Zones not being recognised as Signed

J T jt4websites at gmail.com
Thu Mar 30 23:17:33 UTC 2017


Please ignore the * in the copy pasted records. It seems the list converts
color text to be *TEXT* hehe

On 31 March 2017 at 00:11, J T <jt4websites at gmail.com> wrote:

> Hi Mark,
>
> Thank you for responding. What do you mean by zone apex?
>
> If we assume one of the domains that fails to be seen as signed is "
> example.co.uk" then would the apex be the domain name with no prefixes?
>
> I've changed the domain name but this is part of what I have in my signed
> zone file for one of the zones that fails to be recognised as signed
> (after the signing process).
>
> example.co.uk. IN RRSIG *NSEC*3PARAM 7 3 0 20170429213251 20170330213251
> 39233 example.co.uk.  [base64 signature data elided]
>
> and
>
> example.co.uk.   IN      DNSKEY  257 3 7 [base64 key data elided]
>
> example.co.uk.   IN      DNSKEY  256 3 7 [base64 key data elided]
>
> I compared it with the one of the zones that is recognised as signed and I
> see the following there:
>
> workingexample.email. 38400 *IN NSEC* _dmarc.workingexample.email. A NS
> SOA MX TXT AAAA SSHFP RRSIG NSEC DNSKEY SPF
>
> workingexample.email. *IN DNSKEY* 257 3 8 [base64 key data elided]
>
> workingexample.email. *IN DNSKEY* 256 3 8 [base64 key data elided]
>
> So, it would appear that no 'IN NSEC' or 'IN NSEC3PARAM' is being added
> when the 'example.co.uk' is signed.
>
> As far as I can tell no error was reported during the signing process for
> example.co.uk - do you have any suggestions as to what might stop the
> signing tool from adding the 'IN NSEC' or 'IN NSEC3PARAM' records?
>
> Jay
>
> On 30 March 2017 at 23:02, Mark Andrews <marka at isc.org> wrote:
>
>>
>> In message <CAB=ej3rXb-+UkwyT8RoURszF70Gi76ksj7Uk6uuvqF5pUG3Dwg at mail.gmail.com>, J T writes:
>> > Hi,
>> >
>> > I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .co.uk ).
>> >
>> > I used Webmin to do the heavy lifting of signing/resigning etc.
>> >
>> > Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on
>> > restart/zone application and that fact is reported in the system logs.
>> >
>> > I’m trying to work out why 3 are failing to be recognised as Signed.
>> >
>> > No errors are reported as part of the signing process. The zonefiles
>> > appear to have loads of DNSSEC related resource records.
>> >
>> > e.g.
>> >
>> >    - RRSIG (digital signature)
>> >    - DNSKEY (public key)
>> >    - DS (parent-child)
>> >    - NSEC (proof of nonexistence)
>> >    - NSEC3 (proof of nonexistence)
>> >    - NSEC3PARAM (proof of nonexistence)
>> >
>> > and the parent registrar has had DS records added.
>> >
>> > As bind is not flagging the zone as signed it's not returning RRSIGs in
>> > the Answer section of a query (although they are provided in the
>> > Additional section).
>> >
>> > I’m not really sure what the criteria are for bind to decide a zone is
>> > signed.
>>
>> For a zone to be treated as secure (signed) there needs to be an
>> NSEC record at the zone apex or an NSEC3PARAM record at the zone
>> apex.  There also needs to be a DNSKEY RRset containing a zone key.
>>
>> While named is in the process of signing a zone initially these
>> conditions are not met.  The last stage of initial signing is to
>> add the NSEC record to the apex or to add the NSEC3PARAM record.
>>
>> The first stage of going insecure is to remove the NSEC/NSEC3PARAM
>> record at the zone apex.
>>
>> > The same process is being used to sign/resign the 5 zones but only 2 are
>> > flagged as signed.
>> >
>> > Any tips on how to debug this would be appreciated.
>> >
>> > Thanks,
>> >
>> > Jay
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>>
>
>
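As an added example, not the poster's zone data or named's own logic, here is a small Python check that applies the criteria Mark gives above (apex NSEC or NSEC3PARAM, plus a DNSKEY with the Zone Key flag) to a zone file in presentation format. The sample records are constructed, truncated stand-ins for the two zones quoted in the thread, and the parser assumes one record per line with a fully qualified owner name.

```python
# Constructed sample zone snippets (not the poster's real records), with the
# key/signature data truncated. WORKING has an apex NSEC plus DNSKEYs; BROKEN has
# DNSKEYs and an RRSIG covering NSEC3PARAM but no NSEC/NSEC3PARAM at the apex.
WORKING_ZONE = """\
workingexample.email. 38400 IN NSEC _dmarc.workingexample.email. A NS SOA RRSIG NSEC DNSKEY
workingexample.email. IN DNSKEY 257 3 8 AwEAAeLe...
workingexample.email. IN DNSKEY 256 3 8 AwEAAbCK...
"""
BROKEN_ZONE = """\
example.co.uk. IN RRSIG NSEC3PARAM 7 3 0 20170429213251 20170330213251 39233 example.co.uk. T1VK...
example.co.uk. IN DNSKEY 257 3 7 AwEAAbZF...
example.co.uk. IN DNSKEY 256 3 7 AwEAAcqX...
"""
ZONE_KEY_FLAG = 0x0100  # RFC 4034 s2.1.1: Zone Key bit in the DNSKEY flags field

def parse_records(zone_text):
    """Yield (owner, rrtype, rdata_fields) for each one-line record.
    Assumes every line starts with a fully qualified owner name; TTL and class
    are optional and skipped. Parenthesised multi-line records and $ORIGIN are
    not handled."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, tokenise
        if not fields:
            continue
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():            # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if rest:
            yield owner.lower(), rest[0].upper(), rest[1:]

def check_signed(zone_text, apex):
    """Apply the criteria from the thread: an NSEC or NSEC3PARAM record at the
    apex, and a DNSKEY RRset there containing a key with the Zone Key flag.
    Returns the individual findings plus the combined 'signed' verdict."""
    apex = apex.lower().rstrip(".") + "."
    found = {"apex_nsec": False, "apex_nsec3param": False, "zone_key": False}
    for owner, rrtype, rdata in parse_records(zone_text):
        if owner != apex:                          # only apex records matter here
            continue
        if rrtype == "NSEC":
            found["apex_nsec"] = True
        elif rrtype == "NSEC3PARAM":
            found["apex_nsec3param"] = True
        elif rrtype == "DNSKEY" and rdata and rdata[0].isdigit():
            if int(rdata[0]) & ZONE_KEY_FLAG:     # 256 and 257 both have it set
                found["zone_key"] = True
    found["signed"] = (found["apex_nsec"] or found["apex_nsec3param"]) and found["zone_key"]
    return found
```

Run against the BROKEN sample the verdict is False with only the DNSKEY criterion met, which matches the symptom in the thread: an RRSIG over NSEC3PARAM does not count, the NSEC3PARAM record itself must be present at the apex.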