problem for validate the script dnssec to isc dlv

fakessh @ fakessh at fakessh.eu
Thu Mar 24 23:13:46 UTC 2011


I have used DLV for 6 months with no worries.


On Thursday 24 March 2011 at 23:21 +0100, fakessh @ wrote:
> Everything worked just fine until I changed the rndc key. The ns on my side
> and only ns1.novacrea.fr and ns1.xname.org are valid for DNSSEC.
> 
> 
> On Thursday 24 March 2011 at 23:02 +0100, fakessh @ wrote:
> > On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
> > > In message <1300993213.12273.96.camel at localhost.localdomain>, "fakessh @" writes:
> > > > hi bind //guru/
> > > > hi isc guru
> > > > hi mark andrews
> > > > hi michel graff
> > >  
> > > There are no DLV records for fakessh.eu.  See below.
> > > 
> > > There are no DS records for fakessh.eu.  See below.
> > > 
> > 
> > Necessarily, because I cannot validate the key via ISC DLV.
> > 
> > > Two of the nameservers for your zone are not DNSSEC enabled.   They
> > > do NOT return RRSIG records when asked for the DNSKEY records with
> > > DO=1.  See below.
> > > 
> > > You need to address these issues.
> > > 
> > > Mark
> > > 
> > > % dig fakessh.eu.dlv.isc.org dlv
> > > 
> > > ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21760
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > > 
> > > ;; QUESTION SECTION:
> > > ;fakessh.eu.dlv.isc.org.		IN	DLV
> > > 
> > > ;; AUTHORITY SECTION:
> > > dlv.isc.org.		2793	IN	SOA	ns-int.isc.org. hostmaster.isc.org. 2011032404 7200 3600 2419200 3600
> > > 
> > > ;; Query time: 3 msec
> > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > ;; WHEN: Fri Mar 25 08:10:56 2011
> > > ;; MSG SIZE  rcvd: 94
> > > 
> > > % dig ds fakessh.eu
> > > 
> > > ; <<>> DiG 9.6.0-APPLE-P2 <<>> ds fakessh.eu
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20600
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > > 
> > > ;; QUESTION SECTION:
> > > ;fakessh.eu.			IN	DS
> > > 
> > > ;; AUTHORITY SECTION:
> > > eu.			600	IN	SOA	a.nic.eu. tech.eurid.eu. 1003425849 3600 1800 3600000 600
> > > 
> > > ;; Query time: 930 msec
> > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > ;; WHEN: Fri Mar 25 08:13:44 2011
> > > ;; MSG SIZE  rcvd: 81
> > > 
> > > % dig +dnssec dnskey fakessh.eu @ns0.xname.org
> > > 
> > > ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec dnskey fakessh.eu @ns0.xname.org
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
> > > ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
> > > ;; WARNING: recursion requested but not available
> > > 
> > > ;; OPT PSEUDOSECTION:
> > > ; EDNS: version: 0, flags: do; udp: 4096
> > > ;; QUESTION SECTION:
> > > ;fakessh.eu.			IN	DNSKEY
> > > 
> > > ;; ANSWER SECTION:
> > > fakessh.eu.		38400	IN	DNSKEY	256 3 5 AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89 Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
> > > fakessh.eu.		38400	IN	DNSKEY	257 3 5 AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz 9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=
> > > 
> > > ;; AUTHORITY SECTION:
> > > fakessh.eu.		38400	IN	NS	r13151.ovh.net.
> > > fakessh.eu.		38400	IN	NS	ns0.xname.org.
> > > fakessh.eu.		38400	IN	NS	ns1.xname.org.
> > > fakessh.eu.		38400	IN	NS	ns1.novacrea.fr.
> > > fakessh.eu.		38400	IN	NS	ns2.xname.org.
> > > 
> > > ;; ADDITIONAL SECTION:
> > > ns0.xname.org.		600	IN	A	195.234.42.1
> > > ns1.xname.org.		600	IN	A	87.98.164.164
> > > ns1.novacrea.fr.	55352	IN	A	94.23.59.30
> > > ns2.xname.org.		600	IN	A	88.191.64.64
> > > ns2.xname.org.		600	IN	AAAA	2a01:e0b:1:64:240:63ff:fee8:6155
> > > 
> > > ;; Query time: 391 msec
> > > ;; SERVER: 195.234.42.1#53(195.234.42.1)
> > > ;; WHEN: Fri Mar 25 08:19:34 2011
> > > ;; MSG SIZE  rcvd: 515
> > > 
> > > %
> > >  
> > > > Despite my efforts to validate with ISC DLV, I'm always at the same point:
> > > > I cannot validate the keys. The error from the ISC script is below.
> > > > 
> > > > SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
> > > > 3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
> > > > 3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
> > > > 3.345:INFO Total answers: 3
> > > > 3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
> > > > 3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
> > > > 3.347:SUCCESS All DNSKEY responses are identical.
> > > > 3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1
> > > > AwEAAbjq...Na0iXShQfc=
> > > > 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> > > > 3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1
> > > > AwEAAcNa...y1khCE+CdE=
> > > > 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> > > > 3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
> > > > 3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
> > > > 3.353:DEBUG VERIFY-DNSKEY: Using keys:
> > > > 3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
> > > > 3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
> > > > 3.353:FAILURE DNSKEY signature did not validate.
> > > > 3.353:FINAL_FAILURE FAILURE
> > > > 
> > > > 
> > > > -- 
> > > > gpg --keyserver pgp.mit.edu --recv-key 092164A7
> > > > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
> > > > 
> > > > _______________________________________________
> > > > bind-users mailing list
> > > > bind-users at lists.isc.org
> > > > https://lists.isc.org/mailman/listinfo/bind-users
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
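
The per-server check Mark Andrews describes in the quoted reply (every authoritative server must return RRSIG records with the DNSKEY set when asked with DO=1), as an added example that is not part of the original message or of the ISC script. It goes slightly further by also matching the RRSIG key tag against the served keys (RFC 4034 Appendix B); the function names, the `example.com` zone, the server names and the toy keys are constructed for illustration.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_dnskey_answer(dig_text):
    """Classify one server's `dig +dnssec dnskey <zone>` output.

    Presence and key-tag check only; the signature itself is not verified.
    """
    key_tags, signer_tags = set(), set()
    for line in dig_text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5 or fields[2] != "IN":
            continue  # skip dig comments, blank lines and non-record lines
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY":
            # dig splits the base64 key into chunks; rejoin them before decoding
            key_tags.add(key_tag(int(rdata[0]), int(rdata[1]), int(rdata[2]), "".join(rdata[3:])))
        elif rtype == "RRSIG" and rdata[0] == "DNSKEY":
            signer_tags.add(int(rdata[6]))  # 7th RRSIG field is the signing key's tag
    if not key_tags:
        return "no-dnskey"
    if not signer_tags:
        return "unsigned"  # DNSKEY served without RRSIG despite DO=1
    return "signed" if signer_tags & key_tags else "signed-by-unknown-key"

def audit_servers(responses):
    """Map each server name to the status of its DNSKEY answer."""
    return {server: audit_dnskey_answer(text) for server, text in responses.items()}

# Constructed sample answers (toy keys, hypothetical servers), not data from the thread.
KEYS = (
    "example.com. 3600 IN DNSKEY 256 3 5 BAUG\n"
    "example.com. 3600 IN DNSKEY 257 3 5 AQ ID\n"
)
RRSIG = ("example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20110424000000 "
         "20110325000000 2056 example.com. c2ln\n")
RESPONSES = {"ns-a.example": KEYS + RRSIG, "ns-b.example": KEYS}

if __name__ == "__main__":
    for server, status in audit_servers(RESPONSES).items():
        print(server, status)
```

A server reported as `unsigned` here is one to fix or drop from the NS set before submitting keys to a DLV registry or publishing a DS record.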