trying DNSSEC with 9.9-rc1

Michael W. Lucas mwlucas at blackhelicopters.org
Thu Feb 2 01:54:48 UTC 2012


On Wed, Feb 01, 2012 at 11:51:55PM +0000, Spain, Dr. Jeffry A. wrote:
> > Any suggestions, folks? What am I not understanding?
> 
> Michael: To determine why there is no DNSSEC information being returned by your dig query, consider the following:
> 
> What are the timestamps in your key metadata? Are they currently published and active?
> nstest/etc/namedb/keys;dnssec-settime -p all Ktransnetworks.net.+005+54607.private
> 
> What are the file modes and ownership of your keys? Can named running under whatever UID it is using read the keys?
> 
> What are the full contents of your unsigned and signed zone files? Any clues there?
> nstest/etc/namedb/keys;named-checkzone -j -o - transnetworks.net transnetworks.net
> nstest/etc/namedb/keys;named-checkzone -j -f raw -o - transnetworks.net transnetworks.net.signed
> 
> Are there syslog messages that indicate any problems signing your zone?
> nstest/etc/namedb/keys;cat /var/log/syslog | grep named
> 
> Ultimately with dnssec-dsfromkey, you may wish to leave out "-2" and generate both SHA-1 and SHA-256 digests. Depending on your registrar, they may accept one, the other, or both. The DS record submission is usually done on your registrar's web site.
> 
> With dnssec-keygen, I used "-b 2048". I don't think there is a compelling argument for using a shorter key.
> 
> Note that dig +dnssec queries targeted at your authoritative server will ultimately return DNSSEC records but will never return an AD flag. Eventually you will want to see the AD flag to know that all is well with the chain of trust through "net." up to the DNS root zone, and for this you will need a DNSSEC-enabled recursive resolver. You can use DNS-OARC's open validating resolver to test: https://www.dns-oarc.net/oarc/services/odvr. You can fairly easily set up another bind server as a recursive resolver for your own use as well. Two other good tests for your DNSSEC-enabled zones are at http://dnsviz.net/ and http://dnssec-debugger.verisignlabs.com/.
> 
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
> 

Thanks for your advice!

This gave me everything I needed. After intermittent experiments for
the last several years, I now have DNSSEC on my test domain.

Will write this up for the next newbie.

Thanks again,
==ml

-- 
Michael W. Lucas 	
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlucas at BlackHelicopters.org, Twitter @mwlauthor
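As an added illustration of the first check in the quoted advice (are the keys currently published and active?), and not code from either poster: a small Python routine that reads the Publish/Activate/Inactive/Delete lines from a BIND K*.private file and reports the key's state at a given instant. The key file text below is constructed, and the decision rules follow the documented meaning of the timing fields, not a copy of named's own logic.

```python
from datetime import datetime, timezone

# Constructed sample of the timing metadata BIND keeps in a
# K<zone>.+<alg>+<id>.private file (format v1.3); key material omitted.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Created: 20120201000000
Publish: 20120201000000
Activate: 20120202000000
Revoke: UNSET
Inactive: 20120301000000
Delete: 20120401000000
"""

TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")


def ts(value):
    """Parse BIND's YYYYMMDDHHMMSS timestamp (always UTC) into a datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_timing(text):
    """Return {field: datetime or None} for the timing lines; UNSET/absent -> None."""
    timing = {f: None for f in TIMING_FIELDS}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if sep and name in timing and value and value.upper() != "UNSET":
            timing[name] = ts(value)
    return timing


def key_state(timing, now):
    """Published: Publish <= now and Delete (if set) still in the future.
    Active (used for signing): Activate <= now and Inactive (if set) in the future.
    An unset Publish or Activate means the event never happens."""
    def reached(field):
        return timing[field] is not None and timing[field] <= now
    published = reached("Publish") and not reached("Delete")
    active = reached("Activate") and not reached("Inactive")
    return {"published": published, "active": active}


def explain(text, now):
    """One-line verdict for the 'published and active?' question in the thread."""
    st = key_state(parse_key_timing(text), now)
    if st["published"] and st["active"]:
        return "published and active: named can sign with this key"
    if st["published"]:
        return "published but not active: DNSKEY is in the zone, no RRSIGs are made"
    if st["active"]:
        return "active but not published: signatures without a matching DNSKEY"
    return "not published: dig will show no DNSSEC data from this key"
```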
