problem validate key of isc dlv

Mark Andrews marka at isc.org
Sun Mar 20 21:25:27 UTC 2011


In message <1300650238.6651.15.camel at localhost.localdomain>, "fakessh @" writes:
> Hello bind network and guru.
> 
> I cannot validate the DLV key via the website of the ISC.
> I do not understand why the warning is the ISC.
> Do you have an explanation?
> SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
> 4.502:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
> 4.502:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
> 4.502:INFO Total answers: 3
> 4.503:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
> 4.504:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
> 4.504:SUCCESS All DNSKEY responses are identical.
> 4.515:DEBUG VERIFY-DNSKEY: Checking tag=10231 flags=257 alg=RSASHA1
> AwEAAbwO...8fkjXphfS8=
> 4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
> 4.515:DEBUG VERIFY-DNSKEY: Checking tag=30111 flags=256 alg=RSASHA1
> AwEAAb1q...jG+UQeAtYE=
> 4.515:DEBUG VERIFY-DNSKEY: Ignoring key.
> 4.515:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
> 4.515:INFO VERIFY-DNSKEY: 0 keys found after filtering.
> 4.515:DEBUG VERIFY-DNSKEY: Using keys:
> 4.516:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
> 4.516:FAILURE VERIFY-DNSKEY: No keys found after filtering.
> 4.516:FAILURE DNSKEY signature did not validate.
> 4.516:FINAL_FAILURE FAILURE

Based on the key tags and the truncated keys I think these keys are
for fakessh.eu and if so there isn't a DLV record or a DS published
for fakessh.eu.  The only other thing the validator can check against
is any installed trust-anchor.

Mark

; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48161
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63623
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0



> -- 
> gpg --keyserver pgp.mit.edu --recv-key 092164A7
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
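
The filtering step in the log above ("0 keys found after filtering") can be illustrated with the following added example, which is not part of the original message and is not the ISC tool's code. It computes the RFC 4034 key tag and DS-style digest for each DNSKEY and keeps only keys that a DS, DLV or trust-anchor record vouches for. The owner name and key bytes are constructed placeholders, and trust anchors are represented in DS form as a simplifying assumption.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS/DLV digest types

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """(key tag, algorithm, digest type, lowercase hex digest) as in a DS or DLV record."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def filter_keys(owner, dnskeys, anchors):
    """Keep only the DNSKEYs that some DS/DLV/trust-anchor record vouches for."""
    return [k for k in dnskeys
            if any(a[2] in DIGESTS and a == make_ds(owner, k, a[2]) for a in anchors)]

# Constructed sample data: the key bytes are placeholders, not real RSA keys.
OWNER = "example.test."
KSK = dnskey_rdata(257, 5, b"constructed KSK public key bytes")  # alg 5 = RSASHA1
ZSK = dnskey_rdata(256, 5, b"constructed ZSK public key bytes")

def demo():
    # No DS or DLV published: every key is ignored, as in the log above.
    unanchored = filter_keys(OWNER, [KSK, ZSK], [])
    # A DS for the KSK is published: that key survives filtering.
    anchored = filter_keys(OWNER, [KSK, ZSK], [make_ds(OWNER, KSK, 2)])
    return len(unanchored), len(anchored)

if __name__ == "__main__":
    print("keys after filtering (no DS/DLV, DS for KSK):", demo())
```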


