dnssec KSK rollover

Tony Finch dot at dotat.at
Thu Aug 23 13:01:05 UTC 2018

project722 <project722 at gmail.com> wrote:
> 1) I am still seeing the "no valid signature found" messages in my
> bind.log.

> ;; validating ncentral.teklinks.com/A: no valid signature found

In this case that's because ncentral.teklinks.com is signed but there's no
DS in the parent zone, so it's insecure. If you run delv +vtrace you'll
see a lot of verbiage between these lines which is the major clue.

;; validating teklinks.com/DS: attempting negative response validation

;; validating teklinks.com/DS: nonexistence proof(s) found

Or you can look at dnsviz.net :-)

> 2) There is one other scenario that confuses me. When I test against a URL
> that's purposely set up to fail dnssec, I get a servfail.

dnssec-failed.org has DS records, so it should be secure, but the DS
records in the parent don't match the DNSKEY records in the child zone.
You can see this by comparing:

$ dig +noall +answer dnssec-failed.org ds

$ dig +cd dnssec-failed.org dnskey |
  dnssec-dsfromkey -f /dev/stdin dnssec-failed.org

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
protect and enlarge the conditions of liberty and social justice
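The comparison Tony describes (the DS set served by the parent versus the DS records that dnssec-dsfromkey derives from the child's DNSKEY RRset) can be reproduced offline. The script below is an added example, not part of the original mail or of BIND; it implements the RFC 4034 DS construction (owner name in canonical wire format followed by the DNSKEY RDATA, hashed with SHA-256 for digest type 2) and the RFC 4034 Appendix B key tag, then classifies the delegation as insecure (no DS), secure (a DS matches a child key) or bogus (DS present but matching nothing, which is what makes validators return SERVFAIL for dnssec-failed.org). The owner name example.org and the key bytes are constructed for illustration; only the chain-of-trust step is modelled, so a "secure" result here still assumes the RRSIGs verify.

```python
import hashlib
import struct

# Added example, not code from the original mail or from BIND. All key
# material below is constructed; no real zone data is used.


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase, uncompressed) wire format, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (general method, valid for every algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_key(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """What dnssec-dsfromkey computes: (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)


def classify(owner: str, parent_ds: list, child_keys: list) -> str:
    """
    Compare the parent's DS set with DS records derived from the child's DNSKEYs.
    Only the chain-of-trust step is modelled: a 'secure' result still requires
    the validator to verify the zone's RRSIGs before trusting its data.
    """
    if not parent_ds:
        return "insecure"   # no DS in the parent: unsigned delegation, no signatures expected
    derived = {ds_from_key(owner, *key) for key in child_keys}
    if derived & set(parent_ds):
        return "secure"     # at least one DS authenticates a DNSKEY published by the child
    return "bogus"          # DS present but matches no child key: validators answer SERVFAIL


# Constructed sample data: a KSK (flags 257, protocol 3, algorithm 8) with a made-up key blob,
# and a second KSK standing in for a child zone that rolled its key without the parent's DS
# being updated.
OWNER = "example.org."
KSK = (257, 3, 8, bytes(range(32)))
ROLLED_KSK = (257, 3, 8, bytes(range(32, 64)))

if __name__ == "__main__":
    parent = [ds_from_key(OWNER, *KSK)]
    print(classify(OWNER, [], [KSK]))             # insecure
    print(classify(OWNER, parent, [KSK]))         # secure
    print(classify(OWNER, parent, [ROLLED_KSK]))  # bogus
```

In practice the parent list would be filled from `dig +noall +answer <zone> ds` and the child list from `dig +cd <zone> dnskey`; the +cd flag matters because a validating resolver would otherwise refuse to return the DNSKEY RRset of a bogus zone at all.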
