testing validation

Carlos Ribas carlos at ansp.br
Wed Apr 18 17:46:20 UTC 2012


Hello,

    Is your recursive resolver also authoritative for raindrop.us? If so,
you will not get the "ad" flag. You can test with DNS-OARC resolver [1]:

# dig +dnssec +multiline @149.20.64.20 raindrop.us

; <<>> DiG 9.7.3 <<>> +dnssec +multiline @149.20.64.20 raindrop.us
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28120
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;raindrop.us.           IN A

;; ANSWER SECTION:
raindrop.us.            3600 IN A 199.26.172.34
raindrop.us.            3600 IN RRSIG A 5 2 3600 20120512011136 (
                                20120412010327 41190 raindrop.us.
                                kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtD
                                lTDfsk+2pPZ/XwKj1k2jIYButqXximUjHOHQHK1bSru7
                                V8DkkN7JF/wozTOiGCs777sOs90jKmaHIIMSTbNcQgtD
                                ySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5SVBY= )

;; Query time: 787 msec
;; SERVER: 149.20.64.20#53(149.20.64.20)
;; WHEN: Wed Apr 18 14:39:45 2012
;; MSG SIZE  rcvd: 227

    It's working fine.

[1] - https://www.dns-oarc.net/oarc/services/odvr


Best regards,

---------------------------------
Carlos Eduardo Ribas



2012/4/18 Alan Batie <alan at peak.org>

> I'm testing out dnssec with bind 9.9.0's auto signing and a test domain;
> this appears to be working (see below, RRSIG records returned from the
> actual nameserver), however an attempt to validate fails with:
>
> # dig +dnssec +sigchase soa raindrop.us
> ;; RRset to chase:
> raindrop.us.            987     IN      SOA     ns1.raindrop.us.
> hostmaster.rdrop.com.
> 2012030815 3600 3600 86400 3600
>
>
>
> Launch a query to find a RRset of type RRSIG for zone: raindrop.us.
>
> ;; RRSIG is missing for continue validation: FAILED
>
>
> I have this included in the resolver's named.conf:
>
> managed-keys {
>   "." initial-key 257 3 8
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
> };
>
> per https://calomel.org/dns_bind.html
>
> When I simply try to validate the root:
>
> # dig +dnssec +sigchase .
> ;; NO ANSWERS: no more
> We want to prove the non-existence of a type of rdata 1 or of the zone:
> there is no NSEC for this zone: validating that the zone doesn't exist
>
> ;; Impossible to verify the Non-existence, the NSEC RRset can't be
> validated: FAILED
>
> I'm not sure what to look for now...
>
>
>
> # dig +dnssec @ns6.peak.org raindrop.us
>
> ; <<>> DiG 9.9.0 <<>> +dnssec @ns6.peak.org raindrop.us
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15953
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;raindrop.us.                   IN      A
>
> ;; ANSWER SECTION:
> raindrop.us.            3600    IN      A       199.26.172.34
> raindrop.us.            3600    IN      RRSIG   A 5 2 3600 20120512011136
> 20120412010327
> 41190 raindrop.us.
> kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtDlTDfsk+2pPZ/
> XwKj1k2jIYButqXximUjHOHQHK1bSru7V8DkkN7JF/wozTOiGCs777sO
> s90jKmaHIIMSTbNcQgtDySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5S VBY=
>
> ;; AUTHORITY SECTION:
> raindrop.us.            3600    IN      NS      ns1.raindrop.us.
> raindrop.us.            3600    IN      RRSIG   NS 5 2 3600
> 20120512011136 20120412010327
> 41190 raindrop.us.
> UQxIRpKV+b4opfCJx/j4oIFht8nqxpn1g0siOLI2XkxfVrnXHh17/ChT
> X6PH5YOrF7D3v7AUMbVo+o8glSUfk1uML8i3C8H5lD/NmujPPrIqFaO/
> 6zCJen1q34FVunCoqfrYvYlaKHenFGsrpOl61H75ns0IjLMXSs+TRpIY GTs=
>
> ;; ADDITIONAL SECTION:
> ns1.raindrop.us.        3600    IN      AAAA    2607:f678::56
> ns1.raindrop.us.        3600    IN      RRSIG   AAAA 5 3 3600
> 20120512011136
> 20120412010327 41190 raindrop.us.
> MhaOIt7D7kT8k4USk9Mpocw+tSx8WBSO/Yi+4F/YFV1ZVSXLKgYj4K4S
> hTjVTBD3tCQYMJY+SkArlkoQRyTk4QYrLV8CP2TvvdrUPjZUZNAEMsuk
> 0NWsd2tLgStZ34yN0Pe1xa9P2SZjvsXJj1D1N5JNFxfS/OFCwMa9Hvcr atM=
>
> ;; Query time: 253 msec
> ;; SERVER: 2607:f678:10::53#53(2607:f678:10::53)
> ;; WHEN: Tue Apr 17 23:29:08 2012
> ;; MSG SIZE  rcvd: 615
>
>
>
>
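To make the point about the "ad" flag concrete, here is an added Python example (not part of the original thread or of BIND) that builds the kind of query `dig +dnssec` sends (RD set, EDNS0 OPT RR with the DO bit) and reads the response header flags the way dig prints them. The responses are constructed locally to mimic the two answers in the thread (a validating resolver returning `qr rd ra ad`, an authoritative server returning `qr aa rd`), so nothing goes on the wire.

```python
import struct

# Header flag bits (RFC 1035; AD/CD from RFC 4035). The EDNS DO bit lives in
# the OPT pseudo-RR's TTL field (RFC 6891). Order matches dig's "flags:" line.
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}
EDNS_DO = 0x8000
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234, dnssec=True):
    """Build what `dig +dnssec` sends: RD set plus an OPT RR carrying the DO bit."""
    header = struct.pack(">HHHHHH", txid, FLAG_BITS["rd"], 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)
    # OPT RR: root name, type 41, "class" = UDP payload size (4096 as in dig),
    # TTL = extended rcode/version/flags, no options (rdlength 0).
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, EDNS_DO if dnssec else 0, 0)
    return header + question + opt

def constructed_response(query, flags):
    """Constructed test data, not a real server: echo id, counts, question and OPT,
    replacing only the header flags."""
    bits = sum(FLAG_BITS[f] for f in flags)
    return query[:2] + struct.pack(">H", bits) + query[4:]

def header_flags(msg):
    """Flag names set in a DNS message header, in dig's display order."""
    (flags,) = struct.unpack(">H", msg[2:4])
    return [n for n, bit in FLAG_BITS.items() if flags & bit]

def edns_do(msg):
    """DO bit of a trailing, option-less OPT RR (the form build_query emits)."""
    if len(msg) < 11 or msg[-11] != 0:
        return False
    rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[-10:])
    return rtype == TYPE_OPT and rdlen == 0 and bool(ttl & EDNS_DO)

def classify(msg):
    """Read the flags the way the thread does: AD means the resolver validated the
    chain; AA without AD means the server answered as authoritative (a resolver that
    is also authoritative for the zone answers this way and never sets AD)."""
    f = header_flags(msg)
    if "ad" in f:
        return "validated"
    if "aa" in f:
        return "authoritative"
    return "unvalidated"

if __name__ == "__main__":
    q = build_query("raindrop.us")
    for who, flags in [("validating resolver ", ["qr", "rd", "ra", "ad"]),
                       ("authoritative server", ["qr", "aa", "rd"])]:
        r = constructed_response(q, flags)
        print(who, " ".join(header_flags(r)), "do" if edns_do(r) else "-", classify(r))
```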