DNSSEC ISSUE (Msg: Request is not signed)

Lulu neoequal at gmail.com
Tue Jul 10 05:55:03 UTC 2007


Hi all,
    I am a new user of BIND 9 and am trying to test all the features of
DNS.
    I usually do all the tests in an internal LAN setup: I have a primary
name server, one slave and some resolvers. (Please bear with this long post.)

    But while testing DNSSEC I am facing a problem. I have configured
DNSSEC according to the book "DNS and BIND" by Cricket Liu and Paul Albitz.
    Whenever I do an "nsupdate" or "dig +dnssec <host-name>" I see the
message "request is not signed" logged to my dnssec category log file. The
channel severity I have configured is "dynamic". Nevertheless dig and nsupdate
both work as expected: dig resolves the IP address and nsupdate updates the
signed zone database file.

    Another thing that confuses me is that the "ad" flag is never set in the
output returned by dig; the only flags set are "qr aa rd ra". None of the dig
outputs shown in the book have the ad flag set either, even though the book
says that a set ad flag means the returned data has been authenticated and
carries a proper signature.
    [Reviewer note: the ad flag is set by a validating resolver on data it
has validated itself. The answer below is authoritative (aa is set) and comes
straight from this server's own zone, which it does not validate, so no ad is
expected from this query; a validating recursive resolver configured with the
trust anchor would be needed to see it.]

    I haven't used a dsset or keyset file; instead I have used a trusted-keys
statement in my named.conf, which I understand is a substitute if one doesn't
want to use dsset or keyset files.

    So I read the man page of dig and invoked the command with some
additional options: "+sigchase +trusted-key <key-file-name> +topdown".
    In that case the output verifies all the DNSKEY records and reports
success, but the "request is not signed" message is still logged. Below is
the output of dig when run with +dnssec only. I am issuing dig from the
primary name server itself.

Primary Name server =  131.222.32.229  ===  bigb.actor.com

==================================
../bin/dig +dnssec
cris.actor.com
==================================
; <<>> DiG 9.4.1 <<>> +dnssec cris.actor.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1572
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL:
3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cris.actor.com.                        IN      A

;; ANSWER SECTION:
cris.actor.com.         7200    IN      A       131.222.32.246
cris.actor.com.         7200    IN      RRSIG   A 5 3 7200
20070801230207 20070702230207 64167 actor.com. BxCEh/
ftHHJE9l4cIaGJx4JNrbB1C5CWPXQVh3fIDujQjlnoMMJNQrrV /
jw6Rrm7VUqaMsnTtQDA/ycM1bZaEA==

;; AUTHORITY SECTION:
actor.com.              3600    IN      NS      elektron.actor.com.
actor.com.              3600    IN      NS      bigb.actor.com.
actor.com.              3600    IN      RRSIG   NS 5 2 3600
20070801230207 20070702230207 64167 actor.com. NLFW7uwGS/
XHJj6WGyBr1K2PMHiNh1uLvM3zi+P8LZk45u8sWLkgASny iTQp3iv/
+AC4136QTvV8YkdOxxWp4w==

;; ADDITIONAL SECTION:
bigb.actor.com.         3600    IN      A       131.222.32.229
bigb.actor.com.         3600    IN      RRSIG   A 5 3 3600
20070801230207 20070702230207 64167 actor.com.
WrkcKW3AeJCLADAqkdcnhiKB5YpzcH4NADy9NIyqTUCb3yUQ3t+kDk4I
Do301LBVgREpEVYzm30zvd31CRndGw==

;; Query time: 0 msec
;; SERVER: 131.222.32.229#53(131.222.32.229)
;; WHEN: Tue Jul 10 12:45:31 2007
;; MSG SIZE  rcvd: 432

============================================================
Below is the output of the log file:
============================================================
client 131.222.32.229#1099: UDP request
client 131.222.32.229#1099: using view '_default'

client 131.222.32.229#1099: request is not signed

client 131.222.32.229#1099: recursion available
client 131.222.32.229#1099: query
client 131.222.32.229#1099: query: cris.actor.com IN A +E
client 131.222.32.229#1099: query 'cris.actor.com/A/IN' approved
client 131.222.32.229#1099: send
client 131.222.32.229#1099: sendto
client 131.222.32.229#1099: senddone
client 131.222.32.229#1099: next
client 131.222.32.229#1099: endrequest
client @824c928: udprecv

Below are the other relevant files: named.conf and db.actor.signed.

