problem for validate the script dnssec to isc dlv

Mark Andrews marka at isc.org
Thu Mar 24 21:24:30 UTC 2011


In message <1300993213.12273.96.camel at localhost.localdomain>, "fakessh @" writes:
> hi bind //guru/
> hi isc guru
> hi mark andrews
> hi michel graff
 
There are no DLV records for fakessh.eu.  See below.

There are no DS records for fakessh.eu.  See below.

Two of the nameservers for your zone are not DNSSEC enabled.   They
do NOT return RRSIG records when asked for the DNSKEY records with
DO=1.  See below.

You need to address these issues.

Mark

% dig fakessh.eu.dlv.isc.org dlv

; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21760
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fakessh.eu.dlv.isc.org.		IN	DLV

;; AUTHORITY SECTION:
dlv.isc.org.		2793	IN	SOA	ns-int.isc.org. hostmaster.isc.org. 2011032404 7200 3600 2419200 3600

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 25 08:10:56 2011
;; MSG SIZE  rcvd: 94

% dig ds fakessh.eu

; <<>> DiG 9.6.0-APPLE-P2 <<>> ds fakessh.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20600
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fakessh.eu.			IN	DS

;; AUTHORITY SECTION:
eu.			600	IN	SOA	a.nic.eu. tech.eurid.eu. 1003425849 3600 1800 3600000 600

;; Query time: 930 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 25 08:13:44 2011
;; MSG SIZE  rcvd: 81

% dig +dnssec dnskey fakessh.eu @ns0.xname.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec dnskey fakessh.eu @ns0.xname.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fakessh.eu.			IN	DNSKEY

;; ANSWER SECTION:
fakessh.eu.		38400	IN	DNSKEY	256 3 5 AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89 Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
fakessh.eu.		38400	IN	DNSKEY	257 3 5 AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz 9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=

;; AUTHORITY SECTION:
fakessh.eu.		38400	IN	NS	r13151.ovh.net.
fakessh.eu.		38400	IN	NS	ns0.xname.org.
fakessh.eu.		38400	IN	NS	ns1.xname.org.
fakessh.eu.		38400	IN	NS	ns1.novacrea.fr.
fakessh.eu.		38400	IN	NS	ns2.xname.org.

;; ADDITIONAL SECTION:
ns0.xname.org.		600	IN	A	195.234.42.1
ns1.xname.org.		600	IN	A	87.98.164.164
ns1.novacrea.fr.	55352	IN	A	94.23.59.30
ns2.xname.org.		600	IN	A	88.191.64.64
ns2.xname.org.		600	IN	AAAA	2a01:e0b:1:64:240:63ff:fee8:6155

;; Query time: 391 msec
;; SERVER: 195.234.42.1#53(195.234.42.1)
;; WHEN: Fri Mar 25 08:19:34 2011
;; MSG SIZE  rcvd: 515

%
 
> despite my efforts to validate isc dlv. I'm always at the same point I
> can not validate the keys. error below the script isc
> 
> SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
> 3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
> 3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
> 3.345:INFO Total answers: 3
> 3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
> 3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
> 3.347:SUCCESS All DNSKEY responses are identical.
> 3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1
> AwEAAbjq...Na0iXShQfc=
> 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> 3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1
> AwEAAcNa...y1khCE+CdE=
> 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> 3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
> 3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
> 3.353:DEBUG VERIFY-DNSKEY: Using keys:
> 3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
> 3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
> 3.353:FAILURE DNSKEY signature did not validate.
> 3.353:FINAL_FAILURE FAILURE
> 
> 
> -- 
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
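The two failures Mark lists, no DS or DLV record and DNSKEY answers without RRSIGs, are exactly what drives the "0 keys found after filtering" lines in the quoted script output: a validator anchored at a DS (or at a DLV record, which carries the same RDATA) keeps a DNSKEY only when the key tag, algorithm and digest of some DS match it, and with no DS or DLV there is nothing to match. The following Python script is an added illustration of that selection step and of the DO=1 RRSIG check; it is not code from either post or from ISC's validation script. The two DNSKEY records are taken from the dig output against ns0.xname.org above; every DS and RRSIG record it uses is constructed, and the function names are mine.

```python
"""DS/DLV-anchored DNSKEY selection and the DO=1 RRSIG check.

Added example for this thread; not code from the original posts or from
ISC's validation script.  The two DNSKEY records below are the ones
ns0.xname.org returned in Mark's dig output; every DS, DLV and RRSIG
record used here is constructed for illustration.
"""
import base64
import hashlib

# DNSKEY records from Mark's dig output (the answer section had no RRSIG).
DNSKEY_RECORDS = [
    "fakessh.eu. 38400 IN DNSKEY 256 3 5 "
    "AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN "
    "Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR "
    "P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89 "
    "Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=",
    "fakessh.eu. 38400 IN DNSKEY 257 3 5 "
    "AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz "
    "9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=",
]


def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse a DNSKEY record in dig presentation format into
    (owner, flags, protocol, algorithm, public_key_bytes)."""
    f = line.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    return f[0], flags, proto, alg, base64.b64decode("".join(f[7:]))


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, flags, proto, alg, key, digest_type=2):
    """DS digest (RFC 4034 section 5.1.4): hash(owner wire || DNSKEY RDATA).
    Digest type 1 is SHA-1, type 2 is SHA-256 (RFC 4509)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + dnskey_rdata(flags, proto, alg, key)).hexdigest()


def make_ds(rec, digest_type=2):
    """DS RDATA (key_tag, algorithm, digest_type, digest) that a parent zone,
    or a DLV registry in its DLV record, would publish for DNSKEY rec."""
    owner, flags, proto, alg, key = rec
    return (key_tag(flags, proto, alg, key), alg, digest_type,
            ds_digest(owner, flags, proto, alg, key, digest_type))


def filter_keys(dnskeys, ds_records):
    """Keep only the DNSKEYs that some DS/DLV record authenticates: key tag,
    algorithm and digest must all match.  With no DS and no DLV record
    there is nothing to match, so nothing survives."""
    kept = []
    for rec in dnskeys:
        owner, flags, proto, alg, key = rec
        tag = key_tag(flags, proto, alg, key)
        for ds_tag, ds_alg, dtype, digest in ds_records:
            if dtype not in (1, 2) or (ds_tag, ds_alg) != (tag, alg):
                continue
            if ds_digest(owner, flags, proto, alg, key, dtype) == digest.lower():
                kept.append(rec)
                break
    return kept


def answer_has_dnskey_rrsig(answer_lines):
    """True if a DO=1 DNSKEY answer section carries an RRSIG covering DNSKEY.
    A DNSSEC-capable authoritative server for a signed zone must include it."""
    for line in answer_lines:
        f = line.split()
        if len(f) > 4 and f[3] == "RRSIG" and f[4] == "DNSKEY":
            return True
    return False


if __name__ == "__main__":
    keys = [parse_dnskey(l) for l in DNSKEY_RECORDS]
    print("keys left with no DS/DLV record:", len(filter_keys(keys, [])))
    ds = make_ds(keys[1])  # keys[1] has flags 257, the KSK
    print("DS the parent (or DLV registry) would need: %d %d %d %s" % ds)
    print("keys left with that DS:", len(filter_keys(keys, [ds])))
    print("RRSIG over DNSKEY present:", answer_has_dnskey_rrsig(DNSKEY_RECORDS))
```

Run as-is, it reports zero usable keys with an empty DS set and one once a DS for the flags=257 key is supplied; the DS it prints is the record the zone owner would have to get published at the .eu registry (or registered with the DLV) before any validator can use the zone's keys. Fixing the nameservers that strip RRSIGs is the separate second step: even with a DS in place, `answer_has_dnskey_rrsig` over the answer above returns False, so the DNSKEY RRset could not be verified.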
