Inline signing fails dnsviz test - STILL [LONG]

Dan Egli dan at newideatest.site
Sun May 16 00:17:31 UTC 2021


On 5/10/2021 12:38 PM, Tony Finch wrote:
> Dan Egli <dan at newideatest.site> wrote:
>> Still not working for me. The dig doesn't report anything, and I don't HAVE a
>> keyfile since I'm using inline signing. Or does inline signing still require a
>> key to be generated?
> Yes, you need to do your own key management with inline-signing using
> dnssec-keygen. The new dnssec-policy feature can do automatic key
> management for you.
>
> Tony.


So, I updated the settings. Now I have keyfiles generated by BIND, as
well as a binary .zone.signed in addition to the plain text .zone, which
has no DNSSEC information in it at all. I ran the signing routine and
BIND said it was signed correctly. So I obtained the DS and put it in the
registrar. Now I am getting SERVFAIL errors whenever I try to query my
zone from another name server. Here's what I did:

# dig newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site
newideatest.site. IN DS 49236 13 2 <LONG HASH>

Ok. Copy the long hash to the Registrar, plug it in. Check, done that.

# dig mx newideatest.site @8.8.4.4

; <<>> DiG 9.16.15 <<>> mx newideatest.site @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 631
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;newideatest.site.              IN      MX

;; Query time: 50 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Sat May 15 18:12:44 MDT 2021
;; MSG SIZE  rcvd: 45

SERVFAIL?! WHAT? So I go to DNSViz and run their test.


Errors (9)

  * newideatest.site/A: No RRSIG covering the RRset was returned in the
    response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56,
    2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5,
    2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
  * newideatest.site/AAAA: No RRSIG covering the RRset was returned in
    the response. (31.220.30.73, 45.77.29.133, 103.6.87.125,
    119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5,
    2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
  * newideatest.site/DNSKEY (alg 13, id 49236): No RRSIG covering the
    RRset was returned in the response. (31.220.30.73, 45.77.29.133,
    103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3,
    2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e,
    2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
  * newideatest.site/MX: No RRSIG covering the RRset was returned in the
    response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56,
    2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5,
    2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN,
    UDP_-_EDNS0_512_D_KN)
  * newideatest.site/NS: No RRSIG covering the RRset was returned in the
    response. (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56,
    2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5,
    2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
  * newideatest.site/SOA: No RRSIG covering the RRset was returned in
    the response. (31.220.30.73, 45.77.29.133, 103.6.87.125,
    119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5,
    2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, TCP_-_EDNS0_4096_D_N,
    UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_4096_D_KN_0x20)
  * newideatest.site/TXT: No RRSIG covering the RRset was returned in
    the response. (31.220.30.73, 45.77.29.133, 103.6.87.125,
    119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5,
    2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
  * site to newideatest.site: No valid RRSIGs made by a key
    corresponding to a DS RR were found covering the DNSKEY RRset,
    resulting in no secure entry point (SEP) into the zone.
    (31.220.30.73, 45.77.29.133, 103.6.87.125, 119.252.20.56,
    2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5,
    2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN,
    UDP_-_EDNS0_512_D_KN)
  * site to newideatest.site: The DS RRset for the zone included
    algorithm 13 (ECDSAP256SHA256), but no DS RR matched a DNSKEY with
    algorithm 13 that signs the zone's DNSKEY RRset. (31.220.30.73,
    45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3,
    2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e,
    2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)


Warnings (13)

  * newideatest.site/A: The server responded with no OPT record, rather
    than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125,
    119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5,
    2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
  * newideatest.site/AAAA: The server responded with no OPT record,
    rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133,
    103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3,
    2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e,
    2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
  * newideatest.site/DNSKEY (alg 13, id 49236): The server responded
    with no OPT record, rather than with RCODE FORMERR. (31.220.30.73,
    45.77.29.133, 103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3,
    2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e,
    2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
  * newideatest.site/MX: The server responded with no OPT record, rather
    than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125,
    119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5,
    2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN,
    UDP_-_EDNS0_512_D_KN)
  * newideatest.site/NS: The server responded with no OPT record, rather
    than with RCODE FORMERR. (31.220.30.73, 45.77.29.133, 103.6.87.125,
    119.252.20.56, 2001:19f0:7001:381::3, 2401:1400:1:1201:0:1:7853:1a5,
    2403:2500:4000::f3e, 2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
  * newideatest.site/SOA: The server responded with no OPT record,
    rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133,
    103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3,
    2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e,
    2a04:bdc7:100:1b::3, TCP_-_EDNS0_4096_D_N, UDP_-_EDNS0_4096_D_KN,
    UDP_-_EDNS0_4096_D_KN_0x20)
  * newideatest.site/TXT: The server responded with no OPT record,
    rather than with RCODE FORMERR. (31.220.30.73, 45.77.29.133,
    103.6.87.125, 119.252.20.56, 2001:19f0:7001:381::3,
    2401:1400:1:1201:0:1:7853:1a5, 2403:2500:4000::f3e,
    2a04:bdc7:100:1b::3, UDP_-_EDNS0_4096_D_KN)
  * site to newideatest.site: The following NS name(s) were found in the
    authoritative NS RRset, but not in the delegation NS RRset (i.e., in
    the site zone): jupiter.newideatest.site
  * site to newideatest.site: The following NS name(s) were found in the
    delegation NS RRset (i.e., in the site zone), but not in the
    authoritative NS RRset: jupiter.eglifamily.name
  * site/DS (alg 8, id 51676): DNSSEC specification prohibits signing
    with DS records that use digest algorithm 1 (SHA-1).
  * site/DS (alg 8, id 51676): DNSSEC specification prohibits signing
    with DS records that use digest algorithm 1 (SHA-1).
  * site/DS (alg 8, id 51676): DS records with digest type 1 (SHA-1) are
    ignored when DS records with digest type 2 (SHA-256) exist in the
    same RRset.
  * site/DS (alg 8, id 51676): DS records with digest type 1 (SHA-1) are
    ignored when DS records with digest type 2 (SHA-256) exist in the
    same RRset.

So, what am I doing wrong? Here's the zone statement for the 
newideatest.site zone in my named.conf:

        zone "newideatest.site" {
                type master;
                file "pri/newideatest.zone";
                allow-query { any; };
                allow-transfer {
                        108.61.224.67; 116.203.6.3; 107.191.99.111;
                        185.22.172.112; 103.6.87.125; 192.184.93.99; 119.252.20.56;
                        31.220.30.73; 185.34.136.178; 185.136.176.247; 45.77.29.133;
                        116.203.0.64; 167.88.161.228; 199.195.249.208; 104.244.78.122;
                        2605:6400:30:fd6e::3; 2605:6400:10:65::3; 2605:6400:20:d5e::3;
                        2a01:4f8:1c0c:8122::3; 2001:19f0:7001:381::3; 2a06:fdc0:fade:2f7::1;
                        2a00:dcc7:d3ff:88b2::1; 2a04:bdc7:100:1b::3;
                        2401:1400:1:1201::1:7853:1a5; 2604:180:1:92a::3; 2403:2500:4000::f3e;
                        2a00:1838:20:2::cd5e:68e9; 2604:180:2:4cf::3; 2a01:4f8:1c0c:8115::3;
                        2001:19f0:6400:8642::3;
                };
                allow-update { trusted; };
                key-directory "/var/bind/pri/keys";
                inline-signing yes;
                dnssec-policy default;
        };
};

Help? If you have errors reaching me, try dan at eglifamily.name, as it 
doesn't seem to be having issues.

--Dan Egli
From my Test Server
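As an added example (not from the original post and not BIND's own code), the following Python reproduces what the "dig DNSKEY | dnssec-dsfromkey -2" step computes, the RFC 4034 key tag and SHA-256 DS digest, so that a DS can be checked against the DNSKEY each authoritative server actually returns before it is handed to the registrar. The sample DNSKEY is a constructed all-zero placeholder, not the real newideatest.site key.

```python
# Added example, not from the original post or from BIND: compute the
# RFC 4034 key tag and DS digest of a DNSKEY (what dnssec-dsfromkey -2
# does) and check a published DS against it. Standard library only.
# SAMPLE_DNSKEY is a constructed placeholder, not the real zone key.
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY line (dig output) to (owner, rdata)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))  # key may span several tokens
    return f[0], struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the algorithm-1 special case is omitted)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Build the DS record text, like dnssec-dsfromkey -2 (type 2 = SHA-256)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """True only if the published DS was derived from exactly this DNSKEY."""
    f = ds_line.split()
    i = f.index("DS")
    tag, alg, dtype = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    digest = "".join(f[i + 4:]).upper()
    owner, rdata = parse_dnskey(dnskey_line)
    expected = ds_from_dnskey(owner, rdata, dtype).split()[-1]
    return key_tag(rdata) == tag and rdata[3] == alg and expected == digest

# Constructed sample: KSK flags 257, protocol 3, algorithm 13, 64 zero bytes.
SAMPLE_DNSKEY = ("newideatest.site. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(64)).decode())
```

Feed ds_matches the DNSKEY answer from every server in the delegation's NS set, not only the primary; a DS that matches none of the keys a server returns is the missing secure entry point DNSViz reports above.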