===============================================
NAMED.CONF
===============================================

// NOTE(review): configuration exactly as posted; reviewer comments are marked
// NOTE(review) and only describe what is visible in this post.
options {
        directory "/usr/local/named";
        // dnssec-enable makes named include RRSIG/NSEC/DNSKEY data in answers
        // to queries that set the DO bit (the dig output above shows
        // "flags: do"). It does not make this server a validator, and an
        // authoritative answer for the server's own zone (the dig output has
        // 'aa' set) is never marked 'ad': the ad flag is set by a validating
        // resolver on data it has validated.
        // NOTE(review): if this BIND version offers 'dnssec-validation',
        // that option (together with trusted-keys below) is what would make
        // recursive answers carry 'ad' — confirm against the 9.4.1 ARM.
        dnssec-enable yes;
};

// Hosts allowed to send dynamic updates (see allow-update on actor.com).
// NOTE(review): this is a source-address ACL only. The source address of a
// UDP update can be forged, so updates to a signed zone should be
// authenticated with a TSIG key (allow-update { key ...; } or
// update-policy) rather than by IP address.
acl updater {
        131.222.32.235;
        131.222.32.229;
};

// rndc control key.
// NOTE(review): this secret has been published in this post and must be
// regenerated (rndc-confgen) before this configuration is reused anywhere.
// hmac-md5 is the algorithm shown; prefer an HMAC-SHA variant if this
// version supports one — confirm.
key "rndc-key" {
        algorithm hmac-md5;
        secret "8wWlDSawWTujyNXRONzOBA==";
};

logging {
        // Defined but not referenced by any category below, so unused.
        channel my_syslog {
                syslog daemon;
                severity info;
        };

        // 'severity dynamic' follows the server's current debug level
        // (rndc trace), so debug-level messages land in this file as well.
        channel log_file {
                file "log.msgs" ;
                severity dynamic;
        };

        // NOTE(review): no 'dnssec' category is routed to log_file; it falls
        // under 'default', which is discarded. The "request is not signed"
        // lines in the log excerpt above are 'client' category messages and
        // mean the *query* carried no TSIG/SIG(0) signature — they concern
        // request authentication, not DNSSEC zone signing, and are expected
        // for a plain dig.
        category default  { null; };
        category database { log_file; };
        category security { log_file; };
        category queries  { log_file; };
        category client   { log_file; };
        category update   { log_file; };
        category notify   { log_file; };
        category xfer-out { log_file; };
        category resolver { log_file; };
};

zone "actor.com." in {
        type master;
        file "db.actor.signed";      /* serve the signed zone file so that updates operate on it */
        // Dynamic updates are accepted from the 'updater' addresses without
        // any key — see NOTE(review) on the acl above.
        allow-update { updater; };

};

// Reverse zone for the LAN. No allow-update, so updates are refused (the
// default).
zone "32.222.131.in-addr.arpa" {
        type master;
        file "actor.131.222.32";
};

// Root hints used for recursion.
zone "." in {
        type hint;
        file "db.cache";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
};

controls {
        // NOTE(review): the 'updater' addresses cannot reach a listener bound
        // to 127.0.0.1, so listing them here has no effect; the key and the
        // loopback address are what gate access.
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; updater ; } keys { "rndc-key"; };
        // Second listener on the LAN address, limited to this host and the
        // same key. (The line break inside "rndc-key" is a mail artifact.)
        inet 131.222.32.229 allow { 131.222.32.229; } keys { "rndc-
key"; };
};

// Trust anchor: the 257 (KSK/SEP-flagged) DNSKEY of actor.com, matching the
// DNSKEY in db.actor.signed below. It is only consulted when this server
// validates answers; it has no effect on the authoritative answers it
// gives for its own zone. (Line breaks and the space inside the key string
// are mail artifacts; this is public key material, safe to post.)
trusted-keys {
        actor.com. 257 3 5 "AwEAAckDHhV9X4/MsNBd/
CR1LnRqFkq2TDKd7VOdlhuOq6a8Hzo7
nXbZ 7C2eOQRy4MvzqqJ3xycY7UucUQYSiVW1Iyk=";
};


