DNSSEC ISSUE (Msg: Request is not signed)
Chris Buxton
cbuxton at menandmice.com
Fri Jul 13 19:58:21 UTC 2007
Since nobody else has answered, I'm going to take a stab at this.
It sounds like you're not using TSIG signatures in your requests,
thus causing the "request is not signed" messages. TSIG is a good
infrastructure element to use when deploying DNSSEC.
Regarding the AD flag, I can't say for sure of course, but it sounds
like dig simply doesn't display it. Try looking at raw packets; if
you look at the header in binary, is the AD flag set? I believe it's
around the 13th-15th bit of the DNS header - look online for a bit
map of the DNS header to get the exact location.
Chris Buxton
Men & Mice
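As an added example (not part of this thread), a small Python decoder for the fixed 12-byte DNS header that reports which flag bits are set, so the AD bit can be read straight from a captured packet rather than from dig's summary line. Both sample headers are constructed: the first matches the dig output quoted below (id 1572, flags qr aa rd ra, counts 1/2/3/3), the second is the same answer with AD set and AA cleared, as a validating recursive resolver returns it.

```python
import struct

# Flag bits of the 16-bit flags word (bytes 2-3 of the DNS header), MSB first:
# QR | Opcode(4) | AA | TC | RD | RA | Z | AD | CD | RCODE(4)   (RFC 1035, RFC 4035)
FLAG_BITS = {
    "qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
    "ra": 0x0080, "ad": 0x0020, "cd": 0x0010,
}
# The "do" bit that dig prints under OPT PSEUDOSECTION lives in the EDNS OPT
# record's TTL field, not in this header, so it is not decoded here.


def parse_dns_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header: ID, flags word, four section counts."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def ad_set(packet: bytes) -> bool:
    """True when the Authentic Data (AD) bit is set in the header."""
    return "ad" in parse_dns_header(packet)["flags"]


# Constructed sample 1: header as in the quoted dig output.
# id 1572 (0x0624), flags qr aa rd ra (0x8580), QUERY 1, ANSWER 2, AUTHORITY 3, ADDITIONAL 3
AUTHORITATIVE_ANSWER = bytes.fromhex("0624 8580 0001 0002 0003 0003")
# Constructed sample 2: the same answer as a validating recursive resolver
# would hand it back: aa cleared, ad set (flags 0x81a0).
VALIDATED_ANSWER = bytes.fromhex("0624 81a0 0001 0002 0003 0003")

if __name__ == "__main__":
    for label, pkt in (("authoritative", AUTHORITATIVE_ANSWER),
                       ("validated", VALIDATED_ANSWER)):
        h = parse_dns_header(pkt)
        print(f"{label}: id={h['id']} flags={' '.join(h['flags'])} ad={ad_set(pkt)}")
```

To apply it to a real capture, pass the UDP payload (the bytes after the UDP header) of a response packet; the function only looks at the first 12 bytes.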
On Jul 9, 2007, at 10:55 PM, Lulu wrote:
> Hi all,
> I am a new user of BIND9 and tried to test all the features of
> DNS.
> I usually do all the tests in an internal LAN setup where I have a
> primary name server,
> one slave and some resolvers. (Please bear with this long post)
>
> But while testing DNSSEC functioning, I am facing a problem. I
> have configured the dnssec
> according to the book "DNS and BIND By Cricket Liu and Paul".
> Whenever I do an "nsupdate"
> or "dig +dnssec <host-name>" I am seeing a message "Request is
> not signed" logged to my
> dnssec category log file. The severity I have mentioned is
> "Dynamic". But dig or nsupdate
> were able to perform as expected, like dig resolving the IP
> address and nsupdate updating the
> signed zone database file.
>
> Additionally, another confusion in the output I am seeing is there
> is no "ad" flag set in the
> output returned by dig. All other flags set in the output are "qr aa rd
> ra". Again, none of the dig output
> mentioned in the book has the ad flag set, even though the book is
> saying that a set ad flag in the output
> ensures the data sent is authenticated and contains a proper signature.
>
> I haven't used a dsset or keyset file; rather I have used the trusted-keys
> statement inside my
> named.conf file, which I guess is a substitute if one doesn't want to
> use dsset or keyset.
>
> So I read the man page of dig and invoked the command with some
> additional options like
> "+sigchase +trusted-key <key-file-name> +topdown".
> Here in this case the output is verifying all the DNSSECKEY
> records and
> showing success, but still the "Request is not signed" msg is
> logged. I am pasting the output
> of dig when I tried it with +dnssec only. I am issuing dig from the
> same primary name server.
>
> Primary Name server = 131.222.32.229 === bigb.actor.com
>
> ==================================
> ../bin/dig +dnssec
> cris.actor.com
> ==================================
> ; <<>> DiG 9.4.1 <<>> +dnssec cris.actor.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1572
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;cris.actor.com. IN A
>
> ;; ANSWER SECTION:
> cris.actor.com. 7200 IN A 131.222.32.246
> cris.actor.com. 7200 IN RRSIG A 5 3 7200
> 20070801230207 20070702230207 64167 actor.com. BxCEh/
> ftHHJE9l4cIaGJx4JNrbB1C5CWPXQVh3fIDujQjlnoMMJNQrrV /
> jw6Rrm7VUqaMsnTtQDA/ycM1bZaEA==
>
> ;; AUTHORITY SECTION:
> actor.com. 3600 IN NS elektron.actor.com.
> actor.com. 3600 IN NS bigb.actor.com.
> actor.com. 3600 IN RRSIG NS 5 2 3600
> 20070801230207 20070702230207 64167 actor.com. NLFW7uwGS/
> XHJj6WGyBr1K2PMHiNh1uLvM3zi+P8LZk45u8sWLkgASny iTQp3iv/
> +AC4136QTvV8YkdOxxWp4w==
>
> ;; ADDITIONAL SECTION:
> bigb.actor.com. 3600 IN A 131.222.32.229
> bigb.actor.com. 3600 IN RRSIG A 5 3 3600
> 20070801230207 20070702230207 64167 actor.com.
> WrkcKW3AeJCLADAqkdcnhiKB5YpzcH4NADy9NIyqTUCb3yUQ3t+kDk4I
> Do301LBVgREpEVYzm30zvd31CRndGw==
>
> ;; Query time: 0 msec
> ;; SERVER: 131.222.32.229#53(131.222.32.229)
> ;; WHEN: Tue Jul 10 12:45:31 2007
> ;; MSG SIZE rcvd: 432
>
> ============================================================
> Below is the output of the log file:
> ============================================================
> client 131.222.32.229#1099: UDP request
> client 131.222.32.229#1099: using view '_default'
>
> client 131.222.32.229#1099: request is not signed
>
> client 131.222.32.229#1099: recursion available
> client 131.222.32.229#1099: query
> client 131.222.32.229#1099: query: cris.actor.com IN A +E
> client 131.222.32.229#1099: query 'cris.actor.com/A/IN' approved
> client 131.222.32.229#1099: send
> client 131.222.32.229#1099: sendto
> client 131.222.32.229#1099: senddone
> client 131.222.32.229#1099: next
> client 131.222.32.229#1099: endrequest
> client @824c928: udprecv
>
> These are the other files I am pasting, namely named.conf and
> db.actor.signed.
>
> ===============================================
> NAMED.CONF
> ===============================================
>
> options {
> directory "/usr/local/named";
> dnssec-enable yes;
> };
>
> acl updater {
> 131.222.32.235;
> 131.222.32.229;
> };
>
> key "rndc-key" {
> algorithm hmac-md5;
> secret "8wWlDSawWTujyNXRONzOBA==";
> };
>
> logging {
> channel my_syslog {
> syslog daemon;
> severity info;
> };
>
> channel log_file {
> file "log.msgs" ;
> severity dynamic;
> };
>
> category default { null; };
> category database { log_file; };
> category security { log_file; };
> category queries { log_file; };
> category client { log_file; };
> category update { log_file; };
> category notify { log_file; };
> category xfer-out { log_file; };
> category resolver { log_file; };
> };
>
> zone "actor.com." in {
> type master;
> file "db.actor.signed"; /* referring to the signed file for
> further operation */
> allow-update { updater; };
>
> };
>
> zone "32.222.131.in-addr.arpa" {
> type master;
> file "actor.131.222.32";
> };
>
> zone "." in {
> type hint;
> file "db.cache";
> };
>
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "db.127.0.0";
> };
>
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; updater ; } keys { "rndc-key"; };
> inet 131.222.32.229 allow { 131.222.32.229; } keys { "rndc-key"; };
> };
>
> trusted-keys {
> actor.com. 257 3 5 "AwEAAckDHhV9X4/MsNBd/
> CR1LnRqFkq2TDKd7VOdlhuOq6a8Hzo7
> nXbZ 7C2eOQRy4MvzqqJ3xycY7UucUQYSiVW1Iyk=";
> };
>
>
> =============================================================
> db.actor.signed (not the exact one, a snipped one)
> =============================================================
> $ORIGIN .
> $TTL 3600 ; 1 hour
> actor.com IN SOA bigb.actor.com. root.bigb.actor.com. (
> 2000050263 ; serial
> 10800 ; refresh (3 hours)
> 3600 ; retry (1 hour)
> 432000 ; expire (5 days)
> 86400 ; minimum (1 day)
> )
> RRSIG SOA 5 2 3600 20070809000919 (
> 20070709230919 64167 actor.com.
> FjNzGdOAh0Tz5kD34Ym0QHyOypWmWyJ8/
> HHOI7cHsW5D
> N9icNbgoq7cdn1VgplLj5DbLoQA8N58FmbYDCz
> +Bfw== )
> RRSIG SOA 5 2 3600 20070809000919 (
> 20070709230919 64168 actor.com.
> dSi+1v/
> r3ct9x0Wc2bzwCf8txmprpLPTxWroAm1p9BWm
> wH/1oH49hf
> +wcp0nZZa9i1HmQVlMrF5yMHV7By5MlA== )
> NS bigb.actor.com.
> NS elektron.actor.com.
> RRSIG NS 5 2 3600 20070801230207 (
> 20070702230207 64167 actor.com.
> NLFW7uwGS/XHJj6WGyBr1K2PMHiNh1uLvM3zi
> +P8LZk4
> 5u8sWLkgASnyiTQp3iv/
> +AC4136QTvV8YkdOxxWp4w== )
> $TTL 86400 ; 1 day
> NSEC amir.actor.com. NS SOA RRSIG NSEC
> DNSKEY
> RRSIG NSEC 5 2 86400 20070801230207 (
> 20070702230207 64167 actor.com.
> Ydy/+gP
> +dPnDgV95UdW4IxKKNrg2TUn6pePryoAmbVlA
>
> D5YDk9kHsS0GIWwtKihxnGMTWJ54xhbIPGwq6SJeag== )
> $TTL 7200 ; 2 hours
> DNSKEY 256 3 5 (
> AwEAAckDHhV9X4/MsNBd/
> CR1LnRqFkq2TDKd7VOdlhuO
>
> q6a8Hzo7nXbZ7C2eOQRy4MvzqqJ3xycY7UucUQYSiVW1
> Iyk=
> ) ; key id = 64167
> DNSKEY 257 3 5 (
> AwEAAckDHhV9X4/MsNBd/
> CR1LnRqFkq2TDKd7VOdlhuO
>
> q6a8Hzo7nXbZ7C2eOQRy4MvzqqJ3xycY7UucUQYSiVW1
> Iyk=
> ) ; key id = 64168
> RRSIG DNSKEY 5 2 7200 20070801230207 (
> 20070702230207 64167 actor.com.
>
> OBmUX0yKFbLjNfOtqax1CWqTwUWBc2gOFPcYx4hQY8P6
>
> qB2eoYrVTs5rEU0JaV4MN2Uc46VwQbxU32mpVMDjBQ== )
> RRSIG DNSKEY 5 2 7200 20070801230207 (
> 20070702230207 64168 actor.com.
> LWvIA4/
> vhLfiepd0O2MnmL7hvREA97FVF17GxD5bAp/v
> yfJD5G1PfC/x0EkJfNjZ+hJgijts0sSSQCNKg
> +Wykw== )
> $ORIGIN actor.com.
> $TTL 3600 ; 1 hour
> amir A 131.222.32.252
> RRSIG A 5 3 3600 20070801230207 (
> 20070702230207 64167 actor.com.
>
> CkddHJKInwu3i3FtXghuWFPNNfwOb8UCMCtVfTdX09Qf
> .
> .
> .
> .
> $TTL 86400 ; 1 day
> NSEC anand A RRSIG NSEC
> RRSIG NSEC 5 3 86400 20070802010003 (
> 20070703000003 64167 actor.com.
>
> T3C8xu1oHV0LDCNj1pRX3bYauM5CPCVHXo7ueW0CdkAc
> fP2DGAzlIGLU/
> TwJeQ2pBa95Fdqa9eo2sy1JV1u/NQ== )
> RRSIG NSEC 5 3 86400 20070802010003 (
> 20070703000003 64168 actor.com.
>
> dghVy1gzmcpEzGDRRryg8IrLzefwYl2r8w9ZPOiiHk0e
> vo/
> QL1k3xc6oKqBQOk6MOCx6onI8MgU3P7wGKHR2AA== )
> $TTL 3600 ; 1 hour
> anand A 131.222.32.201
> RRSIG A 5 3 3600 20070802010003 (
> 20070703000003 64167 actor.com.
> w12MHG6et4GqLkqpGqQQ3fwLgJ
> +cmfeRqm5nc7QJQF6B
> YZD1X9s3kmCwNT6iWviad/5NddmKOtT4yf/
> JQGU9dg== )
> RRSIG A 5 3 3600 20070802010003 (
> 20070703000003 64168 actor.com.
>
> EBwuIEXg6zKlsWkWH1AB9T4l8IyxckbVVq4pNAHUqwLL
> 7LKfThAOYN93S4gbo0g/
> nNdYPPvfHLXc6x6FGLun7Q== )
> $TTL 86400 ; 1 day
> NSEC bigb A RRSIG NSEC
> RRSIG NSEC 5 3 86400 20070802010003 (
> 20070703000003 64167 actor.com.
> gWmgiOaWPnrQPbhDYzgxA7LkqDXsKmqUDrx/
> tlKfgbO9
> bqBoAHIY3shnCV8m/4zWk/
> mPZNVJUhfs38UvT8jkrA== )
> RRSIG NSEC 5 3 86400 20070802010003 (
> 20070703000003 64168 actor.com.
> hf1ABGBGkytVuuyWprvbs9FauCSe/
> FCfBgyRQEqDCJWC
>
> gAgWiZBu9m2NAkbmeqBwWEa2+ieBD3pJYngnozlsYQ== )
> $TTL 3600 ; 1 hour
> bigb A 131.222.32.229
> RRSIG A 5 3 3600 20070801230207 (
> 20070702230207 64167 actor.com.
>
> WrkcKW3AeJCLADAqkdcnhiKB5YpzcH4NADy9NIyqTUCb
> 3yUQ3t
> +kDk4IDo301LBVgREpEVYzm30zvd31CRndGw== )
> $TTL 86400 ; 1 day
> NSEC casey A RRSIG NSEC
> RRSIG NSEC 5 3 86400 20070801230207 (
> 20070702230207 64167 actor.com.
> R7
> +pRLJCpj6ZTJDTbWuekLOfVcrhEplsblPTv4X
> +qVa8
> lHoxgCZOY1bROBZBF200bRy/VlcE9rC/
> JSnVIfTjfA== )
> $TTL 3600 ; 1 hour
> casey A 153.64.251.247
> RRSIG A 5 3 3600 20070801230207 (
> 20070702230207 64167 actor.com.
>
> W4vr9u6DdaL04CmT2KY97NMdfps5kqkEiaRyTUrZg+iI
> LgyNMC0BJMZtIy4475Cp1huCu+DmcEK/
> dgtGRBIckQ== )
> $TTL 86400 ; 1 day
> .
> .
> .
> .
> .
>
> Thanks for going through such a long post.
> Any type of suggestion is welcome.
>
> Thanks and regards,
> Das
>
>