Trouble with host and DNSSEC

Timothy Holtzen tah at NebrWesleyan.edu
Wed Sep 15 16:19:19 UTC 2010


Thanks Casey!
The link to dnsviz.net also explains part of why I was getting
confused.  It appears that there are not any DS records at the root
(yet?) for the .gov level.  This explains why when I did a dig with
+sigchase +topdown options it was failing to validate way earlier in the
chain.  I was only using the root trusted key in my /etc/trusted-key.key
file for dig while the server itself is using DLV to validate down the
chain until it gets to the missing DNSKEY record.

On 09/15/2010 10:05 AM, Casey Deccio wrote:
> On Wed, Sep 15, 2010 at 7:34 AM, Timothy Holtzen <tah at nebrwesleyan.edu> wrote:
>>  I am having trouble resolving the host name cod.ed.gov which I believe
>> may be dnssec related
> ...
>
>> in my logs I am getting the messages:
>>
>> validating @0x2ab727eb5810: cod.ed.gov A: got insecure response; parent
>> indicates it should be secure
>> dnssec: info: validating @0x2ab727eb5810: cod.ed.gov A: got insecure
>> response; parent indicates it should be secure
>> error (insecurity proof failed) resolving 'cod.ed.gov/A/IN': 63.150.74.34#53
>>
> There are DS RRs for cod.ed.gov in the parent zone (ed.gov),
> indicating that cod.ed.gov should be signed with a DNSKEY
> corresponding to the existing DS RR.  However, cod.ed.gov is not
> signed, particularly not with the DNSKEY corresponding to the DS RR,
> which DNSKEY doesn't seem to exist in the zone at all.
> http://dnsviz.net/d/cod.ed.gov/dnssec/
>
> To remedy the issue, the ed.gov administrators should remove the DS RR
> for cod.ed.gov from the ed.gov zone, which will make cod.ed.gov an
> insecure delegation (meaning that it can continue to be unsigned).  If
> desired, the zone can then be resigned, and the appropriate DS RRs
> added to the parent.
>
> I can send them a note off-list.
>
> Regards,
> Casey

-- 
Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
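The three delegation states Casey's diagnosis turns on (no DS in the parent, a DS that matches a child DNSKEY, and a DS with no matching DNSKEY, which is the cod.ed.gov case) can be worked through with the DS digest construction from RFC 4034 and RFC 4509. This is an added example, not code from the thread or from BIND; the DNSKEY public key is a constructed placeholder and RRSIG verification is deliberately left out.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def delegation_state(owner, parent_ds, child_dnskeys):
    """Classify a delegation the way a validator does before checking signatures.
    parent_ds: list of (key_tag, algorithm, digest_type, digest_hex) from the parent.
    child_dnskeys: list of (flags, protocol, algorithm, pubkey_b64) from the child apex.
      'insecure' -> no DS in the parent, so an unsigned child is acceptable
      'secure'   -> a DS matches a child DNSKEY (RRSIGs must then verify)
      'bogus'    -> DS present but nothing in the child matches it
                    (BIND logs this as 'insecurity proof failed')"""
    if not parent_ds:
        return "insecure"
    seen = set()
    for flags, proto, alg, key in child_dnskeys:
        rd = dnskey_rdata(flags, proto, alg, key)
        seen.add((key_tag(rd), alg, ds_digest(owner, rd)))
    for tag, alg, dtype, digest in parent_ds:
        if dtype == 2 and (tag, alg, digest.lower()) in seen:
            return "secure"
    return "bogus"

# Constructed placeholder key material, not a real DNSKEY.
SAMPLE_KEY = base64.b64encode(b"constructed sample key, not a real key").decode()
OTHER_KEY = base64.b64encode(b"a different constructed key").decode()
```

A DS in ed.gov that matches no DNSKEY at cod.ed.gov yields "bogus", which is exactly why removing the DS (making the delegation "insecure") resolves the failure until the zone is actually signed.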