DNSSEC and NSEC missing ZSK?
@lbutlr
kremels at kreme.com
Mon Feb 8 18:10:19 UTC 2021
> On 08 Feb 2021, at 07:24, Matthijs Mekking <matthijs at isc.org> wrote:
>
> Hi,
>
> On 08-02-2021 12:20, @lbutlr wrote:
>> I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand.
>> #v+
>> # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed
>> Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed'
>> Verifying the zone using the following algorithms:
>> - ECDSAP256SHA256
>> Missing ZSK for algorithm ECDSAP256SHA256
>> Missing NSEC record for blog.example.com
>> Missing NSEC record for wiki.example.com
>> Missing NSEC record for foobar.example.com
>> Missing NSEC record for barfoo.example.com
>> The zone is not fully signed for the following algorithms: ECDSAP256SHA256.
>> DNSSEC completeness test failed.
>> #v-
>> The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file.
>
> Use dnssec-verify -z to indicate that the ZSK may be the same key as the KSK.
Thanks, so that is sorted.
> The missing NSEC records are more worrisome.
Oddly, some of the NSEC entries are in the signed zone file (well, I assume that is what this means):
NSEC blog.example.com. A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY TYPE65534
RRSIG NSEC 13 2 3600
NSEC wiki.example.com. CNAME RRSIG NSEC
RRSIG NSEC 13 3 3600 (
)
All the subdomains are CNAME.
And some other occurrences of NSEC, but not the home and foobar or barfoo.
>> Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated.
>
> rndc sign zone
That recreates the .signed.jnl and not the .signed file. No errors are reported.
--
How you have felt, o men of Athens, at hearing the speeches of my
accusers, I cannot tell; but I know that their persuasive words
almost made me forget who I was, such was the effect of them; and
yet they have hardly spoken a word of truth.
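As an added illustration of the "Missing NSEC record" complaint above (example code written for this page, not part of the thread or of BIND): a small checker that reads a simplified text-format signed zone, lists every owner name that has no NSEC record, and walks the NSEC chain from the apex to see whether it closes back on the apex. It assumes one RR per line with an explicit TTL and class and no multi-line parentheses; the sample zone is constructed and loosely modelled on the names in the thread.

```python
"""Check the NSEC chain of a simplified text-format signed zone."""
import re

# Constructed sample: wiki and foobar own records but carry no NSEC, and
# nothing points at www, so the chain from the apex breaks and never closes.
SAMPLE_ZONE = """\
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 3600 900 1209600 300
example.com.        3600 IN NS    ns1.example.com.
example.com.        3600 IN NSEC  blog.example.com. A NS SOA RRSIG NSEC DNSKEY
blog.example.com.   3600 IN CNAME www.example.com.
blog.example.com.   3600 IN NSEC  wiki.example.com. CNAME RRSIG NSEC
wiki.example.com.   3600 IN CNAME www.example.com.
foobar.example.com. 3600 IN CNAME www.example.com.
www.example.com.    3600 IN A     192.0.2.10
www.example.com.    3600 IN NSEC  example.com. A RRSIG NSEC
"""

# owner  TTL  IN  TYPE  RDATA   (assumption: one RR per line, explicit TTL/class)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_zone(text):
    """Return (set of owner names, dict owner -> NSEC next-name), lower-cased."""
    owners, nsec = set(), {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3)
        owners.add(owner)
        if rtype == "NSEC":
            nsec[owner] = rdata.split()[0].lower()  # first rdata field: next name
    return owners, nsec


def check_nsec_chain(text, apex):
    """Return (names lacking NSEC, names reached from apex, chain closes on apex)."""
    owners, nsec = parse_zone(text)
    missing = sorted(owners - nsec.keys())
    reached, cur, closed = [], apex.lower(), False
    while cur in nsec and cur not in reached:
        reached.append(cur)
        cur = nsec[cur]
        if cur == apex.lower():
            closed = True
            break
    return missing, reached, closed


if __name__ == "__main__":
    missing, reached, closed = check_nsec_chain(SAMPLE_ZONE, "example.com.")
    for name in missing:
        print("Missing NSEC record for", name)
    print("chain from apex:", " -> ".join(reached), "| closed:", closed)
```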