<div dir="ltr">Hi Mark,<div><br></div><div>I think I found the problem. Seems Webmin's code for handling the signing wasn't dealing with NSEC3PARAM records properly. Essentially when merging the signed records back into the original host file it was only putting NSEC, NSEC3 and RRSIG. It wasn't handling NSEC3PARAM at all. The zones that were "working" were using a different algorithm and so it didn't mismanage those.</div><div><br></div><div>Sorry for troubling you. However, your information did help me locate the problem.</div><div><br></div><div>Thanks</div><div><br></div><div>Jay </div></div><div class="gmail_extra"><br><div class="gmail_quote">On 31 March 2017 at 00:17, J T <span dir="ltr"><<a href="mailto:jt4websites@gmail.com" target="_blank">jt4websites@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Please ignore the * in the copy-pasted records. It seems the list converts color text to be *TEXT* hehe  </div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 31 March 2017 at 00:11, J T <span dir="ltr"><<a href="mailto:jt4websites@gmail.com" target="_blank">jt4websites@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Mark,<div><br></div><div>Thank you for responding. What do you mean by zone apex? 
</div><div><br></div><div>If we assume one of the domains that fails to be seen as signed is "<a href="http://example.co.uk" target="_blank">example.co.uk</a>" then would the apex be the domain name with no prefixes?</div><div><br></div><div>I've changed the domain name but this is part of what I have in my signed zone file for one of the zones that fails to be recognised as signed (after the signing process).</div><div><br></div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures"><a href="http://example.co.uk" target="_blank">example.co.uk</a>.<span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">  </span>IN<span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">     </span>RRSIG<span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">  </span></span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(171,30,14)"><b>NSEC</b></span><span style="font-variant-ligatures:no-common-ligatures">3PARAM 7 3 0 20170429213251 20170330213251 39233 <a href="http://example.co.uk" target="_blank">example.co.uk</a>.  
T1VK1lrlk+4++3Nr7WlS3CeJISCPof<wbr>Uuo799 S8wKrLG5UngbzRty1DQ2q6uPkiIVoq<wbr>tuZJdd IklQIZxrCXt1NGSq8yQ4sNodVHMH90<wbr>dvYQtY UkViTVIqX15bcY/rLIwOXjrkfz6BB9<wbr>oavzPZ cuycGR0zd76sgslFJNAZt8hv7XhXxn<wbr>P94Ke7 VkxCsdpIT98WMrk6eBEtL76VTm855O<wbr>2X/lw2 yQdLerE578rZSmOc4K6NKxqeAwVN9k<wbr>tB9DnK ugTJmZVIeF/IPcJzeOpNUHA8QkS/db<wbr>NqZ5Po 6CIpTzHospp6xHyBJ8V8GK5PSNLtiP<wbr>aIHIkE 0C1LgiBLv7e4Hiejq2ZOrIiJAtMILi<wbr>T95YcT n5LJaQkSsbNlS96nSmyE49iUMM4lWw<wbr>Oji3HG +oLdGdRSwO+1ySyN4XyY2yIfAF+8oK<wbr>sjHLyJ zeMhRqHI3kE0+zbtsw7sjQveNzpCxW<wbr>7reIa+ XlDjX1SkYXucG/f7BPxYSBCf4Qf0wZ<wbr>gGFC9h oSPZFNsIpDYJnG3kiwPdXr5dDwKJyh<wbr>X2iBQT jb9omapnn6YBSN0xNnFwBZ5UqBNAku<wbr>OH4jQA CXSQW390CoKPt/gCQfdMkEEFd7dgsL<wbr>eBQI36 ABsH1DQtxFqCjCdGK5gFmeKNGvzJPn<wbr>NlT+++ Xy8VoMXX7xlM4qkSDwRjee8hT3s9Ob<wbr>LxWKI=</span></p></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div>and</div><div><br></div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures"><a href="http://example.co.uk" target="_blank">example.co.uk</a>.   IN      DNSKEY  257 3 7 AwEAAbZFkjq1Q+7Z67VNF3DkvwZTFF<wbr>K+sgM+2H+xFqkpyeHQoLmsSAWj BoulxcEIVenvY/X8fFvHk4yemA0z9D<wbr>WpVEL9//zGtIVInJqRzzVlx7QQ RWDuYqya+U6YpzYkYX0DspOyzFFswt<wbr>MclF0ktmFB7XOSEmy70OfJL4Oy p4GI5wT8M26bQmDQ6w+UcHUO7M8ciF<wbr>6qJ5JP68O34BlmUq7gGm1DlqVK o1puldx22djX8GqvqhJjPaV5OHOXn4<wbr>C5axR0IXiz9C39t1mjAkfxlHJW kshl+ENmdyyI6hw1vOqLHRmGlDQnL2<wbr>wdvwerYGfLUAAEYx7+n9v+Ubec J83SBt90g5OGyT0JH2BTe5IaQeU8+O<wbr>wQ97P0dRc3yIbGI9e0RSQuE1Zy 0YUHsIiHpTXrr16vBV97FPLzKGxV0i<wbr>7AM15JoSCauUyr0DNA391pxVDd HOeyqpxxV69jNWKcdPV7KJFBSEGI3U<wbr>thp8uzNRepdJolg0qxNZy8n5tx 4sWIGAF2pqLFPZDLPa6yrFazq85Jwh<wbr>YmeqtiR1YXdsxHnR+My714mApl TiUD4EPP2ylbXeKvsOEWU0NwoAXf92<wbr>uaSj9C8hH/JIboPDSk1/Y6uv5l YufyA6f3UFbZPAeqlp2OifE9t0nCqf<wbr>i43Od70qyvPULqo7S7gtpq6nWA fqSDCTGxBwOVthD9</span></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures"><a href="http://example.co.uk" target="_blank">example.co.uk</a>.   