=============================================================
db.actor.signed  (not the exact file; a snipped excerpt)
=============================================================
; NOTE(review): signed zone as posted (excerpt). Most RRSIGs below run from
; 20070702230207 to 20070801230207, a 30-day window: the zone must be
; re-signed before 2007-08-01 or validating resolvers will reject it.
$ORIGIN .
$TTL 3600       ; 1 hour
actor.com               IN SOA  bigb.actor.com. root.bigb.actor.com. (
                                2000050263 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                432000     ; expire (5 days)
                                86400      ; minimum (1 day)
                                )
; The SOA carries two signatures (key ids 64167 and 64168) with a later
; inception (20070709) than the rest of the zone.
; NOTE(review): presumably re-signed by named after a dynamic update — verify.
                        RRSIG   SOA 5 2 3600 20070809000919 (
                                20070709230919 64167 actor.com.
                                FjNzGdOAh0Tz5kD34Ym0QHyOypWmWyJ8/
HHOI7cHsW5D
                                N9icNbgoq7cdn1VgplLj5DbLoQA8N58FmbYDCz
+Bfw== )
                        RRSIG   SOA 5 2 3600 20070809000919 (
                                20070709230919 64168 actor.com.
                                dSi+1v/
r3ct9x0Wc2bzwCf8txmprpLPTxWroAm1p9BWm
                                wH/1oH49hf
+wcp0nZZa9i1HmQVlMrF5yMHV7By5MlA== )
                        NS      bigb.actor.com.
                        NS      elektron.actor.com.
                        RRSIG   NS 5 2 3600 20070801230207 (
                                20070702230207 64167 actor.com.
                                NLFW7uwGS/XHJj6WGyBr1K2PMHiNh1uLvM3zi
+P8LZk4
                                5u8sWLkgASnyiTQp3iv/
+AC4136QTvV8YkdOxxWp4w== )
$TTL 86400      ; 1 day
                        NSEC    amir.actor.com. NS SOA RRSIG NSEC
DNSKEY
                        RRSIG   NSEC 5 2 86400 20070801230207 (
                                20070702230207 64167 actor.com.
                                Ydy/+gP
+dPnDgV95UdW4IxKKNrg2TUn6pePryoAmbVlA
 
D5YDk9kHsS0GIWwtKihxnGMTWJ54xhbIPGwq6SJeag== )
$TTL 7200       ; 2 hours
; NOTE(review): both DNSKEYs below contain the same public key
; (AwEAAckDHhV9...Iyk=); only the flags field differs (256 = ZSK,
; 257 = KSK/SEP), which is also why the key ids are adjacent (64167/64168).
; One RSA key is doing both jobs, so the KSK/ZSK split buys nothing here;
; generate a distinct KSK (dnssec-keygen -f KSK) if the split is intended.
                        DNSKEY  256 3 5 (
                                AwEAAckDHhV9X4/MsNBd/
CR1LnRqFkq2TDKd7VOdlhuO
 
q6a8Hzo7nXbZ7C2eOQRy4MvzqqJ3xycY7UucUQYSiVW1
                                Iyk=
                                ) ; key id = 64167
                        DNSKEY  257 3 5 (
                                AwEAAckDHhV9X4/MsNBd/
CR1LnRqFkq2TDKd7VOdlhuO
 
q6a8Hzo7nXbZ7C2eOQRy4MvzqqJ3xycY7UucUQYSiVW1
                                Iyk=
                                ) ; key id = 64168
                        RRSIG   DNSKEY 5 2 7200 20070801230207 (
                                20070702230207 64167 actor.com.
 
OBmUX0yKFbLjNfOtqax1CWqTwUWBc2gOFPcYx4hQY8P6
 
qB2eoYrVTs5rEU0JaV4MN2Uc46VwQbxU32mpVMDjBQ== )
                        RRSIG   DNSKEY 5 2 7200 20070801230207 (
                                20070702230207 64168 actor.com.
                                LWvIA4/
vhLfiepd0O2MnmL7hvREA97FVF17GxD5bAp/v
                                yfJD5G1PfC/x0EkJfNjZ+hJgijts0sSSQCNKg
+Wykw== )
$ORIGIN actor.com.
$TTL 3600       ; 1 hour
amir                    A       131.222.32.252
                        RRSIG   A 5 3 3600 20070801230207 (
                                20070702230207 64167 actor.com.
 
