Zones not being recognised as Signed

J T jt4websites at gmail.com
Thu Mar 30 23:39:06 UTC 2017


Hi Mark,

I think I found the problem. It seems Webmin's code for handling the signing
wasn't dealing with NSEC3PARAM records properly. Essentially, when merging
the signed records back into the original host file, it was only putting in
NSEC, NSEC3 and RRSIG. It wasn't handling NSEC3PARAM at all. The zones that
were "working" were using a different algorithm and so it didn't mismanage
those.

Sorry for troubling you. However your information did help me locate the
problem.

Thanks

Jay

On 31 March 2017 at 00:17, J T <jt4websites at gmail.com> wrote:

> Please ignore the * in the copy pasted records. It seems the list converts
> color text to be *TEXT* hehe
>
> On 31 March 2017 at 00:11, J T <jt4websites at gmail.com> wrote:
>
>> Hi Mark,
>>
>> Thank you for responding. What do you mean by zone apex?
>>
>> If we assume one of the domains that fails to be seen as signed is
>> "example.co.uk" then would the apex be the domain name with no prefixes?
>>
>> I've changed the domain name but this is part of what I have in my signed
>> zone file for one of the zones that fails to be recognised as signed
>> (after the signing process).
>>
>> example.co.uk. IN RRSIG *NSEC*3PARAM 7 3 0 20170429213251 20170330213251
>> 39233 example.co.uk.  T1VK1lrlk+4++3Nr7WlS3CeJISCPofUuo799
>> S8wKrLG5UngbzRty1DQ2q6uPkiIVoqtuZJdd IklQIZxrCXt1NGSq8yQ4sNodVHMH90dvYQtY
>> UkViTVIqX15bcY/rLIwOXjrkfz6BB9oavzPZ cuycGR0zd76sgslFJNAZt8hv7XhXxnP94Ke7
>> VkxCsdpIT98WMrk6eBEtL76VTm855O2X/lw2 yQdLerE578rZSmOc4K6NKxqeAwVN9ktB9DnK
>> ugTJmZVIeF/IPcJzeOpNUHA8QkS/dbNqZ5Po 6CIpTzHospp6xHyBJ8V8GK5PSNLtiPaIHIkE
>> 0C1LgiBLv7e4Hiejq2ZOrIiJAtMILiT95YcT n5LJaQkSsbNlS96nSmyE49iUMM4lWwOji3HG
>> +oLdGdRSwO+1ySyN4XyY2yIfAF+8oKsjHLyJ zeMhRqHI3kE0+zbtsw7sjQveNzpCxW7reIa+
>> XlDjX1SkYXucG/f7BPxYSBCf4Qf0wZgGFC9h oSPZFNsIpDYJnG3kiwPdXr5dDwKJyhX2iBQT
>> jb9omapnn6YBSN0xNnFwBZ5UqBNAkuOH4jQA CXSQW390CoKPt/gCQfdMkEEFd7dgsLeBQI36
>> ABsH1DQtxFqCjCdGK5gFmeKNGvzJPnNlT+++ Xy8VoMXX7xlM4qkSDwRjee8hT3s9ObLxWKI=
>>
>> and
>>
>> example.co.uk.   IN      DNSKEY  257 3 7 AwEAAbZFkjq1Q+7Z67VNF3DkvwZTFFK+sgM+2H+xFqkpyeHQoLmsSAWj
>> BoulxcEIVenvY/X8fFvHk4yemA0z9DWpVEL9//zGtIVInJqRzzVlx7QQ
>> RWDuYqya+U6YpzYkYX0DspOyzFFswtMclF0ktmFB7XOSEmy70OfJL4Oy
>> p4GI5wT8M26bQmDQ6w+UcHUO7M8ciF6qJ5JP68O34BlmUq7gGm1DlqVK
>> o1puldx22djX8GqvqhJjPaV5OHOXn4C5axR0IXiz9C39t1mjAkfxlHJW
>> kshl+ENmdyyI6hw1vOqLHRmGlDQnL2wdvwerYGfLUAAEYx7+n9v+Ubec
>> J83SBt90g5OGyT0JH2BTe5IaQeU8+OwQ97P0dRc3yIbGI9e0RSQuE1Zy
>> 0YUHsIiHpTXrr16vBV97FPLzKGxV0i7AM15JoSCauUyr0DNA391pxVDd
>> HOeyqpxxV69jNWKcdPV7KJFBSEGI3Uthp8uzNRepdJolg0qxNZy8n5tx
>> 4sWIGAF2pqLFPZDLPa6yrFazq85JwhYmeqtiR1YXdsxHnR+My714mApl
>> TiUD4EPP2ylbXeKvsOEWU0NwoAXf92uaSj9C8hH/JIboPDSk1/Y6uv5l
>> YufyA6f3UFbZPAeqlp2OifE9t0nCqfi43Od70qyvPULqo7S7gtpq6nWA fqSDCTGxBwOVthD9
>>
>> example.co.uk.   IN      DNSKEY  256 3 7 AwEAAcqXsmOpeTwLI6ikMgz8JZWddUaKjcX+BpCtbkB9pmngl2JugzoQ
>> iW+NGcYgLjKkpPHxsHDPBBbfrFTy0l+htYyi6tudAjlNOju+tvMDB4VC
>> 86aC100XcSF/h1eSqPxPZz4CjdeBI8x/ahbh7bKHILnokb2mK9CLpZ2w
>> j4UbCkXu8Of3WWamU3uAEnQ6Lm1xZ8HHxf86S5ev0e+bSm+JTkJVdk12
>> 8iIBu6t9lWpYeSemtxHfLhK0Pm1evnHFpr17Sk9/yt5gUZkTd0d9nazT
>> GsUNjbgdyr943K05wAs5EEgqEIp5eI9zcJ1QeeXBG+co5grBa6Leq3Pm
>> zcqxwtzuB2VDRKr9P34tT5n5OY2jg+B98ERd3TiLJTF+wd5Pa5n+lVXt
>> nkAODvfYv+xlEgUqfnIxEfNc7aQKXwWaLBW1Hx25aobsXJ+vrdhE+sqd
>> Jbzjr8p+EG8ZS8gJ9c4B+snMOYwns7hVAATX/3K3XwJUcdGQoynm20iV
>> acDErzZRzHqW+XNtU5EnBjpdzK+Lz0wH63yXRIOd09ap6XACkRH1ApNo
>> syOFdEVwEgTJEPvavu6FH6YR6iHmVR+YqblSBOCP5jfdIVmHm+MfihJs
>> 3whGNAo9XPFEYg+M6vJ8e04zMD17mWL4w/lilhLy1CbuzU2Bw1yniFRI P9mvO7K0z/mrPxWn
>>
>> I compared it with the one of the zones that is recognised as signed and
>> I see the following there:
>>
>> workingexample.email. 38400 *IN NSEC* _dmarc.workingexample.email. A NS
>> SOA MX TXT AAAA SSHFP RRSIG NSEC DNSKEY SPF
>>
>> workingexample.email. *IN DNSKEY* 257 3 8 AwEAAeLetJzQo74Zi/qXJjF4JoF37qu0rXTWQzn7yUC058w76SrPVV4a
>> hZIPI9oBNcWn5yeP6qR/bIkBM1OKfP0qGgLRyLAZPdsB36q1BnEfLrbi
>> trZmlGY8+AnUxjpPbEscT/g47UJiN9exBs0wAPdwwTRypYwBOVzP7cRP
>> TiPf0QlMslMrgd9lpFhFQblj97sZiVTZCyJM2FhKo3bdwDpde6fkJV0I
>> Ilrj3X47hJMFwW3UbA+H8UE/8jWrhrmSPi5b/uxbMY9qkOeaFm/LexC6
>> tr89pCesYrnIqceQTsvJl7+HOB1WNzW4vkC0idzo1kq65Woo8FOvzM7x HukCPrlyWvc=
>>
>> workingexample.email. *IN DNSKEY* 256 3 8 AwEAAbCKGjHIFvhlPpVeReXSDymlwlyeHwejRF0vBp7GTdFv2qCRI1Wc
>> 9GDhVuUWmBv9gxynqQgf4K460RMia1ElZjOFQUZwB4i/OgvfAedEdjov
>> r+G7fHt45FShmR5WLuPOP1EGvJAki18rJgZL99PY4bAqq+s7Ut/SCmAs
>> gKsy1WkL0cfEyl4qWPDv5YRbM4NBCZUZfO7nzmjuvIY+rlGEC00=
>>
>> So, it would appear that no 'IN NSEC' or 'IN NSEC3PARAM' is being added
>> when 'example.co.uk' is signed.
>>
>> As far as I can tell no error was reported during the signing process for
>> example.co.uk. Do you have any suggestions as to what might stop the
>> signing tool from adding the 'IN NSEC' or 'IN NSEC3PARAM' records?
>>
>> Jay
>>
>> On 30 March 2017 at 23:02, Mark Andrews <marka at isc.org> wrote:
>>
>>>
>>> In message <CAB=ej3rXb-+UkwyT8RoURszF70Gi76ksj7Uk6uuvqF5pUG3Dwg at mail.gmail.com>, J T writes:
>>> > Hi,
>>> >
>>> > I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .co.uk ).
>>> >
>>> > I used Webmin to do the heavy lifting of signing/resigning etc.
>>> >
>>> > Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on
>>> > restart/zone application and that fact is reported in the system logs.
>>> >
>>> > I’m trying to work out why 3 are failing to be recognised as Signed.
>>> >
>>> > No errors are reported as part of the signing process. The zonefiles
>>> > appear to have loads of DNSSEC related resource records.
>>> >
>>> > e.g.
>>> >
>>> >    - RRSIG (digital signature)
>>> >    - DNSKEY (public key)
>>> >    - DS (parent-child)
>>> >    - NSEC (proof of nonexistence)
>>> >    - NSEC3 (proof of nonexistence)
>>> >    - NSEC3PARAM (proof of nonexistence)
>>> >
>>> > and the parent registrar has had DS records added.
>>> >
>>> > As bind is not flagging the zone as signed it's not returning RRSIGs in
>>> > the Answer section of a query (although they are provided in the
>>> > Additional section).
>>> >
>>> > I'm not really sure what the criteria are for bind to decide a zone is
>>> > signed.
>>>
>>> For a zone to be treated as secure (signed) there needs to be an
>>> NSEC record at the zone apex or an NSEC3PARAM record at the zone
>>> apex.  There also needs to be a DNSKEY RRset containing a zone key.
>>>
>>> While named is in the process of signing a zone initially these
>>> conditions are not met.  The last stage of initial signing is to
>>> add the NSEC record to the apex or to add the NSEC3PARAM record.
>>>
>>> The first stage of going insecure is to remove the NSEC/NSEC3PARAM
>>> record at the zone apex.
>>>
>>> > The same process is being used to sign/resign the 5 zones but only 2
>>> > are flagged as signed.
>>> >
>>> > Any tips on how to debug this would be appreciated.
>>> >
>>> > Thanks,
>>> >
>>> > Jay
>>>
>>> --
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>>>
>>
>>
>
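The following checker is an added example for this thread, not Webmin's or BIND's code. It applies the two criteria Mark states (an NSEC or NSEC3PARAM record at the apex, plus a DNSKEY carrying the Zone Key flag) to a zone file, and models the merge step Jay describes: copying a fixed set of record types from the signer's output back into the original zone. The three-type set {NSEC, NSEC3, RRSIG} is taken from Jay's description; the zone contents, owner names, keys and signature strings are constructed placeholders, and the assumption that the DNSKEY RRset is already present in the unsigned input is the example's own. Algorithm 7 is RSASHA1-NSEC3-SHA1, so the failing zone uses NSEC3 and its apex proof is the NSEC3PARAM record; the working algorithm-8 zone uses NSEC, which the narrow merge set does copy, which is why it kept passing.

```python
"""Apex check for the 'is this zone signed' criteria from the thread (NSEC or
NSEC3PARAM at the apex, plus a DNSKEY with the Zone Key flag), and a model of
the merge step that shows why dropping NSEC3PARAM only hurts NSEC3 zones.
Added example, not Webmin or BIND code; all zone data below is constructed."""
import re
from typing import List, Set, Tuple

Record = Tuple[str, str, List[str]]  # (owner, rtype, rdata tokens)

# Types a merge copies from signer output into the original zone: the first
# set is what the thread says Webmin copied, NSEC3PARAM being the omission.
BROKEN_MERGE_TYPES: Set[str] = {"NSEC", "NSEC3", "RRSIG"}
FIXED_MERGE_TYPES: Set[str] = BROKEN_MERGE_TYPES | {"NSEC3PARAM"}

ZONE_KEY_FLAG = 0x100  # DNSKEY flags bit 7: 256 = ZSK, 257 = zone key + SEP (KSK)
_TTL_OR_CLASS = re.compile(r"^(\d+|IN|CH|HS)$", re.IGNORECASE)

def parse_zone(text: str) -> List[Record]:
    """One record per line, absolute names, optional TTL/class, ';' comments,
    blank-owner continuation lines. $ directives are skipped and multi-line
    parentheses are unsupported: enough for the DNSSEC apex check."""
    records: List[Record] = []
    last_owner = None
    for raw in text.splitlines():
        body = raw.split(";", 1)[0].rstrip()
        if not body.strip() or body.startswith("$"):
            continue
        tokens = body.split()
        if body[0].isspace():  # leading whitespace: reuse previous owner
            if last_owner is None:
                raise ValueError("continuation line before any owner name")
            owner, rest = last_owner, tokens
        else:
            owner, rest = tokens[0], tokens[1:]
        while rest and _TTL_OR_CLASS.match(rest[0]):
            rest.pop(0)  # TTL and/or class, in either order
        if not rest:
            raise ValueError(f"no record type in line: {raw!r}")
        records.append((owner, rest[0].upper(), rest[1:]))
        last_owner = owner
    return records

def _norm(name: str) -> str:
    return name.rstrip(".").lower() + "."

def is_signed(records: List[Record], zone: str) -> Tuple[bool, str]:
    """Mark's criteria: a DNSKEY zone key at the apex and an apex NSEC or
    NSEC3PARAM. Returns (signed, reason)."""
    apex = [r for r in records if _norm(r[0]) == _norm(zone)]
    if not any(r[1] == "DNSKEY" and int(r[2][0]) & ZONE_KEY_FLAG for r in apex):
        return False, "no DNSKEY with the Zone Key flag at the apex"
    if not {r[1] for r in apex} & {"NSEC", "NSEC3PARAM"}:
        return False, "no NSEC or NSEC3PARAM at the apex (treated as unsigned)"
    return True, "apex has NSEC/NSEC3PARAM and a zone key"

def merge_signed(original: List[Record], signed: List[Record],
                 copy_types: Set[str]) -> List[Record]:
    """Model of 'merge the signed records back into the original file'."""
    return list(original) + [r for r in signed if r[1] in copy_types]

def check_merge(unsigned: str, signer_out: str, zone: str,
                copy_types: Set[str]) -> Tuple[bool, str]:
    merged = merge_signed(parse_zone(unsigned), parse_zone(signer_out), copy_types)
    return is_signed(merged, zone)

# Constructed NSEC3 zone (algorithm 7, like the failing example.co.uk). The
# DNSKEY RRset is assumed to be in the unsigned input already.
UNSIGNED_NSEC3 = """\
example.co.uk. 3600 IN SOA ns1.example.co.uk. hostmaster.example.co.uk. 2017033001 7200 900 1209600 3600
example.co.uk. 3600 IN NS ns1.example.co.uk.
example.co.uk. 3600 IN DNSKEY 257 3 7 AwEAAconstructedKSK=
example.co.uk. 3600 IN DNSKEY 256 3 7 AwEAAconstructedZSK=
"""
SIGNER_OUT_NSEC3 = UNSIGNED_NSEC3 + """\
example.co.uk. 0 IN NSEC3PARAM 1 0 10 AABBCCDD
example.co.uk. 0 IN RRSIG NSEC3PARAM 7 3 0 20170429213251 20170330213251 39233 example.co.uk. sig=
1AVVQN74SG75UKFVF25DGCETHGQ638EK.example.co.uk. 3600 IN NSEC3 1 0 10 AABBCCDD 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR NS SOA RRSIG DNSKEY NSEC3PARAM
"""

# Constructed NSEC zone (algorithm 8, like the working .email zone).
UNSIGNED_NSEC = """\
workingexample.email. 38400 IN SOA ns1.workingexample.email. hostmaster.workingexample.email. 2017033001 7200 900 1209600 3600
workingexample.email. 38400 IN NS ns1.workingexample.email.
workingexample.email. 38400 IN DNSKEY 257 3 8 AwEAAconstructedKSK=
workingexample.email. 38400 IN DNSKEY 256 3 8 AwEAAconstructedZSK=
"""
SIGNER_OUT_NSEC = UNSIGNED_NSEC + """\
workingexample.email. 38400 IN NSEC workingexample.email. NS SOA RRSIG NSEC DNSKEY
workingexample.email. 38400 IN RRSIG NSEC 8 2 38400 20170429213251 20170330213251 11111 workingexample.email. sig=
"""

if __name__ == "__main__":
    for zone, unsigned, out in (("example.co.uk", UNSIGNED_NSEC3, SIGNER_OUT_NSEC3),
                                ("workingexample.email", UNSIGNED_NSEC, SIGNER_OUT_NSEC)):
        for label, types in (("merge w/o NSEC3PARAM", BROKEN_MERGE_TYPES),
                             ("merge with NSEC3PARAM", FIXED_MERGE_TYPES)):
            print(f"{zone}: {label}: {check_merge(unsigned, out, zone, types)}")
```

Run stand-alone it prints the verdict for both zones under both merge sets: the NSEC3 zone only passes once NSEC3PARAM is carried across, the NSEC zone passes either way. Against a running server the same apex check is `dig +dnssec +norecurse @<auth-ns> example.co.uk NSEC3PARAM` (or `NSEC`) together with `dig DNSKEY`; an empty apex answer puts the zone in the state the thread describes.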