problem validate key of isc dlv
Torinthiel
torinthiel at data.pl
Mon Mar 21 06:45:06 UTC 2011
On 03/21/11 02:13, fakessh @ wrote:
> Yes, I bothered to redeploy new keys, fields TXT, a new signature.
> and more on a new rehabilitation isc dlv.
>
>
> I still get the same error
>
> nb : Simply debuggers dnssec still provide all kinds of results
And that's probably the main problem. Two of your nameservers have
either disabled DNSSec, or don't support it at all:
Correct answer:
$ dig +dnssec +norecurse +noall +answer dnskey fakessh.eu @r13151.ovh.net.
fakessh.eu. 38400 IN DNSKEY 257 3 5
AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
fakessh.eu. 38400 IN DNSKEY 256 3 5
AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=
fakessh.eu. 38400 IN RRSIG DNSKEY 5 2 38400
20110419151040 20110320151040 10231 fakessh.eu.
VeCJRPlvC6gr+3f/OuMCrFQR42oQkDxJ7nTfLcJMH2XwPyvBOdR/nv55
ZSs5wJ5Bl5CKAZjMRyWrUtM/wSGdTw==
fakessh.eu. 38400 IN RRSIG DNSKEY 5 2 38400
20110419151040 20110320151040 30111 fakessh.eu.
Y1DqOwGfRTxNdFruvOSalp8pVy+FWd/G+pqs+Qu4tkkLvanHcTisDSXA
JqbKvZpRrwGoL9o+5wKwPisDDqtf6g==
And incorrect (note missing RRSIGs):
dig +dnssec +noall +answer dnskey fakessh.eu @ns0.xname.org.
fakessh.eu. 38400 IN DNSKEY 257 3 5
AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
fakessh.eu. 38400 IN DNSKEY 256 3 5
AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=
dig +dnssec +noall +answer dnskey fakessh.eu @ns2.xname.org.
fakessh.eu. 38400 IN DNSKEY 256 3 5
AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYEA
fakessh.eu. 38400 IN DNSKEY 257 3 5
AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8A
ISC doesn't publish your DLV record, because it has to see a consistent
view of your zone. And it doesn't, as you have RRSIGs missing from some
nameservers.
Either convince admins to deploy DNSSec or drop those nameservers.
Then it should work.
Torinthiel
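
Added example, not part of the original message: a shell check for the condition described above, that is, an authoritative nameserver returning the DNSKEY RRset without the RRSIG records covering it. The function names, the example.test zone and the sample answers are constructed for illustration; check_zone assumes dig is installed and uses the same dig options as the message.

```shell
#!/bin/sh
# Classify "dig +dnssec +noall +answer dnskey ZONE @NS" output per nameserver.

# Print how many RRSIG records covering the DNSKEY RRset are on stdin.
count_rrsig_dnskey() {
    awk '$4 == "RRSIG" && $5 == "DNSKEY" { n++ } END { print n + 0 }'
}

# Print how many DNSKEY records are on stdin.
count_dnskey() {
    awk '$4 == "DNSKEY" { n++ } END { print n + 0 }'
}

# Read a dig answer on stdin; print signed, unsigned or no-dnskey.
classify_answer() {
    answer=$(cat)
    keys=$(printf '%s\n' "$answer" | count_dnskey)
    sigs=$(printf '%s\n' "$answer" | count_rrsig_dnskey)
    if [ "$keys" -eq 0 ]; then echo "no-dnskey"
    elif [ "$sigs" -eq 0 ]; then echo "unsigned"
    else echo "signed"
    fi
}

# Query every NS of ZONE directly; return non-zero if any one is not signed.
check_zone() {
    zone=$1
    rc=0
    for ns in $(dig +short ns "$zone"); do
        state=$(dig +dnssec +norecurse +noall +answer dnskey "$zone" "@$ns" \
            | classify_answer)
        printf '%s %s\n' "$ns" "$state"
        [ "$state" = "signed" ] || rc=1
    done
    return $rc
}

# Constructed sample answers (placeholder key data, not real records).
sample_signed() {
    echo "example.test. 38400 IN DNSKEY 257 3 5 AAAAconstructed"
    echo "example.test. 38400 IN DNSKEY 256 3 5 BBBBconstructed"
    echo "example.test. 38400 IN RRSIG DNSKEY 5 2 38400 20110419151040 20110320151040 12345 example.test. CCCCconstructed"
}
sample_unsigned() {
    echo "example.test. 38400 IN DNSKEY 257 3 5 AAAAconstructed"
    echo "example.test. 38400 IN DNSKEY 256 3 5 BBBBconstructed"
}
```

Run check_zone with the zone name as its argument; every nameserver it lists as unsigned or no-dnskey gives validators an inconsistent view of the zone.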