Inline signing fails dnsviz test - STILL [LONG]

Dan Egli dan at newideatest.site
Sun May 16 06:44:56 UTC 2021


Upgrade to WHAT? You said it was fixed in 9.11.25, but isn't that a lot 
OLDER than 9.16.15, which is what I'm running?
jupiter ~ # named -v
BIND 9.16.15 (Stable Release) <id:4469e3e>
jupiter ~ # dig -v
DiG 9.16.15


On 5/16/2021 12:06 AM, Mark Andrews wrote:
>
>> On 16 May 2021, at 10:17, Dan Egli via bind-users <bind-users at lists.isc.org> wrote:
>>
>> On 5/10/2021 12:38 PM, Tony Finch wrote:
>>> Dan Egli <dan at newideatest.site> wrote:
>>>
>>>> Still not working for me. The dig doesn't report anything, and I don't HAVE a
>>>> keyfile since I'm using inline signing. Or does inline signing still require a
>>>> key to be generated?
>>>>
>>> Yes, you need to do your own key management with inline-signing using
>>> dnssec-keygen. The new dnssec-policy feature can do automatic key
>>> management for you.
>>>
>>> Tony.
>>>
>> So, I updated the settings. Now I have keyfiles generated by bind, as well as a binary .zone.signed in addition to the plain text .zone which has no DNSSEC information at all in it. I ran the signing routine and bind said it was signed good. So I obtained the DS and put in the registrar. Now I am getting SERVFAIL errors whenever I try to query my zone from another name server. Here's what I did:
>>
>> #dig newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site
>> newideatest.site. IN DS 49236 13 2 <LONG HASH>
>>
>> Ok. Copy the long hash to the Registrar, plug it in. Check, done that.
>>
>>   # dig mx newideatest.site @8.8.4.4
>>
>> ; <<>> DiG 9.16.15 <<>> mx newideatest.site @8.8.4.4
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 631
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 512
>> ;; QUESTION SECTION:
>> ;newideatest.site.              IN      MX
>>
>> ;; Query time: 50 msec
>> ;; SERVER: 8.8.4.4#53(8.8.4.4)
>> ;; WHEN: Sat May 15 18:12:44 MDT 2021
>> ;; MSG SIZE  rcvd: 45
>> ServFail?! WHAT?
> This is a known bug fixed in BIND 9.11.25.  Upgrade.  Once the DS is added to .site for
> newideatest.site the resolution will work.
>    

-- 
Dan Egli
 From my Test Server
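The DS line in the post is the output of `dnssec-dsfromkey -2`. What follows is an added example, not code from this thread or from BIND, that does the same derivation in pure Python (RFC 4034 Appendix B key tag, RFC 4034 section 5.1.4 digest over the canonical owner name plus DNSKEY RDATA) so the key tag and digest handed to a registrar can be checked offline against the DNSKEY RRset the zone actually publishes. The DNSKEY material it uses is a constructed placeholder with a dummy public key, not the real newideatest.site key; the function names (`key_tag`, `ds_from_dnskey`, `check_published_ds`) are this example's own.

```python
"""
Added example, not code from the thread or from BIND: derive a DS record from a
DNSKEY RR the way `dnssec-dsfromkey -2` does (RFC 4034 Appendix B key tag,
RFC 4034 5.1.4 / RFC 4509 SHA-256 digest), so the DS given to the registrar can
be checked offline against the DNSKEY RRset published in the zone.
The DNSKEY below is a CONSTRUCTED placeholder with a dummy public key, not the
real newideatest.site key.
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag: 16-bit checksum over the DNSKEY RDATA
    (the algorithm 1 / RSA-MD5 special case is deliberately not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """RFC 4034 5.1.4: digest = H(canonical owner name | DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def is_ksk(flags: int) -> bool:
    """A key-signing key carries both the ZONE bit (256) and the SEP bit (1): flags 257."""
    return flags & 0x0101 == 0x0101


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest) for one DNSKEY presentation record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def format_ds(owner: str, ds: tuple) -> str:
    """Render the tuple from ds_from_dnskey as a DS presentation record."""
    tag, alg, dt, digest = ds
    return f"{owner.rstrip('.')}. IN DS {tag} {alg} {dt} {digest}"


def check_published_ds(owner: str, dnskeys: list, published_tag: int) -> str:
    """Say which published DNSKEY a DS key tag from the registrar refers to.

    dnskeys: list of (flags, protocol, algorithm, pubkey_b64) as printed by
    `dig <zone> DNSKEY`.  "NONE" means the DS matches no published key, which is
    the state in which validating resolvers answer SERVFAIL for the zone.
    """
    for flags, proto, alg, key in dnskeys:
        tag = key_tag(dnskey_rdata(flags, proto, alg, base64.b64decode(key)))
        if tag == published_tag:
            return "KSK" if is_ksk(flags) else "ZSK"
    return "NONE"


if __name__ == "__main__":
    # Constructed placeholder key material (NOT a real key): base64 of four dummy bytes.
    DUMMY_KEY = base64.b64encode(b"\x00\x01\x00\x02").decode()
    ZONE = "newideatest.site."
    keys = [(257, 3, 13, DUMMY_KEY),   # KSK-flagged record
            (256, 3, 13, DUMMY_KEY)]   # ZSK-flagged copy: same key bytes, different tag
    for flags, proto, alg, key in keys:
        print(format_ds(ZONE, ds_from_dnskey(ZONE, flags, proto, alg, key)))
    ksk_tag = key_tag(dnskey_rdata(257, 3, 13, b"\x00\x01\x00\x02"))
    print("DS tag", ksk_tag, "points at", check_published_ds(ZONE, keys, ksk_tag))
    print("DS tag 12345 points at", check_published_ds(ZONE, keys, 12345))
```

Run it against the live zone by pasting each DNSKEY record from `dig <zone> DNSKEY` into the `keys` list; the `check_published_ds` result for the tag in the registrar's DS tells you whether that DS points at the key flagged 257, at a 256 key, or at nothing the zone currently serves.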
