Configuring DNSSEC for child domains

Mark Andrews marka at isc.org
Mon May 6 22:09:06 UTC 2013


In message <5187C559.6040401 at sidn.nl>, "Marco Davids (SIDN)" writes:
>
> Hi Jaap,
>
> On 05/06/13 16:09, Jaap Winius wrote:
>

> >
> > This shows two DS records in the parent zone, one not secure and one
> > bogus, and three DNSKEY records in the child zone, none of which are
> > secure.
>
> Perhaps you could remove ns[12].transip.net from your NS-set and try
> again? It seems as if these name servers are causing some problems.

They are emitting malformed DS records.  Hash algorithm
1 is only supposed to be 20 bytes long.
 
   04 7a 75 69 64 07 64 61 70 61 64 61 6d 02 6e 6c 00    OWNER NAME   .zuid.dapadam.nl.
   00 2b                                                 TYPE         DS
   00 01                                                 CLASS        IN
   00 01 51 80                                           ttl
   00 3a                                                 RDLEN
   00 00                                                 KEY TAG
   08                                                    KEY ALG
   01                                                    HASH ALG
   00 00 00 05 00 00 00 00 00 00 00 00 00 00 27 63
   32 65 31 38                                           HASH         ..............'c2e18
   37 63 30 62 64 31 33 32 37 62 37 65
   66 61 62 62 64 36 34 36 32 65 39 63 64 32 35 64
   35 34 31 35 39 37                                     EXTRA        7c0bd1327b7efabbd6462e9cd25d541597

Additionally, the nameserver is not compressing the owner names of
the DS record.  While permitted, it is not expected and could result
in additional fragmentation and/or fallback to TCP.

On top of that the NS RRsets don't match.  The DS records
that do get through don't match the DNSKEY records.
 
> http://dnsviz.net/d/zuid.dapadam.nl/responses/
> 
> Regards,
> 
> --
> Marco
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
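A small decoder for the DS RR shown in the dump above, added here as an example and not part of the original mail. It assumes the bytes transcribed from the dump form one complete, uncompressed RR, and that the expected digest sizes are those of RFC 4034 (SHA-1), RFC 4509 (SHA-256) and RFC 6605 (SHA-384); the point is that a 0x3a RDLEN can never be right for digest type 1.

```python
# Added example: parse a DS RR from DNS wire format and check the digest
# length against the digest type. Not code from the original mail.
import struct

# Expected digest length per DS digest type (RFC 4034 / 4509 / 6605).
DIGEST_LEN = {1: 20, 2: 32, 4: 48}

def read_name(buf, off):
    """Parse an uncompressed owner name; return (name, offset after it)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off

def parse_ds_rr(buf):
    """Return the decoded DS fields plus a list of problems found."""
    name, off = read_name(buf, 0)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    rdata = buf[off:off + rdlen]
    problems = []
    if rtype != 43:                      # 43 = DS
        problems.append("type %d is not DS" % rtype)
    if len(rdata) != rdlen:
        problems.append("RDLEN %d exceeds available data" % rdlen)
    keytag, alg, dtype = struct.unpack_from("!HBB", rdata, 0)
    digest = rdata[4:]                   # everything after tag/alg/dtype
    want = DIGEST_LEN.get(dtype)
    if want is None:
        problems.append("unknown digest type %d" % dtype)
    elif len(digest) != want:
        problems.append("digest type %d needs %d bytes, got %d"
                        % (dtype, want, len(digest)))
    return {"name": name, "ttl": ttl, "keytag": keytag, "alg": alg,
            "digest_type": dtype, "digest": digest, "problems": problems}

# Constructed input: the malformed DS RR transcribed from the dump above.
MALFORMED_DS = bytes.fromhex(
    "047a756964076461706164616d026e6c00" "002b" "0001" "00015180" "003a"
    "0000" "08" "01"
    "00000005000000000000000000002763" "32653138"
    "376330626431333237623765" "66616262643634363265396364323564" "353431353937")

if __name__ == "__main__":
    r = parse_ds_rr(MALFORMED_DS)
    print(r["name"], "digest type", r["digest_type"], r["problems"])
```

Running it reports that the 58-byte RDATA carries a 54-byte "digest" for SHA-1, and the trailing bytes decode as the ASCII text of a hex digest, which is consistent with the EXTRA column in the dump.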