disable dnssec for particular domain
Reindl Harald
h.reindl at thelounge.net
Wed Feb 7 11:14:48 UTC 2018
On 07.02.2018 at 12:12, Reindl Harald wrote:
>
>
> On 07.02.2018 at 12:07, Matus UHLAR - fantomas wrote:
>>> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>>>> what's the difference, when the domain doesn't exist?
>>>>
>>>> is it because .eu is signed?
>>
>> On 06.02.18 16:35, Ray Bellis wrote:
>>> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
>>> and opt-out.
>>>
>>> Are you *sure* that the domain doesn't now actually exist in the DNS?
>>
>> yes. even web whois shows no 'nameserver' information.
>>
>> the name is "testa.eu".
>> I'm not good at dnssec to find out more
>
> probably it's just a stupid idea to have no nameservers instead of some
> fake nameserver without DS records when you override the domain locally
> anyway
>
> my "rhsoft.net" domain on local networks also has nothing in common with
> the public nameservers
>
> https://dnssec-debugger.verisignlabs.com/testa.eu
>
> Found 3 DNSKEY records for .
> DS=20326/SHA-256 verifies DNSKEY=20326/SEP
> DS=19036/SHA-256 verifies DNSKEY=19036/SEP
> Found 1 RRSIGs over DNSKEY RRset
> RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
> eu
> Found 1 DS records for eu in the . zone
> DS=59479/SHA-256 has algorithm RSASHA256
> Found 1 RRSIGs over DS RRset
> RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
> Found 2 DNSKEY records for eu
> DS=59479/SHA-256 verifies DNSKEY=59479/SEP
> Found 2 RRSIGs over DNSKEY RRset
> RRSIG=43743 and DNSKEY=43743 verifies the DNSKEY RRset
> Zone eu (2600:2000:3004::1) returns NXDOMAIN for testa.eu
and that proves that your setup with no nameservers is stupid, because
otherwise you would get "domain not signed" and you are done
https://dnssec-debugger.verisignlabs.com/rhsoft.net
Found 3 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
DS=19036/SHA-256 verifies DNSKEY=19036/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
net
Found 1 DS records for net in the . zone
DS=35886/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
Found 2 DNSKEY records for net
DS=35886/SHA-256 verifies DNSKEY=35886/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=35886 and DNSKEY=35886/SEP verifies the DNSKEY RRset
rhsoft.net
No DS records found for rhsoft.net in the net zone
No DNSKEY records found
rhsoft.net A RR has value 91.118.73.11
No RRSIGs found
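A resolver-side way to do what the subject line asks, added here as an example and not taken from the thread or from any poster's configuration. It assumes BIND 9.14 or later, where the `validate-except` option exists (older releases only have the temporary negative trust anchor set with `rndc nta`), and the forwarder address and file path are placeholders.

```conf
options {
    // Validation stays on for every other name; "auto" uses the built-in
    // root trust anchor (the DNSKEY=20326/SEP shown in the debugger output).
    dnssec-validation auto;

    // Skip validation only at and below the locally overridden name.
    // Without this, a validating resolver fetches DS for testa.eu from the
    // signed .eu zone, gets an authenticated NXDOMAIN (the thread's case),
    // and marks the forwarded local answer bogus. A domain that is actually
    // delegated but has no DS would instead be proven insecure and need no
    // exception at all, which is the point made above.
    validate-except { "testa.eu"; };
};

// The local override itself: forward the name to an internal server that
// holds the private data. 192.0.2.53 is a constructed placeholder address.
zone "testa.eu" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

Keep the exception list to the names that are genuinely overridden; each entry removes the protection that the rest of the resolver still relies on.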