dnssec KSK rollover
project722
project722 at gmail.com
Thu Aug 23 12:20:01 UTC 2018
Hi Tony,
I've removed the config for managed keys out of my named.conf, moved any
files called bind.keys out from my named working directory, and restarted
Bind. I see where Bind created two files - managed-keys.bind and
managed-keys.bind.jnl. So, I think I'm on the right track. That said, two
things:
1) I am still seeing the "no valid signature found" messages in my
bind.log. However, *I don't think* this is a problem because when I
query a hostname against my server that produces one of these errors, it
still resolves. For instance,
# root at fccore 07:01:07 0 jobs ~ > delv @x.x.x.x ncentral.teklinks.com A
+multiline +rtrace
;; fetch: ncentral.teklinks.com/A
;; fetch: teklinks.com/DNSKEY
;; fetch: teklinks.com/DS
;; fetch: com/DNSKEY
;; fetch: com/DS
;; fetch: ./DNSKEY
;; fetch: teklinks.com.dlv.isc.org/DLV
;; fetch: dlv.isc.org/DNSKEY
;; validating ncentral.teklinks.com/A: no valid signature found
; unsigned answer
ncentral.teklinks.com. 2482 IN A 104.245.194.14
ncentral.teklinks.com. 2482 IN RRSIG A 5 3 43200 (
20180915012340 20180816012340 46266 teklinks.com.
k2Q0WFrwuC8ouvapXp8XIgTznwJ3VS1Ag+b8/8ajSKBe
6qLal+hYqc96WmIfYvz1fkM5Oze+WXZifeohO7ZEwlLn
8RJCXlGEEtgZ6Phr44fBbjHg7wAGxaG0KLw3JNJJVDWq
48/sB7Qftat8Hp1M/56qi6OjI22bbyBA8nYQ03kc84c6
MjCBSJfrum78AJXMFD69wXERDz6GCcaLgL3jJlIH9vZg
mB5EquQtZmxU/6izQJGqZs3Ht+3NkhcKYnqpRFyHrEmo
VPqiuEBmGhVyJJChLpbLvOwFvjTZEaedoMXv5pQ8Ys9d
sg4y1gokR+HXkeTKHr8RWayElh8gu5QKoQ== )
So, I can see here that it still resolves BUT something fails to validate a
signature. Where is the breakdown here? It was able to fetch the DNSKEY for
teklinks.com:
;; fetch: teklinks.com/DNSKEY
but not ncentral.teklinks.com:
;; validating ncentral.teklinks.com/A: no valid signature found
Shouldn't this validate? I mean, if teklinks.com can validate, shouldn't
the stub "ncentral" as well, since it's in the zone file? What am I missing
here?
2) There is one other scenario that confuses me. When I test against a URL
that's purposely set up to fail DNSSEC, I get a SERVFAIL.
root at fccore 07:14:57 0 jobs ~ > delv @x.x.x.x www.dnssec-failed.org A
+multiline +rtrace
;; fetch: www.dnssec-failed.org/A
;; resolution failed: SERVFAIL
So, what's the difference between this and the scenario above in #1? My
concern is that our customers will get SERVFAILs when they try to access
sites like this one.
On Thu, Aug 23, 2018 at 6:33 AM Tony Finch <dot at dotat.at> wrote:
> project722 <project722 at gmail.com> wrote:
> >
> > In my named.conf I changed:
> >
> > dnssec-validation yes;
> >
> > to
> >
> > dnssec-validation auto;
>
> Good :-)
>
> Next thing to do is delete all trace of managed-keys or mkeys files or
> trusted-keys configuration, then restart `named`. It will automatically
> create managed-keys files with the correct contents - it has the current
> root KSKs built in, so you don't need the bind.keys file.
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
> South Fitzroy: Northerly or northeasterly 5 or 6. Slight or moderate.
> Occasional drizzle. Good, occasionally poor at first.
>
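An added example, not from the original post or from BIND itself: a small Python classifier for delv +rtrace output of the kind pasted above. It treats "; fully validated" as secure, "; unsigned answer" as insecure (the validator found no chain of trust from the root down to the answer, so the data is returned unvalidated even though a "no valid signature found" line was logged), and ";; resolution failed: SERVFAIL" as a failed lookup, which is what a validating resolver returns when signatures do not verify. The two sample sessions are constructed from the post, with the RRSIG body shortened.

```python
import re
from dataclasses import dataclass, field

# Constructed samples in the shape of the two delv sessions in the post.
TRACE_INSECURE = """;; fetch: ncentral.teklinks.com/A
;; fetch: teklinks.com/DNSKEY
;; fetch: teklinks.com/DS
;; fetch: com/DNSKEY
;; fetch: com/DS
;; fetch: ./DNSKEY
;; validating ncentral.teklinks.com/A: no valid signature found
; unsigned answer
ncentral.teklinks.com. 2482 IN A 104.245.194.14
ncentral.teklinks.com. 2482 IN RRSIG A 5 3 43200 (
                <signature body omitted> )
"""
TRACE_SERVFAIL = """;; fetch: www.dnssec-failed.org/A
;; resolution failed: SERVFAIL
"""

FETCH_RE = re.compile(r"^;; fetch: (\S+)/(\S+)$")
VALIDATING_RE = re.compile(r"^;; validating (\S+): (.*)$")

@dataclass
class DelvResult:
    status: str = "unknown"                      # secure / insecure / servfail / unknown
    fetches: list = field(default_factory=list)  # (name, rrtype) in fetch order
    validation_msgs: list = field(default_factory=list)  # (name/type, message)
    answers: list = field(default_factory=list)  # RR lines delv printed

def parse_delv(text: str) -> DelvResult:
    """Classify one delv +rtrace session from its printed trace lines."""
    r = DelvResult()
    for raw in text.splitlines():
        line = raw.strip()
        if m := FETCH_RE.match(line):
            r.fetches.append((m.group(1), m.group(2)))
        elif m := VALIDATING_RE.match(line):
            r.validation_msgs.append((m.group(1), m.group(2)))
        elif line == "; fully validated":
            r.status = "secure"          # chain of trust from the root verified
        elif line.startswith("; unsigned answer") or line.startswith("; negative response, unsigned"):
            r.status = "insecure"        # no chain of trust; data returned unvalidated
        elif line.startswith(";; resolution failed: SERVFAIL"):
            r.status = "servfail"        # resolver refused to return the answer
        elif line and not line.startswith(";") and " IN " in line:
            r.answers.append(line)       # resource record line (RRSIG continuations skipped)
    return r
```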