DNSSEC auto-dnssec issue bind-9.7.2-P3

Zbigniew Jasiński szopen at nask.pl
Mon Jan 24 09:53:31 UTC 2011



On 2011-01-21 15:17, Kalman Feher wrote:
>> Perhaps we are getting close to the problem then.
>> Can you show the content of the key files? Specifically the metadata which
>> the "maintain" option wants.
> 
>> Since "allow" works I'm assuming that key file permissions (and directory
>> permissions) are ok, but it couldn't hurt to check them.

I've made a new installation without SoftHSM support to be sure that this
is not an issue, and of course 'allow' works and 'maintain' does the same odd
things.

Permissions are OK, double-checked, and with 'allow' it works.

Key metadata, same for ZSK and KSK:

; Created: 20110121145849 (Fri Jan 21 15:58:49 2011)
; Publish: 20110121145937 (Fri Jan 21 15:59:37 2011)
; Activate: 20110121170117 (Fri Jan 21 18:01:17 2011)
; Inactive: 20110121220937 (Fri Jan 21 23:09:37 2011)
; Delete: 20110122001117 (Sat Jan 22 01:11:17 2011)

And of course I'm waiting until the Activate key event to be sure I will get
RRSIGs in responses, but there are no signatures.

Strange thing: after signing the zone with 'maintain' and after named
dumps the zone into a plain file, the file differs a lot from the one dumped
with the 'allow' option. For example, the file from 'maintain' doesn't have
NSEC3PARAM, and the DS record (authoritative) doesn't even have its signature!

Zone with 'maintain' option:

$ORIGIN .
$TTL 3600       ; 1 hour
example                      IN SOA  ns1.example. bugs.x.w.example. (
                                1292481918 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                734400     ; expire (1 week 1 day 12 hours)
                                600        ; minimum (10 minutes)
                                )
                        RRSIG   SOA 10 1 3600 20110223093216 (
                                20110124083216 41870 example.
                              SbFalU9K5yroRNtENT7nQHovxOXhl8ROOi90D77qFEXc
<CUT>
                        NS      ns1.example.
                        NS      ns2.example.
                        TXT     "dnssec test"
$TTL 600        ; 10 minutes
                        NSEC    a.example. NS SOA TXT RRSIG NSEC DNSKEY TYPE65534
$TTL 3600       ; 1 hour
                        DNSKEY  256 3 10 (
                                AwEAAdByffBxPaxGFxfnf10TKUIwUKvq79vfMJ9wGW6s
<CUT>                                ) ; key id = 41870
                        DNSKEY  257 3 10 (
                                AwEAAdFituIkCms1lVbht+ykmwRUoBQJjHW9qep2GS1O
<CUT>                                     ) ; key id = 996
                        RRSIG   DNSKEY 10 1 3600 20110223093216 (
                                20110124083216 996 example.
                                LXfYVMI7BuQEEvYKpiadeboBHlv1RYv1vaaUoZLwnhC6
                        RRSIG   DNSKEY 10 1 3600 20110223093216 (
                                20110124083216 41870 example.
$TTL 0          ; 0 seconds
                        TYPE65534 \# 5 ( 0A03E40001 )
                        TYPE65534 \# 5 ( 0AA38E0001 )
$ORIGIN example.
$TTL 3600       ; 1 hour
a                       NS      ns1.a
                        NS      ns2.a
                        DS      23344 5 1 (
                                CECDDBFFD6A0C01F8D7E96C4BE31CB577433DD56 )
$ORIGIN a.example.
ns1                     A       127.0.0.1
ns2                     A       127.0.0.1
$ORIGIN example.
ai                      A       127.0.0.1
                        AAAA    ::1
c                       NS      ns1.c
                        NS      ns2.c
$ORIGIN c.example.
ns1                     A       127.0.0.5
ns2                     A       127.0.0.6
$ORIGIN example.
ns1                     A       127.0.0.3
ns2                     A       127.0.0.4
w                       A       127.0.0.1
$ORIGIN w.example.
*                       MX      10 ai.example.
x                       MX      10 xx.example.
x.y                     MX      10 xx.example.
$ORIGIN example.
xx                      A       127.0.0.1
                        AAAA    ::1
-- 
regards

zbigniew jasinski
[SYStem OPerator]
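The check below is an added example, not code from the original post or from BIND. It parses key timing metadata in the form quoted above (the 14-digit stamps are UTC; the parenthesised local times are ignored), classifies a key as published, active, inactive or deleted at a chosen moment, and then walks a named-style zone dump to report RRsets with no covering RRSIG and RRSIGs whose key tag belongs to a key that the metadata says should not be signing at that moment. The zone text, the key tags and the tag-to-metadata mapping are constructed samples in the same layout as the dump above, not the poster's files. Evaluated at the inception time carried by the dump's RRSIGs (20110124083216), metadata with the quoted dates places a key past its Delete event, which is the kind of metadata-versus-served-signature mismatch this check is meant to surface.

```python
import re
from datetime import datetime, timezone

# Constructed sample: key timing metadata in the form BIND writes into key files.
KEY_METADATA = """\
; Created: 20110121145849 (Fri Jan 21 15:58:49 2011)
; Publish: 20110121145937 (Fri Jan 21 15:59:37 2011)
; Activate: 20110121170117 (Fri Jan 21 18:01:17 2011)
; Inactive: 20110121220937 (Fri Jan 21 23:09:37 2011)
; Delete: 20110122001117 (Sat Jan 22 01:11:17 2011)
"""

# Constructed sample: a shortened zone dump in named's layout, signatures truncated.
# The DS RRset at a.example. deliberately has no RRSIG.
ZONE_DUMP = """\
$ORIGIN .
example                 IN SOA  ns1.example. bugs.x.w.example. ( 1292481918 7200 3600 734400 600 )
                        RRSIG   SOA 10 1 3600 20110223093216 (
                                20110124083216 41870 example.
                                SbFalU9K5yroRNtENT7nQHovxOXhl8ROOi90D77qFEXc )
                        DNSKEY  256 3 10 AwEAAdByffBxPaxGFxfnf10TKUIwUKvq79vfMJ9wGW6s ; key id = 41870
                        DNSKEY  257 3 10 AwEAAdFituIkCms1lVbht+ykmwRUoBQJjHW9qep2GS1O ; key id = 996
                        RRSIG   DNSKEY 10 1 3600 20110223093216 (
                                20110124083216 996 example.
                                LXfYVMI7BuQEEvYKpiadeboBHlv1RYv1vaaUoZLwnhC6 )
$ORIGIN example.
a                       DS      23344 5 1 (
                                CECDDBFFD6A0C01F8D7E96C4BE31CB577433DD56 )
"""

_EVENT = re.compile(r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})")
# Later events override earlier ones, so test from Delete backwards.
_STATES = [("Delete", "deleted"), ("Revoke", "inactive"), ("Inactive", "inactive"),
           ("Activate", "active"), ("Publish", "published")]


def utc(stamp):
    """Turn a 14-digit YYYYMMDDHHMMSS key-timing stamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_timing(text):
    """Return {event: datetime} from the metadata comment lines of a key file."""
    return {m.group(1): utc(m.group(2)) for m in map(_EVENT.match, text.splitlines()) if m}


def key_state(events, now):
    """State of a key at 'now' according to its timing metadata."""
    for event, state in _STATES:
        if event in events and events[event] <= now:
            return state
    return "unpublished"


def parse_zone_dump(text):
    """Flatten a zone dump into {owner, type, fields} records, honouring $ORIGIN and
    joining parenthesised multi-line RDATA by tracking the bracket depth."""
    records, origin, owner, depth, current = [], ".", None, 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if not line.strip():
            continue
        delta = line.count("(") - line.count(")")
        tokens = line.replace("(", " ").replace(")", " ").split()
        if depth > 0:                                  # continuation of the open record
            current["fields"].extend(tokens)
        elif line.startswith("$ORIGIN"):
            origin = tokens[1]
        elif not line.startswith("$"):                 # skip other directives ($TTL ...)
            if not raw[0].isspace():                   # owner name present on this line
                name = tokens.pop(0)
                owner = name if name.endswith(".") else name + ("." if origin == "." else "." + origin)
            if tokens and tokens[0] == "IN":
                tokens.pop(0)
            current = {"owner": owner, "type": tokens.pop(0), "fields": tokens}
            records.append(current)
        depth += delta
    return records


def signing_report(records):
    """Return (signers, unsigned): signers maps (owner, covered type) to the key tags of
    RRSIGs over it; unsigned lists (owner, type) RRsets with no covering RRSIG."""
    signers, present = {}, set()
    for r in records:
        if r["type"] == "RRSIG":   # RDATA: covered alg labels ttl expire incept keytag signer sig
            signers.setdefault((r["owner"], r["fields"][0]), set()).add(int(r["fields"][6]))
        else:
            present.add((r["owner"], r["type"]))
    return signers, sorted(present - set(signers))


def stale_signers(records, keys_by_tag, now):
    """RRSIGs whose key tag maps to a key that is not 'active' at 'now' per its metadata."""
    out = []
    for (owner, covered), tags in sorted(signing_report(records)[0].items()):
        for tag in sorted(tags):
            state = key_state(keys_by_tag.get(tag, {}), now)
            if state != "active":
                out.append((owner, covered, tag, state))
    return out


if __name__ == "__main__":
    events = parse_key_timing(KEY_METADATA)
    recs = parse_zone_dump(ZONE_DUMP)
    keys = {41870: events, 996: events}                # constructed: both keys share the quoted dates
    print("unsigned RRsets:", signing_report(recs)[1])
    print("stale signers at RRSIG inception:", stale_signers(recs, keys, utc("20110124083216")))
```

Point `parse_key_timing` at the real key file and `parse_zone_dump` at the file named writes, and compare the report at the current time against what `dig +dnssec` returns; a key reported as inactive or deleted that still appears as a signer, or an authoritative RRset in the unsigned list, is what to chase before touching the `auto-dnssec` setting.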