Inline signing fails dnsviz test.

Dan Egli dan at newideatest.site
Mon May 10 17:53:25 UTC 2021


They do, and I had forgotten that. But I don't know where to get the DS 
record I'd place. I tried querying bind, but all I got back was 
someone's SOA record:

; <<>> DiG 9.16.12 <<>> @localhost ds eglifamily.name
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62605
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 8761a3c0b39eccab010000006099729d88739143bbe8c230 (good)
;; QUESTION SECTION:
;eglifamily.name.               IN      DS

;; AUTHORITY SECTION:
name.                   10794   IN      SOA     ac1.nstld.com. info.verisign-grs.com. 1620669036 1800 900 604800 86400

;; Query time: 10 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 10 11:51:25 MDT 2021
;; MSG SIZE  rcvd: 142

Where do I get the DS record, since I'm using bind's inline signing?

On 5/10/2021 3:29 AM, John W. Blue via bind-users wrote:
> Hello Dan.
>
> Does your registrar have the ability via a UI to place a DS record in 
> the .name zone?
>
> And if so, have you done that already?
>
> John
>
> Sent from Nine <http://www.9folders.com/>
> ------------------------------------------------------------------------
> *From:* Dan Egli <dan at newideatest.site>
> *Sent:* Monday, May 10, 2021 12:20 AM
> *To:* bind-users at lists.isc.org
> *Subject:* Inline signing fails dnsviz test.
>
> I tried to set up inline signing on my DNS server, and after reading the
> results from DNSVIZ, I'd say I was PARTIALLY successful, but there still
> seems to be a lot missing.
>
> You can check the status on dnsviz yourself with the names
> eglifamily.name and newideatest.site. Both resulted in nearly identical
> responses, with a lot of warnings and some errors. A few of those errors
> I could blame on my backup DNS provider. You get what you pay for and
> they are free. But not everything could be blamed on them.
>
> I've attached a PNG of the output. Hopefully it comes through.
> Meanwhile, here's the zone statements from my named.conf:
>
> view "standard" IN {
>          zone "eglifamily.name" {
>                  type master;
>                  file "pri/eglifamily.zone";
>                  allow-query { any; };
>                  allow-transfer {
>                    108.61.224.67; 116.203.6.3; 107.191.99.111;
> 185.22.172.112; 103.6.87.125; 192.184.93.99; 119.252.20.56;
> 31.220.30.73; 185.34.136.178; 185.136.176.247; 45.77.29.133;
> 116.203.0.64; 167.88.161.228; 199.195.249.208; 104.244.78.122;
> 2605:6400:30:fd6e::3; 2605:6400:10:65::3; 2605:6400:20:d5e::3;
> 2a01:4f8:1c0c:8122::3; 2001:19f0:7001:381::3; 2a06:fdc0:fade:2f7::1;
> 2a00:dcc7:d3ff:88b2::1; 2a04:bdc7:100:1b::3;
> 2401:1400:1:1201::1:7853:1a5; 2604:180:1:92a::3; 2403:2500:4000::f3e;
> 2a00:1838:20:2::cd5e:68e9; 2604:180:2:4cf::3; 2a01:4f8:1c0c:8115::3;
> 2001:19f0:6400:8642::3;
>                  };
> //              also-notify { 1.2.3.4; }; // none for now
>                  allow-update { trusted; };
>                  key-directory "/var/bind/pri/keys";
>                  auto-dnssec maintain;
>                  inline-signing yes;
>          };
>
>          zone "newideatest.site" {
>                  type master;
>                  file "pri/newideatest.zone";
>                  allow-query { any; };
>                  allow-transfer {
>                    108.61.224.67; 116.203.6.3; 107.191.99.111;
> 185.22.172.112; 103.6.87.125; 192.184.93.99; 119.252.20.56;
> 31.220.30.73; 185.34.136.178; 185.136.176.247; 45.77.29.133;
> 116.203.0.64; 167.88.161.228; 199.195.249.208; 104.244.78.122;
> 2605:6400:30:fd6e::3; 2605:6400:10:65::3; 2605:6400:20:d5e::3;
> 2a01:4f8:1c0c:8122::3; 2001:19f0:7001:381::3; 2a06:fdc0:fade:2f7::1;
> 2a00:dcc7:d3ff:88b2::1; 2a04:bdc7:100:1b::3;
> 2401:1400:1:1201::1:7853:1a5; 2604:180:1:92a::3; 2403:2500:4000::f3e;
> 2a00:1838:20:2::cd5e:68e9; 2604:180:2:4cf::3; 2a01:4f8:1c0c:8115::3;
> 2001:19f0:6400:8642::3;
>                  };
> //              also-notify { 1.2.3.4; }; // none for now
>                  allow-update { trusted; };
>                  key-directory "/var/bind/pri/keys";
>                  auto-dnssec maintain;
>                  inline-signing yes;
>          };
>
> -- 
>
> Dan Egli
>  From my Test Server
>
>

-- 
Dan Egli
 From my Test Server
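The DS record is not something to look up with dig: until the registrar publishes it in the parent (.name here), it does not exist anywhere, which is why the query above came back with only the parent's SOA. It is derived from the zone's own KSK DNSKEY, the key BIND keeps in the configured key-directory, and BIND's dnssec-dsfromkey tool computes it from that key file. The following is an added example, not code from the thread or from BIND, showing exactly what that derivation is: RFC 4034 defines the DS digest as hash(owner name in wire format || DNSKEY RDATA) and the key tag as a 16-bit ones-complement-style sum over the RDATA. The example goes a little beyond the thread by accepting digest types 1, 2 and 4 and by filtering on the SEP flag so only a KSK (flags 257), never a ZSK (256), is turned into a DS. The owner name and key bytes (`example.test.`, a 4-byte fake public key) are constructed for illustration.

```python
# Added example (not from the thread): derive the DS record the parent
# zone needs from the zone's own KSK DNSKEY, as BIND's dnssec-dsfromkey
# does.  RFC 4034 section 5.1.4 defines the digest input as
# owner-name-in-wire-format || DNSKEY RDATA; Appendix B defines the key
# tag.  All key material below is constructed and hypothetical.
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605); type 2 is the one to publish today.
DIGEST_ALGS = {
    1: hashlib.sha1,
    2: hashlib.sha256,
    4: hashlib.sha384,
}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    out = bytearray()
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (every algorithm except 1, RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8  # odd bytes are the low half of a 16-bit word
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def is_ksk(flags: int) -> bool:
    """Only keys with both the Zone Key bit and the SEP bit (flags 257) go to the parent as DS."""
    return (flags & 0x0001) == 1 and (flags & 0x0100) != 0


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS fields for a KSK DNSKEY; rejects ZSKs and unknown digest types."""
    if not is_ksk(flags):
        raise ValueError(f"flags {flags}: not a KSK, no DS should be published for it")
    if digest_type not in DIGEST_ALGS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {
        "owner": owner.rstrip(".").lower() + ".",
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": digest,
    }


def format_ds(ds: dict) -> str:
    """Render as a zone-file line, the form most registrar UIs ask you to paste."""
    return f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


# Constructed sample: a KSK-flagged (257) ECDSAP256SHA256 (13) key with a fake 4-byte public key.
SAMPLE_OWNER = "example.test."
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    print(format_ds(ds_from_dnskey(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_PUBKEY_B64)))
```

With real keys, the inputs are the fields of the `K<zone>+<alg>+<tag>.key` file for the KSK in the key-directory (flags 257); BIND's `dnssec-dsfromkey` run on that file prints the same DS line. The owner name is lowercased before hashing because DS digests are computed over the canonical form, so a mixed-case name in the key file still yields the digest the parent will validate against.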


