Inline signing fails dnsviz test - STILL [LONG]
ondrej at isc.org
Sun May 16 07:03:30 UTC 2021
I think Mark jumped on something else, your zone is seriously broken and not because of DNSSEC:
All of these NSes must have the correct zone content and not be broken:
newideatest.site. 3600 IN NS jupiter.eglifamily.name.
newideatest.site. 3600 IN NS uz5qfm8n244kn4qz8mh437w9kzvpudduwyldp5361v9n0vh8sx5ucu.free.ns.buddyns.com.
newideatest.site. 3600 IN NS uz5154v9zl2nswf05td8yzgtd0jl6mvvjp98ut07ln0ydp2bqh1skn.free.ns.buddyns.com.
newideatest.site. 3600 IN NS uz52u1wtmumlrx5fwu6nmv22ntcddxcjjw41z8sfd6ur9n7797lrv9.free.ns.buddyns.com.
newideatest.site. 3600 IN NS uz5w6sb91zt99b73bznfkvtd0j1snxby06gg4hr0p8uum27n0hf6cd.free.ns.buddyns.com.
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 16. 5. 2021, at 8:45, Dan Egli via bind-users <bind-users at lists.isc.org> wrote:
> Upgrade to WHAT? You said it was fixed in 9.11.25, but isn't that a lot OLDER than 9.16.15, which is what I'm running?
> jupiter ~ # named -v
> BIND 9.16.15 (Stable Release) <id:4469e3e>
> jupiter ~ # dig -v
> DiG 9.16.15
>> On 5/16/2021 12:06 AM, Mark Andrews wrote:
>>>> On 16 May 2021, at 10:17, Dan Egli via bind-users <bind-users at lists.isc.org> wrote:
>>> On 5/10/2021 12:38 PM, Tony Finch wrote:
>>>> Dan Egli <dan at newideatest.site>
>>>>> Still not working for me. The dig doesn't report anything, and I don't HAVE a
>>>>> keyfile since i'm using inline signing. Or does inline signing still require a
>>>>> key to be generated?
>>>> Yes, you need to do your own key management with inline-signing using
>>>> dnssec-keygen. The new dnssec-policy feature can do automatic key
>>>> management for you.
>>> So, I updated the settings. Now I have keyfiles generated by bind, as well as a binary .zone.signed in addition to the plain text .zone which has no DNSSEC information at all in it. I ran the signing routine and bind said it was signed good. So I obtained the DS and put in the registrar. Now I am getting SERVFAIL errors whenever I try to query my zone from another name server. Here's what I did:
>>> #dig newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site
>>> newideatest.site. IN DS 49236 13 2 <LONG HASH>
>>> Ok. Copy the long hash to the Registrar, plug it in. Check, done that.
>>> # dig mx newideatest.site @220.127.116.11
>>> ; <<>> DiG 9.16.15 <<>> mx newideatest.site @18.104.22.168
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 631
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 512
>>> ;; QUESTION SECTION:
>>> ;newideatest.site. IN MX
>>> ;; Query time: 50 msec
>>> ;; SERVER: 22.214.171.124#53(126.96.36.199)
>>> ;; WHEN: Sat May 15 18:12:44 MDT 2021
>>> ;; MSG SIZE rcvd: 45
>>> ServFail?! WHAT?
>> This is a known bug fixed in BIND 9.11.25. Upgrade. Once the DS is added to .site for
>> newideatest.site the resolution will work.
> Dan Egli
> From my Test Server
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> bind-users mailing list
> bind-users at lists.isc.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users