problem validate key of isc dlv

fakessh @ fakessh at fakessh.eu
Mon Mar 21 10:16:38 UTC 2011


I managed to walk ISC DLV with only 2 servers with active DNSSEC above,
and I quote ns1.novacrea.fr and ns1.xname.org.

It produced no problem before.


On Monday 21 March 2011 at 07:45 +0100, Torinthiel wrote:
> On 03/21/11 02:13, fakessh @ wrote:
> > Yes, I bothered to redeploy new keys, fields TXT, a new signature. 
> > and more on a new rehabilitation isc dlv. 
> > 
> > 
> > I still get the same error
> > 
> > nb : Simply debuggers dnssec still provide all kinds of results
> 
> And that's probably the main problem. Two of your nameservers have
> either disabled DNSSec, or don't support it at all:
> 
> Correct answer:
> 
> $ dig +dnssec +norecurse +noall +answer dnskey fakessh.eu @r13151.ovh.net.
> fakessh.eu.             38400   IN      DNSKEY  257 3 5
> AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
> tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
> fakessh.eu.             38400   IN      DNSKEY  256 3 5
> AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
> tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=
> fakessh.eu.             38400   IN      RRSIG   DNSKEY 5 2 38400
> 20110419151040 20110320151040 10231 fakessh.eu.
> VeCJRPlvC6gr+3f/OuMCrFQR42oQkDxJ7nTfLcJMH2XwPyvBOdR/nv55
> ZSs5wJ5Bl5CKAZjMRyWrUtM/wSGdTw==
> fakessh.eu.             38400   IN      RRSIG   DNSKEY 5 2 38400
> 20110419151040 20110320151040 30111 fakessh.eu.
> Y1DqOwGfRTxNdFruvOSalp8pVy+FWd/G+pqs+Qu4tkkLvanHcTisDSXA
> JqbKvZpRrwGoL9o+5wKwPisDDqtf6g==
> 
> 
> And incorrect (note missing RRSIGs):
> dig +dnssec +noall +answer dnskey fakessh.eu @ns0.xname.org.
> fakessh.eu.             38400   IN      DNSKEY  257 3 5
> AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
> tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8=
> fakessh.eu.             38400   IN      DNSKEY  256 3 5
> AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
> tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE=
> 
> dig +dnssec +noall +answer dnskey fakessh.eu @ns2.xname.org.
> fakessh.eu.             38400   IN      DNSKEY  256 3 5
> AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb
> tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYEA
> fakessh.eu.             38400   IN      DNSKEY  257 3 5
> AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l
> tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8A
> 
> ISC doesn't publish your DLV record, because it has to see a consistent
> view of your zone. And it doesn't, as you have missing RRSIGs from some
> nameservers.
> Either convince admins to deploy DNSSec or drop those nameservers.
> Then it should work.
> Torinthiel
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
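
The per-nameserver comparison done by hand with dig in the quoted reply can be automated; the following is an added example, not part of the original thread. It parses saved `dig +dnssec +norecurse +noall +answer dnskey` output (one record per line) for each authoritative server and reports servers that return no RRSIG over the DNSKEY RRset or a DNSKEY set that differs from the others. The zone, server names and key data are constructed placeholders, and `parse_answer` and `audit` are hypothetical helper names.

```python
from collections import Counter

# Constructed sample answers, one record per line as dig prints them.
# Zone, server names, key data and signature are placeholders, not real values.
KSK = "example.org. 38400 IN DNSKEY 257 3 5 AwEAAaaa bbbb="
ZSK = "example.org. 38400 IN DNSKEY 256 3 5 AwEAAccc dddd="
SIG = "example.org. 38400 IN RRSIG DNSKEY 5 2 38400 20110419151040 20110320151040 10231 example.org. c2lnMQ=="
SAMPLE = {
    "ns-a.example.": "\n".join([KSK, ZSK, SIG]),        # signed
    "ns-b.example.": "\n".join([ZSK, KSK]),             # same keys, other order, unsigned
    "ns-c.example.": "\n".join([KSK, ZSK + "A", SIG]),  # signed, one key's data differs
}

def parse_answer(text):
    """Return (DNSKEY records, key tags of RRSIGs covering DNSKEY) as frozensets."""
    keys, tags = set(), set()
    for line in text.splitlines():
        f = line.split()
        if line.startswith(";") or len(f) < 5:
            continue  # skip comments and anything that is not a full record
        rtype, rdata = f[3], f[4:]
        if rtype == "DNSKEY" and len(rdata) >= 4:
            # flags, protocol, algorithm, then base64 that dig splits on spaces
            keys.add((rdata[0], rdata[1], rdata[2], "".join(rdata[3:])))
        elif rtype == "RRSIG" and len(rdata) >= 9 and rdata[0] == "DNSKEY":
            tags.add(int(rdata[6]))  # key tag is the 7th RRSIG rdata field
    return frozenset(keys), frozenset(tags)

def audit(answers):
    """Map each server to its list of problems; an empty list means consistent."""
    parsed = {ns: parse_answer(text) for ns, text in answers.items()}
    if not parsed:
        return {}
    # Reference view: the DNSKEY set served by the largest number of servers.
    reference = Counter(keys for keys, _ in parsed.values()).most_common(1)[0][0]
    report = {}
    for ns, (keys, tags) in parsed.items():
        problems = []
        if keys != reference:
            problems.append("DNSKEY set differs from the majority of servers")
        if keys and not tags:
            problems.append("no RRSIG covering DNSKEY")
        report[ns] = problems
    return report

if __name__ == "__main__":
    for ns, problems in audit(SAMPLE).items():
        print(ns, "OK" if not problems else "; ".join(problems))
```

The check only looks at whether signatures are present and key sets agree; it does not verify the signatures cryptographically.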