problem for validate the script dnssec to isc dlv

fakessh @ fakessh at fakessh.eu
Thu Mar 24 22:02:16 UTC 2011


On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
> In message <1300993213.12273.96.camel at localhost.localdomain>, "fakessh @" writes:
> > hi bind //guru/
> > hi isc guru
> > hi mark andrews
> > hi michel graff
>  
> There are no DLV records for fakessh.eu.  See below.
> 
> There are no DS records for fakessh.eu.  See below.
> 



necessarily, because I cannot validate the key via isc dlv

> Two of the nameservers for your zone are not DNSSEC enabled.   They
> do NOT return RRSIG records when asked for the DNSKEY records with
> DO=1.  See below.
> 
> You need to address these issues.
> 
> Mark
> 
> % dig fakessh.eu.dlv.isc.org dlv
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21760
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;fakessh.eu.dlv.isc.org.		IN	DLV
> 
> ;; AUTHORITY SECTION:
> dlv.isc.org.		2793	IN	SOA	ns-int.isc.org. hostmaster.isc.org. 2011032404 7200 3600 2419200 3600
> 
> ;; Query time: 3 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Mar 25 08:10:56 2011
> ;; MSG SIZE  rcvd: 94
> 
> % dig ds fakessh.eu
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> ds fakessh.eu
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20600
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;fakessh.eu.			IN	DS
> 
> ;; AUTHORITY SECTION:
> eu.			600	IN	SOA	a.nic.eu. tech.eurid.eu. 1003425849 3600 1800 3600000 600
> 
> ;; Query time: 930 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Mar 25 08:13:44 2011
> ;; MSG SIZE  rcvd: 81
> 
> % dig +dnssec dnskey fakessh.eu @ns0.xname.org
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec dnskey fakessh.eu @ns0.xname.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;fakessh.eu.			IN	DNSKEY
> 
> ;; ANSWER SECTION:
> fakessh.eu.		38400	IN	DNSKEY	256 3 5 AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89 Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
> fakessh.eu.		38400	IN	DNSKEY	257 3 5 AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz 9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=
> 
> ;; AUTHORITY SECTION:
> fakessh.eu.		38400	IN	NS	r13151.ovh.net.
> fakessh.eu.		38400	IN	NS	ns0.xname.org.
> fakessh.eu.		38400	IN	NS	ns1.xname.org.
> fakessh.eu.		38400	IN	NS	ns1.novacrea.fr.
> fakessh.eu.		38400	IN	NS	ns2.xname.org.
> 
> ;; ADDITIONAL SECTION:
> ns0.xname.org.		600	IN	A	195.234.42.1
> ns1.xname.org.		600	IN	A	87.98.164.164
> ns1.novacrea.fr.	55352	IN	A	94.23.59.30
> ns2.xname.org.		600	IN	A	88.191.64.64
> ns2.xname.org.		600	IN	AAAA	2a01:e0b:1:64:240:63ff:fee8:6155
> 
> ;; Query time: 391 msec
> ;; SERVER: 195.234.42.1#53(195.234.42.1)
> ;; WHEN: Fri Mar 25 08:19:34 2011
> ;; MSG SIZE  rcvd: 515
> 
> %
>  
> > Despite my efforts to validate isc dlv, I'm always at the same point: I
> > cannot validate the keys. The error from the isc script is below.
> > 
> > SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
> > 3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
> > 3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
> > 3.345:INFO Total answers: 3
> > 3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
> > 3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
> > 3.347:SUCCESS All DNSKEY responses are identical.
> > 3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256 alg=RSASHA1 AwEAAbjq...Na0iXShQfc=
> > 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> > 3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257 alg=RSASHA1 AwEAAcNa...y1khCE+CdE=
> > 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> > 3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
> > 3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
> > 3.353:DEBUG VERIFY-DNSKEY: Using keys:
> > 3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
> > 3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
> > 3.353:FAILURE DNSKEY signature did not validate.
> > 3.353:FINAL_FAILURE FAILURE
> > 
> > 
> > -- 
> > gpg --keyserver pgp.mit.edu --recv-key 092164A7
> > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
> > 
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
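
The third check in the quoted reply (does each authoritative server return RRSIG records with the DNSKEY set when DO=1) can be run over saved `dig +dnssec dnskey` output. This is an added example, not part of the original thread or of the ISC script; the zone `example.test`, the key and signature data, and the function names are constructed for illustration.

```python
import re

# Constructed, abbreviated dig transcript: placeholder zone and key data.
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.test.          IN      DNSKEY
;; ANSWER SECTION:
example.test.   38400   IN      DNSKEY  256 3 5 AwEAAcPLACEHOLDERZSK
example.test.   38400   IN      DNSKEY  257 3 5 AwEAAcPLACEHOLDERKSK

;; Query time: 391 msec
"""
# Same reply with a constructed RRSIG covering DNSKEY appended to the answer.
SIGNED = UNSIGNED.replace(
    "\n\n;; Query time",
    "\nexample.test.   38400   IN      RRSIG   DNSKEY 5 2 38400 20110423000000 "
    "20110324000000 12345 example.test. c2lnUExBQ0VIT0xERVI=\n\n;; Query time")

def answer_records(dig_output):
    """Return (owner, type, rdata) tuples from the ANSWER section only."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            in_answer = line.startswith(";; ANSWER")
        elif in_answer and line and not line.startswith(";"):
            fields = line.split(None, 4)      # owner ttl class type rdata
            if len(fields) == 5:
                records.append((fields[0], fields[3], fields[4]))
    return records

def check_dnskey_reply(dig_output):
    """Classify one server's reply to `dig +dnssec dnskey <zone> @<server>`."""
    status = re.search(r"status: (\w+)", dig_output)
    if not status or status.group(1) != "NOERROR":
        return "error"
    # A DNSSEC-aware server echoes the DO bit in the OPT pseudosection.
    if not re.search(r"^; EDNS:.*flags:[^;]*\bdo\b", dig_output, re.M):
        return "no-do-in-reply"
    recs = answer_records(dig_output)
    if not any(rtype == "DNSKEY" for _, rtype, _ in recs):
        return "no-dnskey"
    # RRSIG rdata starts with the type it covers.
    signed = any(t == "RRSIG" and rd.split()[0] == "DNSKEY" for _, t, rd in recs)
    return "signed" if signed else "dnskey-without-rrsig"
```

Run it on the saved output for every NS of the zone; a server classified `dnskey-without-rrsig` is serving the keys without signatures, which is the condition the quoted reply points out.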