problem validate key of isc dlv

Torinthiel torinthiel at data.pl
Mon Mar 21 06:45:06 UTC 2011


On 03/21/11 02:13, fakessh @ wrote:
> Yes, I bothered to redeploy new keys, fields TXT, a new signature. 
> and more on a new rehabilitation isc dlv. 
> 
> 
> I still get the same error
> 
> nb : Simply debuggers dnssec still provide all kinds of resultasts

And that's probably the main problem. Two of your nameservers have
either disabled DNSSec, or don't support it at all:

Correct answer:

$ dig +dnssec +norecurse +noall +answer dnskey fakessh.eu @r13151.ovh.net.
fakessh.eu.             38400   IN      DNSKEY  257 3 5
AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
fakessh.eu.             38400   IN      DNSKEY  256 3 5
AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=
fakessh.eu.             38400   IN      RRSIG   DNSKEY 5 2 38400
20110419151040 20110320151040 10231 fakessh.eu.
VeCJRPlvC6gr+3f/OuMCrFQR42oQkDxJ7nTfLcJMH2XwPyvBOdR/nv55
ZSs5wJ5Bl5CKAZjMRyWrUtM/wSGdTw==
fakessh.eu.             38400   IN      RRSIG   DNSKEY 5 2 38400
20110419151040 20110320151040 30111 fakessh.eu.
Y1DqOwGfRTxNdFruvOSalp8pVy+FWd/G+pqs+Qu4tkkLvanHcTisDSXA
JqbKvZpRrwGoL9o+5wKwPisDDqtf6g==


And incorrect (note missing RRSIGs):
dig +dnssec +noall +answer dnskey fakessh.eu @ns0.xname.org.
fakessh.eu.             38400   IN      DNSKEY  257 3 5
AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
fakessh.eu.             38400   IN      DNSKEY  256 3 5
AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=

dig +dnssec +noall +answer dnskey fakessh.eu @ns2.xname.org.
fakessh.eu.             38400   IN      DNSKEY  256 3 5
AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYEA
fakessh.eu.             38400   IN      DNSKEY  257 3 5
AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8A

ISC doesn't publish your DLV record, because it has to see consistent
view of your zone. And it doesn't as you have missing RRSIGS from some
nameservers.
Either convince admins to deploy DNSSec or drop those nameservers.
Then it should work.
Torinthiel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110321/b6c4fa12/attachment.bin>


More information about the bind-users mailing list