dnssec KSK rollover
project722 at gmail.com
Thu Aug 23 22:58:51 UTC 2018
Actually I have one more question just to make sure I'm not overlooking
anything for the KSK rollover. The instructions here:
say that I need to, in addition to setting validation to "auto", run:
Well, I did that and it created the named.secroots file with the correct
secure roots as of 23-Aug-2018 17:27:15.420:
Start view _default
./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
Negative trust anchors:
Does BIND automatically know to use this file or do I need to point
named.conf to it? Do I even need this file at all?
On Thu, Aug 23, 2018 at 9:43 AM project722 <project722 at gmail.com> wrote:
> Thanks Tony! This was very helpful.
> On Thu, Aug 23, 2018 at 8:01 AM Tony Finch <dot at dotat.at> wrote:
>> project722 <project722 at gmail.com> wrote:
>> > 1) I am still seeing the "no valid signature found" messages in my
>> > bind.log.
>> > ;; validating ncentral.teklinks.com/A: no valid signature found
>> In this case that's because ncentral.teklinks.com is signed but there's
>> DS in the parent zone, so it's insecure. If you run delv +vtrace you'll
>> see a lot of verbiage between these lines which is the major clue.
>> ;; validating teklinks.com/DS: attempting negative response validation
>> ;; validating teklinks.com/DS: nonexistence proof(s) found
>> Or you can look at dnsviz.net :-)
>> > 2) There is one other scenario that confuses me. When I test against a
>> > that's purposely set up to fail dnssec, I get a servfail.
>> dnssec-failed.org has DS records, so it should be secure, but the DS
>> records in the parent don't match the DNSKEY records in the child zone.
>> You can see this by comparing:
>> $ dig +noall +answer dnssec-failed.org ds
>> $ dig +cd dnssec-failed.org dnskey |
>> dnssec-dsfromkey -f /dev/stdin dnssec-failed.org
>> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
>> protect and enlarge the conditions of liberty and social justice
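The comparison Tony describes (dig the DS records out of the parent, run the child's DNSKEY records through dnssec-dsfromkey, see whether anything lines up) can be reproduced without network access. The script below is an added example written for this thread; it is not code from the thread, from BIND, or from dnssec-dsfromkey. It recomputes the key tag (RFC 4034 Appendix B) and the DS digest (SHA-1 and SHA-256 over the canonical owner name plus DNSKEY RDATA) for each DNSKEY, then intersects the result with the DS RRset the parent publishes. The DNSKEY and DS lines in it are constructed sample records, not the real dnssec-failed.org data: the sample parent DS carries the right key tag but a stale digest, which is exactly the "DS doesn't match DNSKEY" case that makes a validator return SERVFAIL.

```python
import base64
import hashlib
import struct

# Added example (not from the thread or from BIND): recompute DS records from a
# child zone's DNSKEY RRset, the way dnssec-dsfromkey does, and check them against
# the DS records published in the parent. An empty intersection is the
# "DS in parent doesn't match DNSKEY in child" failure mode that yields SERVFAIL.

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form: lowercased, length-prefixed labels, root byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum over RDATA with carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Derive the DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_rr(line):
    """Split a dig-style presentation line: owner ttl class type rdata-fields...
    Anything after ';' (dig's 'key id = ...' comments) is dropped."""
    parts = line.split(";")[0].split()
    return parts[0], parts[3], parts[4:]


def check_chain(parent_ds_lines, child_dnskey_lines):
    """Return (matched, expected): the parent's DS records that correspond to a
    child DNSKEY, and every DS the child's keys would produce. Empty `matched`
    means no trust path from parent to child, i.e. a bogus delegation."""
    expected = set()
    for line in child_dnskey_lines:
        owner, rtype, fields = parse_rr(line)
        if rtype != "DNSKEY":
            continue
        flags, proto, alg = int(fields[0]), int(fields[1]), int(fields[2])
        pubkey = "".join(fields[3:])  # dig may wrap the base64 key across whitespace
        for digest_type in (1, 2):
            expected.add(make_ds(owner, flags, proto, alg, pubkey, digest_type))
    published = set()
    for line in parent_ds_lines:
        _, rtype, fields = parse_rr(line)
        if rtype != "DS":
            continue
        digest = "".join(fields[3:]).upper()
        published.add((int(fields[0]), int(fields[1]), int(fields[2]), digest))
    return published & expected, expected


# Constructed sample records (NOT the real dnssec-failed.org RRsets): the child
# publishes a tiny KSK whose RDATA is 01 01 03 08 01 02 03 04 (key tag 2063), and
# the parent publishes a DS with that tag but a digest that belongs to some other key.
CHILD_DNSKEY = ["dnssec-failed.org. 7200 IN DNSKEY 257 3 8 AQIDBA=="]
PARENT_DS = ["dnssec-failed.org. 7200 IN DS 2063 8 2 " + "00" * 32]


def report(parent_ds_lines=PARENT_DS, child_dnskey_lines=CHILD_DNSKEY):
    """Print what dnssec-dsfromkey would show next to what the parent has, and say whether they agree."""
    matched, expected = check_chain(parent_ds_lines, child_dnskey_lines)
    for tag, alg, dt, digest in sorted(expected):
        print("child implies DS %d %d %d %s" % (tag, alg, dt, digest))
    for line in parent_ds_lines:
        print("parent has    " + line)
    print("secure delegation" if matched else "BOGUS: no parent DS matches a child DNSKEY")
    return bool(matched)


if __name__ == "__main__":
    report()
```

To check a real delegation, feed the output of `dig +noall +answer ZONE ds` and `dig +cd +noall +answer ZONE dnskey` in as the two line lists; with `+cd` the resolver hands back the child's keys even when it considers the zone bogus, which is the whole point when you are diagnosing a SERVFAIL. Note that a matching key tag alone proves nothing (the sample above has the tag right and still fails); only an identical digest establishes the chain.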