CkddHJKInwu3i3FtXghuWFPNNfwOb8UCMCtVfTdX09Qf
.
.
.
.
$TTL 86400      ; 1 day
; NOTE(review): anand's RRSIGs below (inception 20070703000003, signed by
; both 64167 and 64168) postdate the rest of the zone and use both keys —
; consistent with a record added by nsupdate and signed by named itself;
; verify.
                        NSEC    anand A RRSIG NSEC
                        RRSIG   NSEC 5 3 86400 20070802010003 (
                                20070703000003 64167 actor.com.
 
T3C8xu1oHV0LDCNj1pRX3bYauM5CPCVHXo7ueW0CdkAc
                                fP2DGAzlIGLU/
TwJeQ2pBa95Fdqa9eo2sy1JV1u/NQ== )
                        RRSIG   NSEC 5 3 86400 20070802010003 (
                                20070703000003 64168 actor.com.
 
dghVy1gzmcpEzGDRRryg8IrLzefwYl2r8w9ZPOiiHk0e
                                vo/
QL1k3xc6oKqBQOk6MOCx6onI8MgU3P7wGKHR2AA== )
$TTL 3600       ; 1 hour
anand                   A       131.222.32.201
                        RRSIG   A 5 3 3600 20070802010003 (
                                20070703000003 64167 actor.com.
                                w12MHG6et4GqLkqpGqQQ3fwLgJ
+cmfeRqm5nc7QJQF6B
                                YZD1X9s3kmCwNT6iWviad/5NddmKOtT4yf/
JQGU9dg== )
                        RRSIG   A 5 3 3600 20070802010003 (
                                20070703000003 64168 actor.com.
 
EBwuIEXg6zKlsWkWH1AB9T4l8IyxckbVVq4pNAHUqwLL
                                7LKfThAOYN93S4gbo0g/
nNdYPPvfHLXc6x6FGLun7Q== )
$TTL 86400      ; 1 day
                        NSEC    bigb A RRSIG NSEC
                        RRSIG   NSEC 5 3 86400 20070802010003 (
                                20070703000003 64167 actor.com.
                                gWmgiOaWPnrQPbhDYzgxA7LkqDXsKmqUDrx/
tlKfgbO9
                                bqBoAHIY3shnCV8m/4zWk/
mPZNVJUhfs38UvT8jkrA== )
                        RRSIG   NSEC 5 3 86400 20070802010003 (
                                20070703000003 64168 actor.com.
                                hf1ABGBGkytVuuyWprvbs9FauCSe/
FCfBgyRQEqDCJWC
 
gAgWiZBu9m2NAkbmeqBwWEa2+ieBD3pJYngnozlsYQ== )
$TTL 3600       ; 1 hour
; bigb is this primary server (131.222.32.229); its A RRSIG is the one
; returned in the ADDITIONAL section of the dig output above.
bigb                    A       131.222.32.229
                        RRSIG   A 5 3 3600 20070801230207 (
                                20070702230207 64167 actor.com.
 
WrkcKW3AeJCLADAqkdcnhiKB5YpzcH4NADy9NIyqTUCb
                                3yUQ3t
+kDk4IDo301LBVgREpEVYzm30zvd31CRndGw== )
$TTL 86400      ; 1 day
                        NSEC    casey A RRSIG NSEC
                        RRSIG   NSEC 5 3 86400 20070801230207 (
                                20070702230207 64167 actor.com.
                                R7+pRLJCpj6ZTJDTbWuekLOfVcrhEplsblPTv4X
+qVa8
                                lHoxgCZOY1bROBZBF200bRy/VlcE9rC/
JSnVIfTjfA== )
$TTL 3600       ; 1 hour
casey                   A       153.64.251.247
                        RRSIG   A 5 3 3600 20070801230207 (
                                20070702230207 64167 actor.com.
 
W4vr9u6DdaL04CmT2KY97NMdfps5kqkEiaRyTUrZg+iI
                                LgyNMC0BJMZtIy4475Cp1huCu+DmcEK/
dgtGRBIckQ== )
$TTL 86400      ; 1 day
.
.
.
.
.

Thanks for going through such a long post...
Any suggestions are welcome.

Thanks and regards,
Das


