testing validation

Alan Batie alan at peak.org
Wed Apr 18 16:35:09 UTC 2012


I'm testing out dnssec with bind 9.9.0's auto signing and a test domain;
this appears to be working (see below, RRSIG records returned from the
actual nameserver), however an attempt to validate fails with:

# dig +dnssec +sigchase soa raindrop.us
;; RRset to chase:
raindrop.us.		987	IN	SOA	ns1.raindrop.us. hostmaster.rdrop.com.
2012030815 3600 3600 86400 3600



Launch a query to find a RRset of type RRSIG for zone: raindrop.us.

;; RRSIG is missing for continue validation: FAILED


I have this included in the resolver's named.conf:

managed-keys {
   "." initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
};

per https://calomel.org/dns_bind.html

When I simply try to validate the root:

# dig +dnssec +sigchase .
;; NO ANSWERS: no more
We want to prove the non-existence of a type of rdata 1 or of the zone:
there is no NSEC for this zone: validating that the zone doesn't exist

;; Impossible to verify the Non-existence, the NSEC RRset can't be
validated: FAILED

I'm not sure what to look for now...



# dig +dnssec @ns6.peak.org raindrop.us

; <<>> DiG 9.9.0 <<>> +dnssec @ns6.peak.org raindrop.us
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15953
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;raindrop.us.			IN	A

;; ANSWER SECTION:
raindrop.us.		3600	IN	A	199.26.172.34
raindrop.us.		3600	IN	RRSIG	A 5 2 3600 20120512011136 20120412010327
41190 raindrop.us.
kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtDlTDfsk+2pPZ/
XwKj1k2jIYButqXximUjHOHQHK1bSru7V8DkkN7JF/wozTOiGCs777sO
s90jKmaHIIMSTbNcQgtDySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5S VBY=

;; AUTHORITY SECTION:
raindrop.us.		3600	IN	NS	ns1.raindrop.us.
raindrop.us.		3600	IN	RRSIG	NS 5 2 3600 20120512011136 20120412010327
41190 raindrop.us.
UQxIRpKV+b4opfCJx/j4oIFht8nqxpn1g0siOLI2XkxfVrnXHh17/ChT
X6PH5YOrF7D3v7AUMbVo+o8glSUfk1uML8i3C8H5lD/NmujPPrIqFaO/
6zCJen1q34FVunCoqfrYvYlaKHenFGsrpOl61H75ns0IjLMXSs+TRpIY GTs=

;; ADDITIONAL SECTION:
ns1.raindrop.us.	3600	IN	AAAA	2607:f678::56
ns1.raindrop.us.	3600	IN	RRSIG	AAAA 5 3 3600 20120512011136
20120412010327 41190 raindrop.us.
MhaOIt7D7kT8k4USk9Mpocw+tSx8WBSO/Yi+4F/YFV1ZVSXLKgYj4K4S
hTjVTBD3tCQYMJY+SkArlkoQRyTk4QYrLV8CP2TvvdrUPjZUZNAEMsuk
0NWsd2tLgStZ34yN0Pe1xa9P2SZjvsXJj1D1N5JNFxfS/OFCwMa9Hvcr atM=

;; Query time: 253 msec
;; SERVER: 2607:f678:10::53#53(2607:f678:10::53)
;; WHEN: Tue Apr 17 23:29:08 2012
;; MSG SIZE  rcvd: 615
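
A sanity check on the RRSIG fields shown in the dig output above, as an added example that is not part of the original post: it parses the leading RRSIG rdata fields and checks the validity window, labels count, signer name and TTL against the query time. The function names and the treatment of dig's WHEN line as UTC are assumptions, the signature blobs are omitted, and nothing here verifies a signature cryptographically.

```python
from datetime import datetime, timezone

def _ts(s):
    # RRSIG times in presentation format are YYYYMMDDHHmmSS, always UTC.
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(owner, ttl, rdata):
    """Split the fixed leading RRSIG rdata fields (RFC 4034 order)."""
    f = rdata.split()
    return {"owner": owner.lower().rstrip("."), "ttl": int(ttl),
            "covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "orig_ttl": int(f[3]), "expiration": _ts(f[4]),
            "inception": _ts(f[5]), "key_tag": int(f[6]),
            "signer": f[7].lower().rstrip(".")}

def label_count(name):
    # The root label and a leading wildcard label are not counted.
    labels = [l for l in name.split(".") if l]
    return len(labels) - (1 if labels[:1] == ["*"] else 0)

def check_rrsig(sig, now):
    """Return a list of structural problems; empty means none were found."""
    problems = []
    if not sig["inception"] <= now <= sig["expiration"]:
        problems.append("outside validity window")
    if sig["labels"] > label_count(sig["owner"]):
        problems.append("labels field exceeds owner name")
    owner, signer = sig["owner"], sig["signer"]
    if signer and owner != signer and not owner.endswith("." + signer):
        problems.append("signer is not the owner's zone or an ancestor")
    if sig["ttl"] > sig["orig_ttl"]:
        problems.append("TTL exceeds original TTL")
    return problems

# Owner, TTL and rdata fields copied from the dig output in the post
# (signature data left out; it is not needed for these checks).
SAMPLE = [
    ("raindrop.us.", 3600, "A 5 2 3600 20120512011136 20120412010327 41190 raindrop.us."),
    ("raindrop.us.", 3600, "NS 5 2 3600 20120512011136 20120412010327 41190 raindrop.us."),
    ("ns1.raindrop.us.", 3600, "AAAA 5 3 3600 20120512011136 20120412010327 41190 raindrop.us."),
]
# dig's WHEN line, assumed here to be UTC (dig prints local time).
QUERY_TIME = datetime(2012, 4, 17, 23, 29, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rec in SAMPLE:
        sig = parse_rrsig(*rec)
        print(sig["owner"], sig["covered"], sig["key_tag"],
              check_rrsig(sig, QUERY_TIME) or "fields consistent")
```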