Configuring DNSSEC for child domains
Mark Andrews
marka at isc.org
Mon May 6 22:09:06 UTC 2013
In message <5187C559.6040401 at sidn.nl>, "Marco Davids (SIDN)" writes:
>
> Hi Jaap,
>
> On 05/06/13 16:09, Jaap Winius wrote:
>
> >
> > This shows two DS records in the parent zone, one not secure and one
> > bogus, and three DNSKEY records in the child zone, none of which are
> > secure.
>
> Perhaps you could remove ns[12].transip.net from your NS-set and try
> again? It seems as if these name servers are causing some problems.
They are emitting malformed DS records. Hash algorithm
1 is only supposed to be 20 bytes long.
04 7a 75 69 64 07 64 61 70 61 64 61 6d 02 6e     owner name        ..zuid.dapadam.n
6c 00
00 2b                                            DS
00 01                                            IN
00 01 51 80                                      ttl
00 3a                                            RDLEN
00 00                                            KEY TAG
08                                               KEY ALG
01                                               HASH ALG
00 00 00 05 00 00 00 00 00 00 00 00 00 00 27 63  HASH              ..............'c
32 65 31 38
37 63 30 62 64 31 33 32 37 62 37 65              EXTRA             2e187c0bd1327b7e
66 61 62 62 64 36 34 36 32 65 39 63 64 32 35 64                    fabbd6462e9cd25d
35 34 31 35 39 37
Additionally, the nameserver is not compressing the owner names of
the DS record. While permitted, it is not expected and could result
in additional fragmentation and/or fallback to TCP.
On top of that the NS RRsets don't match. The DS records
that do get through don't match the DNSKEY records.
> http://dnsviz.net/d/zuid.dapadam.nl/responses/
>
> Regards,
>
> --
> Marco
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
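As an added example (not part of this thread or of BIND), a small Python checker that parses one wire-format DS RR and flags a digest field whose length does not match its digest type, run over the bytes from the dump above re-typed byte for byte. The digest-length table is the one from RFC 4034, RFC 4509 and RFC 6605; the function and variable names are my own.

```python
import struct

# Expected digest length per DS digest type: 1 = SHA-1 (RFC 4034),
# 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_LEN = {1: 20, 2: 32, 4: 48}

def read_name(buf, off):
    """Read an uncompressed owner name; returns (name, offset after it)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointer: a full parser would chase it
            raise ValueError("compressed owner name not handled here")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off

def check_ds_rr(buf):
    """Parse one wire-format DS RR and list any RDATA length problems."""
    name, off = read_name(buf, 0)
    rrtype, rrclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    if rrtype != 43:
        raise ValueError("not a DS record")
    rdata = buf[off:off + rdlen]
    key_tag, key_alg, digest_type = struct.unpack_from("!HBB", rdata, 0)
    digest = rdata[4:]  # everything after the 4-byte fixed part
    problems = []
    expected = DIGEST_LEN.get(digest_type)
    if expected is None:
        problems.append(f"unknown digest type {digest_type}")
    elif len(digest) != expected:
        problems.append(f"digest type {digest_type} needs {expected} bytes, "
                        f"got {len(digest)} (RDLEN {rdlen})")
    return {"name": name, "ttl": ttl, "key_tag": key_tag, "key_alg": key_alg,
            "digest_type": digest_type, "digest_len": len(digest),
            "problems": problems}

# The malformed DS record from the dump above, copied byte for byte.
BAD_DS = bytes.fromhex(
    "047a756964076461706164616d026e6c00"          # zuid.dapadam.nl.
    "002b 0001 00015180 003a"                     # DS IN ttl 86400 RDLEN 58
    "0000 08 01"                                  # key tag 0, alg 8, SHA-1
    "00000005000000000000000000002763 32653138"   # 20 bytes of digest
    "376330626431333237623765"                    # 34 extra bytes follow
    "66616262643634363265396364323564"
    "353431353937"
)
```
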