problem for validate the script dnssec to isc dlv

Eivind Olsen eivind at aminor.no
Thu Mar 24 23:30:10 UTC 2011


Fakessh wrote:

> For the DS, it is necessary that I contact OVH.
> Concerning the DLV, my problem is that I have these same recurring errors in the
> script of the ISC.
> That's my problem.

I'll admit, I've had some problems guessing what the problem you're
experiencing really is; there have been mentions of TSIG keys, DNSSEC,
scripts etc. Please bear with me, English isn't my normal language, so
perhaps I've misunderstood something.

If I understand things correctly though, you're unable to get the DLV or
DS records added, and the reason for that seems to be because your DNS
setup doesn't pass a sanity check.

Follow these steps, in this order, and correct these:

1) Two of your nameservers don't seem to do DNSSEC properly. I don't know
which software they are running. If you want to use those nameservers for
a DNSSEC signed domain, you'll need to get whoever manages those
nameservers to make them DNSSEC capable. Depending on the software they're
running, that might just be a configuration issue, or perhaps they'll need
to upgrade to a more recent version of the software to get DNSSEC
capabilities.
The two nameservers that seem to need fixing are ns0.xname.org and
ns2.xname.org.

2) When I check the delegation of the domain fakessh.eu, it's delegated to
4 nameservers. But when I check the NS records in your zone, it lists an
additional 5th nameserver, ns2.xname.org. You should make sure the NS
records in your zone match the delegation - perhaps just remove
ns2.xname.org from your zonefile?

3) I'm not sure why, but if I do "dig any fakessh.eu @ns2.xname.org" I get
a SERVFAIL back:
[eivind@vimes ~]$ dig any fakessh.eu @ns2.xname.org.

; <<>> DiG 9.6.-ESV-R3 <<>> any fakessh.eu @ns2.xname.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7693
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fakessh.eu.                    IN      ANY

;; Query time: 91 msec
;; SERVER: 2a01:e0b:1:64:240:63ff:fee8:6155#53(2a01:e0b:1:64:240:63ff:fee8:6155)
;; WHEN: Fri Mar 25 00:26:26 2011
;; MSG SIZE  rcvd: 28

Doing plain queries for A, AAAA or SOA for example seems to work just fine
though. Am I doing something odd in this query, or is that nameserver
really weird?

4) If you've sorted all the stuff above: now is the time to try to add the
DS or DLV records. I'd not suggest you try this before the previous issues
have been corrected.

Regards
Eivind Olsen
eivind at aminor.no
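
The checks in steps 1 to 3 above, as an added example that is not part of the original message: a POSIX shell script that works on saved dig output instead of querying live servers. The zone example.eu, the names ns1 to ns5.example.net and all sample replies are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: offline pre-delegation checks. All sample data is constructed.

# Lowercase, strip trailing dots, drop blanks, sort and dedupe a list of NS names.
norm_ns() { tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u; }

# Step 2: names in the zone's own NS RRset that the parent delegation lacks.
# $1 = NS names from the parent's referral, $2 = NS names served by the zone.
ns_only_in_zone() {
    deleg=$(printf '%s\n' "$1" | norm_ns)
    printf '%s\n' "$2" | norm_ns | grep -vxF -- "$deleg" || true
}

# Step 3: response code from the dig header line (NOERROR, SERVFAIL, ...).
dig_status() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }

# Step 1: classify one reply to "dig +norec +dnssec SOA <zone> @<server>".
# A DNSSEC-capable server of a signed zone returns an RRSIG along with the SOA.
classify_reply() {
    st=$(dig_status "$1")
    if [ "$st" != "NOERROR" ]; then
        echo "FAIL:${st:-NOREPLY}"
    elif printf '%s\n' "$1" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]+SOA'; then
        echo "OK"
    else
        echo "NO-RRSIG"
    fi
}

# Constructed samples: four delegated servers, five listed in the zone.
DELEGATION='ns1.example.net.
ns2.example.net.
ns3.example.net.
ns4.example.net.'
ZONE_NS="$DELEGATION
NS5.Example.NET."
HDR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1'
SOA='example.eu. 3600 IN SOA ns1.example.net. hostmaster.example.eu. 1 7200 3600 1209600 3600'
SIG='example.eu. 3600 IN RRSIG SOA 8 2 3600 20110424000000 20110325000000 12345 example.eu. c2FtcGxl'
SIGNED="$HDR
$SOA
$SIG"
UNSIGNED="$HDR
$SOA"
SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7693'

echo "NS only in zone: $(ns_only_in_zone "$DELEGATION" "$ZONE_NS")"
for reply in "$SIGNED" "$UNSIGNED" "$SERVFAIL"; do classify_reply "$reply"; done
```

To use it on a real zone, feed each function the saved output of the dig command named in its comment; step 4 (adding the DS or DLV record) only makes sense once every server classifies as OK and the NS comparison prints nothing.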




More information about the bind-users mailing list