dnssec ipv6 reverse zone configuration
Michael Martinell
michael.martinell at itccoop.com
Wed Oct 30 13:31:30 UTC 2024
Hello, hoping somebody might have some insight into the errors I am seeing on ipv6 dnssec records.
I am just starting to roll out dnssec on my reverse zones and have started with IPv6 on the record that contains just our ns2.itctel.com and dns2.itctel.com records. Our IPv4 forward zones are working fine and without error. This is our first reverse zone. I am currently using the same policy as the forward zone, but if necessary can create a separate policy for the reverse zone.
When I query https://dnssec-debugger.verisignlabs.com/3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa it looks like the 0.0.6.d.7.0.6.2.ip6.arpa section is having issues with DNSKEY; however, the sections both above and below that section successfully return green checkmarks.
Do I need to separate out all of the smaller sections below into their own zones? My full zone of 3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa is successful, but the smaller portions are failing.
I get these successful messages:
Found 1 DS records for 0.0.6.d.7.0.6.2.ip6.arpa in the 0.6.2.ip6.arpa zone
DS=3283/SHA-256 has algorithm ECDSAP256SHA256
Found 1 RRSIGs over DS RRset
RRSIG=42693 and DNSKEY=42693 verifies the DS RRset
Then I see these errors at the dnssec-debugger (in the 0.0.6.d.7.0.6.2.ip6.arpa section):
ns2.itctel.com returns REFUSED for 0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
ns1.itctel.com returns REFUSED for 0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
Failed to get DNSKEY RR set for zone 0.0.6.d.7.0.6.2.ip6.arpa
ns2.itctel.com returns REFUSED for 9.0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
ns1.itctel.com returns REFUSED for 9.0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
ns1.itctel.com returns REFUSED for 0.9.0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
ns2.itctel.com returns REFUSED for 0.9.0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
ns1.itctel.com returns REFUSED for 0.0.9.0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
ns2.itctel.com returns REFUSED for 0.0.9.0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
ns2.itctel.com returns REFUSED for 0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
ns1.itctel.com returns REFUSED for 0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
ns2.itctel.com returns REFUSED for 0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
ns1.itctel.com returns REFUSED for 0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa/DNSKEY
No DS records found for 3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa in the 0.0.6.d.7.0.6.2.ip6.arpa zone
Then the next section is a success again
Found 2 DNSKEY records for 3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa
Found 1 RRSIGs over DNSKEY RRset
DIG successfully returns without error
dig +dnssec 3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa DNSKEY @ns1.itctel.com
; <<>> DiG 9.11.9 <<>> +dnssec 3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa DNSKEY @ns1.itctel.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33233
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 256f28637718668401000000671f8f58815467759394f32c (good)
;; QUESTION SECTION:
;3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa. IN DNSKEY
;; ANSWER SECTION:
3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa. 3600 IN DNSKEY 256 3 13 BCg6PxA7axei2rIO9i7nKcmLR+atxJrNILLYOhxqQjJPHNgB66Llms9G VsHVouZNj2F9FN8r/1yqeGIPaTwwJA==
3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa. 3600 IN DNSKEY 257 3 13 HuSoT3TZwpQphIZOauDjS72tSNZPLMWho9IhgB05xMiRgtTeMi87n+el 2ZAKkwDMkPvdWMIWEdCp1Vh48CyhwQ==
3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa. 3600 IN RRSIG DNSKEY 13 16 3600 20241107184719 20241024174719 14995 3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa. 0MCAIJnPjB/wvq47z7xcY5xejdNOGIRWFL+TYo+kqK1tU1DcUboUZc3b Bkyeaq5g64DiBgJzHwVZuDUtR/l24A==
;; Query time: 2 msec
;; SERVER: 75.102.161.234#53(75.102.161.234)
;; WHEN: Mon Oct 28 08:19:20 CDT 2024
;; MSG SIZE rcvd: 385
I did register the DS record for this block of IPs that matches the zone with ARIN last week.
Network Solutions still does not support AAAA glue records for nameservers, so I am unable to add those.
My configuration is very simple and pretty much follows the bind documentation.
Running BIND 9.18.30
DNSSEC Policy
dnssec-policy "itc-no-rotate" {
keys {
ksk key-directory lifetime unlimited algorithm 13;
zsk key-directory lifetime unlimited algorithm 13;
};
nsec3param;
};
Zone record for this zone
zone "3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa" in {
type master;
file "reverse/2607.d600.9000.300.rev";
dnssec-policy itc-no-rotate;
inline-signing yes;
};
Any idea on what I need to do to resolve this issue?
Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
312 4th Street West * Clear Lake, SD 57226
Phone: (605) 874-8313
michael.martinell at itccoop.com
www.itc-web.com
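The debugger output above walks every nibble-boundary name between the name for which the parent publishes a DS (0.0.6.d.7.0.6.2.ip6.arpa, the /32, found in the 0.6.2.ip6.arpa zone) and the /56 apex the servers answer for, asking each nameserver for DNSKEY at each step. The script below is an added example, not code from the original post or from ISC: it reproduces that walk so the first name at which an authoritative server stops answering NOERROR is visible at a glance. It assumes `dig` is on PATH for live use; the prefixes, the server names and the constructed REFUSED/NOERROR answers used in the offline check are taken from the post, and the walk accepts an injectable query function so it can be exercised without network access.

```python
"""Walk the nibble-boundary names between a parent's ip6.arpa delegation point and
the zone a nameserver actually serves, recording each server's RCODE for DNSKEY.

Added example, not code from the original post. Assumes `dig` is on PATH for live
use; `walk` takes an injectable query function so the logic runs offline with
constructed answers.
"""
import ipaddress
import subprocess


def ip6_arpa_name(prefix: str) -> str:
    """Reverse name for a nibble-aligned IPv6 prefix.

    2607:d600:9000:300::/56 -> 3.0.0.0.0.9.0.0.6.d.7.0.6.2.ip6.arpa
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa cuts fall on nibble boundaries; "
                         "prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def candidate_zones(delegated: str, served: str) -> list:
    """Every nibble-boundary name from the delegated prefix down to the served
    prefix, inclusive. These are the names a validator may treat as zone cuts."""
    d = ipaddress.IPv6Network(delegated, strict=False)
    s = ipaddress.IPv6Network(served, strict=False)
    if not s.subnet_of(d):
        raise ValueError(f"{served} is not inside {delegated}")
    return [ip6_arpa_name(f"{s.network_address}/{k}")
            for k in range(d.prefixlen, s.prefixlen + 1, 4)]


def dig_rcode(name: str, rrtype: str, server: str) -> str:
    """RCODE from dig's header line, or NOANSWER when no reply came back.
    Non-recursive on purpose: we want the server's own authority, not a lookup."""
    proc = subprocess.run(
        ["dig", "+norecurse", "+time=3", "+tries=1", f"@{server}", name, rrtype],
        capture_output=True, text=True, check=False,
    )
    for line in proc.stdout.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            # ';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12345'
            return line.split("status:", 1)[1].split(",", 1)[0].strip()
    return "NOANSWER"


def walk(delegated: str, served: str, servers, query=dig_rcode) -> dict:
    """{name: {server: rcode}} for a DNSKEY query at each candidate zone cut."""
    return {name: {srv: query(name, "DNSKEY", srv) for srv in servers}
            for name in candidate_zones(delegated, served)}


def refused_cuts(report: dict) -> list:
    """Names at which at least one server answered something other than NOERROR."""
    return [name for name, answers in report.items()
            if any(rc != "NOERROR" for rc in answers.values())]


if __name__ == "__main__":
    # Values from the post: the parent publishes a DS for the /32 name,
    # the listed servers host the /56 zone.
    servers = ["ns1.itctel.com", "ns2.itctel.com"]
    report = walk("2607:d600::/32", "2607:d600:9000:300::/56", servers)
    for name, answers in report.items():
        print(f"{name:45} " + "  ".join(f"{s}={rc}" for s, rc in answers.items()))
```

Run it against the live servers and compare the first REFUSED name with the name the parent's DS points at; an authoritative-only BIND answers REFUSED for a non-recursive query on a name it has no zone for, which is exactly the check worth making before deciding whether the registry delegation point and the zone apex coincide.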