DNSSEC and secondary DNS servers
mje at posix.co.za
Sun Sep 9 20:58:59 UTC 2018
(Seems I can't reply directly to the author)
$ dig covisp.net ds
; <<>> DiG 9.11.2-P1 <<>> covisp.net ds
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21696
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
covisp.net. 86352 IN DS 1 7 1
covisp.net. 86352 IN DS 2 7 2
Umm... this initially looks great but something is seriously strange.
The first numerical value after DS should be the Key ID (or Key Tag). I
really doubt that you would (randomly) create two different DNSKEY
records with sequential Key IDs (Tags) starting from "1"... it's usually
a relatively random value between 1 and 2^16.
Also as an aside - many people are no longer putting the SHA-1 Digest
type DS record in their parent, just the longer (more secure?) SHA-256
(Digest Type 2) record.
As the root uses Algorithm 8 - many people also use algorithm 8 - you
are using algorithm 7. Algorithm roll-overs are a pain so if you can -
move straight to 8.
I also cannot detect a DNSKEY in your zone?
dig covisp.net dnskey +cd
...gives your SOA.
Without the "+cd" (ignore any DNSSEC validation) - I get a SERVFAIL.
Adding DS records into your parent should be the last part of the
process in securing your Zone with DNSSEC.
I really think you need to start over. What are you using to sign your
zone with? Maybe I can help.
Take a look at https://dnssec.co.za
On 09/09/2018 08:59 PM, LuKreme wrote:
> On Sep 8, 2018, at 10:21, Mark Elkins <mje at posix.co.za
> <mailto:mje at posix.co.za>> wrote:
>> Have you DNSSEC Signed your Domain - that is "covisp.net
>> <http://covisp.net>" because I
>> don't see any DS records for it in the "net" zone.
> I think I have everything set now and am hoping the two errors I have
> about validation are a matter of waiting for hover to propagate.
> “None of the 2 DNSKEY records could be validated by any of the 2 DS
> Thanks for all your help. We'll see if I still show this as broken
> My main job is trying to come up with new and innovative and effective
> ways to reject even more mail. I'm up to about 97% now.
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
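The two points Mark raises above (a Key Tag is a checksum over the DNSKEY RDATA, so values like 1 and 2 are implausible, and a DS record is only useful if its digest actually matches a DNSKEY published in the child zone) can be checked offline. The following is an added example, not code from the poster or from BIND: it implements the RFC 4034 Key Tag computation and the DS digest (owner name in wire form plus DNSKEY RDATA, hashed with SHA-1 for digest type 1 or SHA-256 for type 2) over dig-style presentation lines. The zone name `example.net.` and the DNSKEY public key (the bytes 0x01..0x10 base64-encoded) are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY in the presentation format dig prints. The public
# key is just the bytes 0x01..0x10 base64-encoded; it is NOT a real key and
# the owner name is a placeholder zone.
SAMPLE_DNSKEY = "example.net. 3600 IN DNSKEY 257 3 8 AQIDBAUGBwgJCgsMDQ4PEA=="

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Return (owner, rdata_bytes) from a dig-style 'owner ttl IN DNSKEY flags proto alg key' line."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # key may be split across fields
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def parse_ds(line):
    """Return (key_tag, algorithm, digest_type, digest_hex) from a dig-style DS line."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return tag, alg, dtype, "".join(fields[i + 4:]).lower()


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (not a sequence number)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Hex digest of (canonical owner name || DNSKEY RDATA) for the given DS digest type."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def make_ds(dnskey_line, digest_type=2):
    """Build the DS record a parent should publish for this DNSKEY (SHA-256 by default)."""
    owner, rdata = parse_dnskey(dnskey_line)
    alg = rdata[3]  # algorithm byte of the RDATA
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def ds_matches(dnskey_line, ds_line):
    """True only if the DS tag, algorithm and digest all correspond to this DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGEST_ALGS:
        return False
    return tag == key_tag(rdata) and alg == rdata[3] and digest == ds_digest(owner, rdata, dtype)


if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    print("key tag:", key_tag(rdata))          # 17489 for the constructed key
    print(make_ds(SAMPLE_DNSKEY, 2))           # the DS to hand to the parent
    print(ds_matches(SAMPLE_DNSKEY, make_ds(SAMPLE_DNSKEY, 1)))  # True
```

Run it against the real `dig <zone> DNSKEY` and `dig <zone> DS` output (with `+cd` if the resolver is already failing validation) and `ds_matches` tells you whether the DS in the parent was derived from a key the child actually serves; the key tag printed for the constructed key is nowhere near 1 or 2, which is the normal case.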