Inline signing fails dnsviz test.

Dan Egli dan at newideatest.site
Mon May 10 05:18:40 UTC 2021


I tried to set up inline signing on my DNS server, and after reading the 
results from DNSVIZ, I'd say I was PARTIALLY successful, but there still 
seems to be a lot missing.

You can check the status on dnsviz yourself with the names 
eglifamily.name and newideatest.site. Both resulted in nearly identical 
responses, with a lot of warnings and some errors. A few of those errors 
I could blame on my backup DNS provider. You get what you pay for and 
they are free. But not everything could be blamed on them.

I've attached a PNG of the output. Hopefully it comes through. 
Meanwhile, here are the zone statements from my named.conf:

view "standard" IN {
         zone "eglifamily.name" {
                 type master;
                 file "pri/eglifamily.zone";
                 allow-query { any; };
                 allow-transfer {
                   108.61.224.67; 116.203.6.3; 107.191.99.111;
                   185.22.172.112; 103.6.87.125; 192.184.93.99; 119.252.20.56;
                   31.220.30.73; 185.34.136.178; 185.136.176.247; 45.77.29.133;
                   116.203.0.64; 167.88.161.228; 199.195.249.208; 104.244.78.122;
                   2605:6400:30:fd6e::3; 2605:6400:10:65::3; 2605:6400:20:d5e::3;
                   2a01:4f8:1c0c:8122::3; 2001:19f0:7001:381::3; 2a06:fdc0:fade:2f7::1;
                   2a00:dcc7:d3ff:88b2::1; 2a04:bdc7:100:1b::3;
                   2401:1400:1:1201::1:7853:1a5; 2604:180:1:92a::3; 2403:2500:4000::f3e;
                   2a00:1838:20:2::cd5e:68e9; 2604:180:2:4cf::3; 2a01:4f8:1c0c:8115::3;
                   2001:19f0:6400:8642::3;
                 };
//              also-notify { 1.2.3.4; }; // none for now
                 allow-update { trusted; };
                 key-directory "/var/bind/pri/keys";
                 auto-dnssec maintain;
                 inline-signing yes;
         };

         zone "newideatest.site" {
                 type master;
                 file "pri/newideatest.zone";
                 allow-query { any; };
                 allow-transfer {
                   108.61.224.67; 116.203.6.3; 107.191.99.111;
                   185.22.172.112; 103.6.87.125; 192.184.93.99; 119.252.20.56;
                   31.220.30.73; 185.34.136.178; 185.136.176.247; 45.77.29.133;
                   116.203.0.64; 167.88.161.228; 199.195.249.208; 104.244.78.122;
                   2605:6400:30:fd6e::3; 2605:6400:10:65::3; 2605:6400:20:d5e::3;
                   2a01:4f8:1c0c:8122::3; 2001:19f0:7001:381::3; 2a06:fdc0:fade:2f7::1;
                   2a00:dcc7:d3ff:88b2::1; 2a04:bdc7:100:1b::3;
                   2401:1400:1:1201::1:7853:1a5; 2604:180:1:92a::3; 2403:2500:4000::f3e;
                   2a00:1838:20:2::cd5e:68e9; 2604:180:2:4cf::3; 2a01:4f8:1c0c:8115::3;
                   2001:19f0:6400:8642::3;
                 };
//              also-notify { 1.2.3.4; }; // none for now
                 allow-update { trusted; };
                 key-directory "/var/bind/pri/keys";
                 auto-dnssec maintain;
                 inline-signing yes;
         };

-- 

Dan Egli
 From my Test Server

-------------- next part --------------
A non-text attachment was scrubbed...
Name: newideatest.site-2021-05-10-05 11 22-UTC(1).png
Type: image/png
Size: 108257 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210509/40fa0af8/attachment-0001.png>