disable dnssec for particular domain

Reindl Harald h.reindl at thelounge.net
Wed Feb 7 11:14:48 UTC 2018



On 07.02.2018 at 12:12, Reindl Harald wrote:
> 
> 
>> On 07.02.2018 at 12:07, Matus UHLAR - fantomas wrote:
>>> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>>>> what's the difference, when the domain doesn't exist?
>>>>
>>>> is it because .eu is signed?
>>
>> On 06.02.18 16:35, Ray Bellis wrote:
>>> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
>>> and opt-out.
>>>
>>> Are you *sure* that the domain doesn't now actually exist in the DNS?
>>
>> yes. even web whois shows no 'nameserver' information.
>>
>> the name is "testa.eu".
>> I'm not good enough at DNSSEC to find out more.
> 
> probably it's just a stupid idea to have no nameservers instead of some 
> fake nameserver without DS records when you override the domain locally 
> anyway
> 
> my "rhsoft.net" domain on local networks also has nothing in common with 
> the public nameservers
> 
> https://dnssec-debugger.verisignlabs.com/testa.eu
> 
>      Found 3 DNSKEY records for .
>      DS=20326/SHA-256 verifies DNSKEY=20326/SEP
>      DS=19036/SHA-256 verifies DNSKEY=19036/SEP
>      Found 1 RRSIGs over DNSKEY RRset
>      RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
> eu
>      Found 1 DS records for eu in the . zone
>      DS=59479/SHA-256 has algorithm RSASHA256
>      Found 1 RRSIGs over DS RRset
>      RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
>      Found 2 DNSKEY records for eu
>      DS=59479/SHA-256 verifies DNSKEY=59479/SEP
>      Found 2 RRSIGs over DNSKEY RRset
>      RRSIG=43743 and DNSKEY=43743 verifies the DNSKEY RRset
>      Zone eu (2600:2000:3004::1) returns NXDOMAIN for testa.eu

and that proves that your setup with no nameservers is stupid because 
otherwise you would get "domain not signed" and be done

https://dnssec-debugger.verisignlabs.com/rhsoft.net

	Found 3 DNSKEY records for .
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	DS=19036/SHA-256 verifies DNSKEY=19036/SEP
	Found 1 RRSIGs over DNSKEY RRset
	RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
net
	Found 1 DS records for net in the . zone
	DS=35886/SHA-256 has algorithm RSASHA256
	Found 1 RRSIGs over DS RRset
	RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
	Found 2 DNSKEY records for net
	DS=35886/SHA-256 verifies DNSKEY=35886/SEP
	Found 1 RRSIGs over DNSKEY RRset
	RRSIG=35886 and DNSKEY=35886/SEP verifies the DNSKEY RRset
rhsoft.net
	No DS records found for rhsoft.net in the net zone
	No DNSKEY records found
	rhsoft.net A RR has value 91.118.73.11
	No RRSIGs found
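The two debugger reports above show the distinction that matters here: a signed zone (.eu) answers with a validated denial of existence, while an unsigned delegation (rhsoft.net, no DS in .net) gives the validator nothing to check, so a local override of it can never fail validation. The script below is an added example, not code from the thread or from ISC: it reproduces that classification at the resolver side by comparing a normal `dig +dnssec` query with the same query sent with `+cd` (checking disabled). The pure functions work on dig header text and are exercised on a constructed sample; `check_name` needs `dig` and network access. The resolver address and the names passed to it are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread and not ISC's code.
# Classify how a validating resolver treats a name:
#   secure-*            AD flag set: validated answer or validated denial (e.g. NXDOMAIN from signed .eu)
#   insecure-*          no AD: unsigned delegation such as rhsoft.net, nothing to validate
#   validation-failure  SERVFAIL normally, but an answer with +cd: the data is bogus
#   server-failure      SERVFAIL even with +cd: not a DNSSEC problem at all

# dig_status: print the "status:" value from dig output on stdin (NOERROR, NXDOMAIN, SERVFAIL, ...)
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_flags: print the header flags field ("qr rd ra ad") from dig output on stdin
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# classify_dnssec STATUS FLAGS STATUS_CD
#   STATUS, FLAGS : from the normal (validating) query
#   STATUS_CD     : status of the same query sent with +cd
classify_dnssec() {
    status=$1 flags=$2 status_cd=$3
    case $status in
    SERVFAIL)
        if [ "$status_cd" = SERVFAIL ]; then
            echo server-failure          # fails with validation bypassed too
        else
            echo validation-failure      # only validation rejects it
        fi ;;
    *)
        case " $flags " in
        *" ad "*) echo "secure-$status" ;;    # AD set: validated answer or validated denial
        *)        echo "insecure-$status" ;;  # no AD: unsigned delegation (or a non-validating server)
        esac ;;
    esac
}

# classify_text NORMAL_OUTPUT CD_OUTPUT: classify from two captured dig outputs
classify_text() {
    classify_dnssec "$(printf '%s\n' "$1" | dig_status)" \
                    "$(printf '%s\n' "$1" | dig_flags)" \
                    "$(printf '%s\n' "$2" | dig_status)"
}

# check_name NAME [RESOLVER]: live check against a validating resolver (needs dig and network)
check_name() {
    name=$1 server=${2:+@$2}
    normal=$(dig +dnssec +noall +comments +time=2 +tries=1 $server "$name" A)
    withcd=$(dig +dnssec +cd +noall +comments +time=2 +tries=1 $server "$name" A)
    classify_text "$normal" "$withcd"
}

# Constructed sample (not captured from the thread): the header a validating
# resolver returns for a name that does not exist in a signed zone.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1'

printf 'constructed sample: %s\n' "$(classify_text "$SAMPLE_NXDOMAIN" "$SAMPLE_NXDOMAIN")"

# Live run only when asked for, e.g.  LIVE=1 RESOLVER=127.0.0.1 sh dnssec-classify.sh
if [ -n "$LIVE" ] && command -v dig >/dev/null 2>&1; then
    for n in testa.eu rhsoft.net; do              # names from the thread, assumed to be the ones of interest
        printf '%s: %s\n' "$n" "$(check_name "$n" "${RESOLVER:-}")"
    done
fi
```

A locally overridden name that comes back as `validation-failure` is the case the subject line asks about. What to do about it is not covered in the thread; from my own experience with BIND (version details from memory, check the ARM for your release): a negative trust anchor, `rndc nta <name>`, exempts that name from validation for a limited time, and the `validate-except` option in `options` does so permanently in newer releases. Both are blunt tools, since they also disable protection for the real zone if one ever appears.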


More information about the bind-users mailing list