dnssec KSK rollover
Tony Finch
dot at dotat.at
Thu Aug 23 13:01:05 UTC 2018
project722 <project722 at gmail.com> wrote:
>
> 1) I am still seeing the "no valid signature found" messages in my
> bind.log.
> ;; validating ncentral.teklinks.com/A: no valid signature found
In this case that's because ncentral.teklinks.com is signed but there's no
DS in the parent zone, so it's insecure. If you run delv +vtrace you'll
see a lot of verbiage between these lines which is the major clue.
;; validating teklinks.com/DS: attempting negative response validation
;; validating teklinks.com/DS: nonexistence proof(s) found
Or you can look at dnsviz.net :-)
> 2) There is one other scenario that confuses me. When I test against a URL
> that's purposely setup to fail dnssec, I get a servfail.
dnssec-failed.org has DS records, so it should be secure, but the DS
records in the parent don't match the DNSKEY records in the child zone.
You can see this by comparing:
$ dig +noall +answer dnssec-failed.org ds
$ dig +cd dnssec-failed.org dnskey |
dnssec-dsfromkey -f /dev/stdin dnssec-failed.org
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
protect and enlarge the conditions of liberty and social justice
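The comparison Tony makes with the two dig commands (parent DS RRset against the DS computed from the child's DNSKEY RRset), worked through offline as an added example; this is not code from the post or from BIND. It reimplements the DS digest of RFC 4034 section 5.1.4 and the key tag of RFC 4034 Appendix B, then returns the three verdicts discussed in the thread. All key material is constructed (the 64-byte "key" and the stale DS are made up, not dnssec-failed.org's real records), and the classifier is a simplification: it assumes the absence of DS has already been proven with NSEC/NSEC3, as in the "nonexistence proof(s) found" line, and it does not check the RRSIG over the DNSKEY RRset that a real validator also requires.

```python
"""Added example: reproduce offline what the two dig commands in the post compare.

Reimplements the DS digest of RFC 4034 section 5.1.4 and the key tag of
RFC 4034 Appendix B, then classifies a zone from its parent DS RRset and its
own DNSKEY RRset.  All key material below is constructed for illustration;
the script never talks to the network.
"""
import hashlib
import struct
from dataclasses import dataclass

# DS digest type codes (RFC 4034 / RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
HASHES = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except the obsolete RSAMD5)."""
    acc = 0
    for i, byte in enumerate(key.rdata()):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_key(name: str, key: DNSKEY, digest_type: int = DIGEST_SHA256) -> DS:
    """Same computation as dnssec-dsfromkey: digest = H(canonical owner name | DNSKEY RDATA)."""
    h = HASHES[digest_type]()
    h.update(canonical_name(name))
    h.update(key.rdata())
    return DS(key_tag(key), key.algorithm, digest_type, h.digest())


def classify(name: str, parent_ds: list, child_keys: list) -> str:
    """Mirror the validator's three verdicts for the DS/DNSKEY step.

    Simplification: assumes the absence of DS was already proven with NSEC/NSEC3
    and skips the RRSIG check a real validator also performs over the DNSKEY RRset.
    """
    if not parent_ds:
        return "insecure"          # ncentral.teklinks.com case: signed, but no DS in parent
    for ds in parent_ds:
        if ds.digest_type not in HASHES:
            continue               # an unsupported digest type is ignored, not fatal
        for key in child_keys:
            if key.algorithm == ds.algorithm and ds_from_key(name, key, ds.digest_type) == ds:
                return "secure"
    return "bogus"                 # dnssec-failed.org case: DS present, none matches a DNSKEY


# Constructed sample data (not real keys): a 64-byte stand-in for an ECDSA P-256 public key.
ZONE = "dnssec-failed.org."
CHILD_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
# A DS that belongs to some other key: same algorithm and digest type, wrong tag and digest.
STALE_DS = DS(key_tag=12345, algorithm=13, digest_type=DIGEST_SHA256, digest=b"\x00" * 32)


def demo() -> dict:
    """Return the verdict for each of the three situations discussed in the thread."""
    good_ds = ds_from_key(ZONE, CHILD_KSK)
    return {
        "no_ds": classify(ZONE, [], [CHILD_KSK]),
        "mismatched_ds": classify(ZONE, [STALE_DS], [CHILD_KSK]),
        "matching_ds": classify(ZONE, [good_ds], [CHILD_KSK]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

To use this against real data, paste the DNSKEY RDATA fields from `dig +cd <zone> dnskey` into DNSKEY objects and the DS fields from `dig <zone> ds` into DS objects; the digest produced by ds_from_key should then be byte-identical to what dnssec-dsfromkey prints, and a "bogus" verdict corresponds to the SERVFAIL the validating resolver returns.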