DNSSEC and secondary DNS servers

Mark Elkins mje at posix.co.za
Sun Sep 9 20:58:59 UTC 2018


(Seems I can't reply directly to the author)

$ dig covisp.net ds
; <<>> DiG 9.11.2-P1 <<>> covisp.net ds
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21696
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
...
;; ANSWER SECTION:
covisp.net.        86352    IN    DS    1 7 1 E59B549EC68D577C44A4E13542257CA44FE21970
covisp.net.        86352    IN    DS    2 7 2 051033AF1BC909BE73FCFE4B59B1BDD2B8D7F8BF7BD840174AC1DEF7 14895D02

Umm... this initially looks great but something is seriously strange.
The first numerical value after DS should be the Key ID (or Key Tag). I
really doubt that you would (randomly) create two different DNSKEY
records with sequential Key IDs (Tags) starting from "1"... it's usually
a relatively random value between 1 and 2^16.

Also as an aside - many people are no longer putting the SHA-1 Digest
type DS record in their parent, just the longer (more secure?) SHA-256
(Digest Type 2) record.

As the root uses Algorithm 8 - many people also use algorithm 8 - you
are using algorithm 7. Algorithm roll-overs are a pain so if you can -
move straight to 8.

I also cannot detect a DNSKEY in your zone?
dig covisp.net dnskey +cd
...gives your SOA.
Without the "+cd" (ignore any DNSSEC validation) - I get a SERVFAIL.

Adding DS records into your parent should be the last part of the
process in securing your Zone with DNSSEC.

I really think you need to start over. What are you using to sign your
zone with? Maybe I can help.
Take a look at https://dnssec.co.za

On 09/09/2018 08:59 PM, LuKreme wrote:
> On Sep 8, 2018, at 10:21, Mark Elkins <mje at posix.co.za
> <mailto:mje at posix.co.za>> wrote:
>> Have you DNSSEC Signed your Domain - that is "covisp.net
>> <http://covisp.net>" because I
>> don't see any DS records for it in the "net" zone.
>
> I think I have everything set now and am hoping the two errors I have
> about validation are a matter of waiting for hover to propagate.
>
> “None of the 2 DNSKEY records could be validated by any of the 2 DS
> records”
>
> Thanks for all your help. We'll see if I still show this as broken
> tomorrow.
>
> -- 
> My main job is trying to come up with new and innovative and effective
> ways to reject even more mail. I'm up to about 97% now.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
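As an added example (my own code, not from the thread, BIND or any signing tool), this is the check a validator performs when it reports that a DNSKEY "could not be validated by any DS": it recomputes the key tag from the DNSKEY RDATA, hashes the owner name plus that RDATA, and compares tag, algorithm and digest with the DS in the parent. The zone name is the one from the thread; the DNSKEY public key bytes are constructed and not a real key.

```python
import hashlib
import struct

# Constructed sample data: the zone from the thread, but a tiny fake public key
# so the arithmetic is easy to follow (real RSA/ECDSA keys are far longer).
ZONE = "covisp.net."
FAKE_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])   # constructed, not a real key
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2


def dnskey_rdata(flags, protocol, alg, pubkey):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, alg) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSAMD5):
    sum the RDATA as big-endian 16-bit pairs, fold the carry, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name, ending in the root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner, rdata, digest_type):
    """DS digest per RFC 4034 5.1.4: hash(owner wire form || DNSKEY RDATA), hex."""
    return DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()


def parse_ds(line):
    """Parse a dig-style DS line; dig may print a long digest with an embedded space."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return tag, alg, dtype, "".join(fields[i + 4:]).upper()


def ds_matches_dnskey(owner, ds_line, rdata):
    """True only if the DS key tag, algorithm and digest all match this DNSKEY."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    return (tag == key_tag(rdata) and alg == rdata[3]
            and dtype in DIGEST_ALGS and digest == ds_digest(owner, rdata, dtype))
```

A key tag of 1 or 2 is not impossible, but a DS whose tag does not equal key_tag() of any published DNSKEY will never validate, whatever the digest says.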
