEY responses are identical.
> > >>> 4.515:DEBUG VERIFY-DNSKEY: Checking tag=10231 flags=257 alg=RSASHA1
> > >>> AwEAAbwO...8fkjXphfS8=
> > >>> 4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
> > >>> 4.515:DEBUG VERIFY-DNSKEY: Checking tag=30111 flags=256 alg=RSASHA1
> > >>> AwEAAb1q...jG+UQeAtYE=
> > >>> 4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
> > >>> 4.515:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
> > >>> 4.515:INFO VERIFY-DNSKEY: 0 keys found after filtering.
> > >>> 4.515:DEBUG VERIFY-DNSKEY: Using keys:
> > >>> 4.516:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
> > >>> 4.516:FAILURE VERIFY-DNSKEY: No keys found after filtering.
> > >>> 4.516:FAILURE DNSKEY signature did not validate.
> > >>> 4.516:FINAL_FAILURE FAILURE
> > >>
> > >> Based on the key tags and the truncated keys I think these keys are
> > >> for fakessh.eu and if so there isn't a DLV record or a DS published
> > >> for fakessh.eu.  The only other thing the validator can check against
> > >> is any installed trust-anchor.
> > >>
> > >> Mark
> > >>
> > >> ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
> > >> ;; global options: +cmd
> > >> ;; Got answer:
> > >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48161
> > >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > >>
> > >> ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu ds
> > >> ;; global options: +cmd
> > >> ;; Got answer:
> > >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63623
> > >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > >>
> > >>
> > >>
> > >>> -- 
> > >>> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> > >>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
> > >>>
> > >>>
> > >>>
> > >>> _______________________________________________
> > >>> bind-users mailing list
> > >>> bind-users at lists.isc.org
> > >>> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
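
The "0 keys found after filtering" result in the quoted log is what a validator reaches when no DS or DLV record vouches for any DNSKEY in the zone. The following Python is an added example, not part of the original message and not the dlv.isc.org checker's code; it filters a DNSKEY RRset against DS/DLV records using the RFC 4034 key tag and digest. The zone name, key bytes and function names are constructed for the illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-cased) wire form of a domain name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Build the (tag, alg, digest type, digest) tuple a parent or DLV registry publishes."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = algo(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def filter_keys(owner, dnskeys, anchors):
    """Keep only the DNSKEYs matched by some DS/DLV record in `anchors`."""
    kept = []
    for rdata in dnskeys:
        for tag, alg, dtype, digest in anchors:
            # Cheap pre-check on key tag and algorithm before hashing.
            if (tag, alg) != (key_tag(rdata), rdata[3]):
                continue
            if make_ds(owner, rdata, dtype)[3] == digest.lower():
                kept.append(rdata)
                break
    return kept

# Constructed sample data: filler bytes stand in for RSA public keys.
ZONE = "example.test."
KSK = struct.pack("!HBB", 257, 3, 5) + bytes(range(64))       # flags=257, alg=5 (RSASHA1)
ZSK = struct.pack("!HBB", 256, 3, 5) + bytes(range(64, 128))  # flags=256, alg=5

def demo():
    """Keys surviving the filter with nothing published vs. a DS for the KSK."""
    nothing_published = filter_keys(ZONE, [KSK, ZSK], [])
    ds_published = filter_keys(ZONE, [KSK, ZSK], [make_ds(ZONE, KSK)])
    return len(nothing_published), len(ds_published)

if __name__ == "__main__":
    print("keys after filtering (no DS/DLV, DS for KSK):", demo())
```

With an empty DS/DLV set both keys are dropped, which mirrors the two "Ignoring key" lines in the log; once a record for the KSK is published, that key survives and can be used to verify the DNSKEY RRset.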


