dnssec KSK rollover

project722 project722 at gmail.com
Thu Aug 23 14:43:15 UTC 2018


Thanks Tony! This was very helpful.

On Thu, Aug 23, 2018 at 8:01 AM Tony Finch <dot at dotat.at> wrote:

> project722 <project722 at gmail.com> wrote:
> >
> > 1) I am still seeing the "no valid signature found" messages in my
> > bind.log.
>
> > ;; validating ncentral.teklinks.com/A: no valid signature found
>
> In this case that's because ncentral.teklinks.com is signed but there's no
> DS in the parent zone, so it's insecure. If you run delv +vtrace you'll
> see a lot of verbiage between these lines which is the major clue.
>
> ;; validating teklinks.com/DS: attempting negative response validation
>
> ;; validating teklinks.com/DS: nonexistence proof(s) found
>
> Or you can look at dnsviz.net :-)
>
> > 2) There is one other scenario that confuses me. When I test against a URL
> > that's purposely set up to fail dnssec, I get a servfail.
>
> dnssec-failed.org has DS records, so it should be secure, but the DS
> records in the parent don't match the DNSKEY records in the child zone.
> You can see this by comparing:
>
> $ dig +noall +answer dnssec-failed.org ds
>
> $ dig +cd dnssec-failed.org dnskey |
>   dnssec-dsfromkey -f /dev/stdin dnssec-failed.org
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> protect and enlarge the conditions of liberty and social justice
>
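The DS-versus-DNSKEY comparison Tony describes, as an added example that is not part of the thread: it recomputes the DS digest from DNSKEY RDATA the way dnssec-dsfromkey does (RFC 4034 key tag, digest over the owner name in wire format followed by the RDATA) and reports parent DS records that no child key reproduces. The records are constructed with a toy 8-byte key so the numbers stay small; they are not real dnssec-failed.org data.

```python
import base64
import hashlib

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Owner name in canonical (lowercased) wire format; DS hashes this plus the RDATA."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """'owner ttl IN DNSKEY flags proto alg base64...' -> (owner, RDATA bytes)."""
    f = line.split()
    pubkey = base64.b64decode("".join(f[7:]))
    return f[0], int(f[4]).to_bytes(2, "big") + bytes([int(f[5]), int(f[6])]) + pubkey

def ds_from_dnskey(owner, rdata, digest_type=2):
    """Same tuple dnssec-dsfromkey prints: (key tag, algorithm, digest type, digest hex)."""
    digest = DIGEST_ALGOS[digest_type](wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

def parse_ds(line):
    """'owner ttl IN DS tag alg dtype hex...' -> (tag, alg, dtype, digest hex)."""
    f = line.split()
    return int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).lower()

def unmatched_ds(ds_lines, dnskey_lines):
    """Parent DS records that no child DNSKEY reproduces: the dnssec-failed.org case,
    where a DS exists (zone is secure) but the chain cannot be built, so validators SERVFAIL."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    bad = []
    for ds in map(parse_ds, ds_lines):
        if ds[2] not in DIGEST_ALGOS:
            continue  # unsupported digest type: validators ignore such a DS rather than fail
        if not any(ds_from_dnskey(owner, rdata, ds[2]) == ds for owner, rdata in keys):
            bad.append(ds)
    return bad

# Constructed sample records (not real dnssec-failed.org data): a toy 8-byte "RSA key"
# so the numbers stay small, and a parent DS whose digest does not derive from it.
DNSKEYS = ["dnssec-failed.org. 7200 IN DNSKEY 257 3 8 AwEAAQABAgM="]
PARENT_DS = ["dnssec-failed.org. 86400 IN DS 2319 8 2 " + "00" * 32]
```

Feed it the output of `dig +cd <zone> dnskey` and `dig <zone> ds` (from the parent); an empty result from `unmatched_ds` means the parent's DS set chains to the child's keys, a non-empty one is the broken link that makes validators return SERVFAIL.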