IN      DNSKEY  256 3 7 AwEAAcqXsmOpeTwLI6ikMgz8JZWddU<wbr>aKjcX+BpCtbkB9pmngl2JugzoQ iW+NGcYgLjKkpPHxsHDPBBbfrFTy0l<wbr>+htYyi6tudAjlNOju+tvMDB4VC 86aC100XcSF/h1eSqPxPZz4CjdeBI8<wbr>x/ahbh7bKHILnokb2mK9CLpZ2w j4UbCkXu8Of3WWamU3uAEnQ6Lm1xZ8<wbr>HHxf86S5ev0e+bSm+JTkJVdk12 8iIBu6t9lWpYeSemtxHfLhK0Pm1evn<wbr>HFpr17Sk9/yt5gUZkTd0d9nazT GsUNjbgdyr943K05wAs5EEgqEIp5eI<wbr>9zcJ1QeeXBG+co5grBa6Leq3Pm zcqxwtzuB2VDRKr9P34tT5n5OY2jg+<wbr>B98ERd3TiLJTF+wd5Pa5n+lVXt nkAODvfYv+xlEgUqfnIxEfNc7aQKXw<wbr>WaLBW1Hx25aobsXJ+vrdhE+sqd Jbzjr8p+EG8ZS8gJ9c4B+snMOYwns7<wbr>hVAATX/3K3XwJUcdGQoynm20iV acDErzZRzHqW+XNtU5EnBjpdzK+Lz0<wbr>wH63yXRIOd09ap6XACkRH1ApNo syOFdEVwEgTJEPvavu6FH6YR6iHmVR<wbr>+YqblSBOCP5jfdIVmHm+MfihJs 3whGNAo9XPFEYg+M6vJ8e04zMD17mW<wbr>L4w/lilhLy1CbuzU2Bw1yniFRI P9mvO7K0z/mrPxWn</span></p></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div>I compared it with the one of the zones that is recognised as signed and I see the following there:</div><div><br></div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures">workingexample.email.<span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>38400<span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">  </span></span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(171,30,14)"><b>IN<span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>NSEC</b></span><span 
style="font-variant-ligatures:no-common-ligatures"><span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">   </span>_dmarc.workingexample.email. A NS SOA MX TXT AAAA SSHFP RRSIG NSEC DNSKEY SPF</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures">workingexample.email.<span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">      </span></span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(171,30,14)"><b>IN<span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>DNSKEY</b></span><span style="font-variant-ligatures:no-common-ligatures"><span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>257 3 8 AwEAAeLetJzQo74Zi/qXJjF4JoF37q<wbr>u0rXTWQzn7yUC058w76SrPVV4a hZIPI9oBNcWn5yeP6qR/bIkBM1OKfP<wbr>0qGgLRyLAZPdsB36q1BnEfLrbi trZmlGY8+AnUxjpPbEscT/g47UJiN9<wbr>exBs0wAPdwwTRypYwBOVzP7cRP TiPf0QlMslMrgd9lpFhFQblj97sZiV<wbr>TZCyJM2FhKo3bdwDpde6fkJV0I Ilrj3X47hJMFwW3UbA+H8UE/8jWrhr<wbr>mSPi5b/uxbMY9qkOeaFm/LexC6 tr89pCesYrnIqceQTsvJl7+HOB1WNz<wbr>W4vkC0idzo1kq65Woo8FOvzM7x HukCPrlyWvc=</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures">
</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures">workingexample.email.<span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">        </span></span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(171,30,14)"><b>IN<span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>DNSKEY</b></span><span style="font-variant-ligatures:no-common-ligatures"><span class="m_5807170317622237966m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>256 3 8 AwEAAbCKGjHIFvhlPpVeReXSDymlwl<wbr>yeHwejRF0vBp7GTdFv2qCRI1Wc 9GDhVuUWmBv9gxynqQgf4K460RMia1<wbr>ElZjOFQUZwB4i/OgvfAedEdjov r+G7fHt45FShmR5WLuPOP1EGvJAki1<wbr>8rJgZL99PY4bAqq+s7Ut/SCmAs gKsy1WkL0cfEyl4qWPDv5YRbM4NBCZ<wbr>UZfO7nzmjuvIY+rlGEC00=</span></p></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures:no-common-ligatures">So, it would appear that no 'IN NSEC' or 'IN NSEC3PARAM' is being added when the '</span><span style="color:rgb(0,0,0);font-family:menlo;font-size:11px;background-color:rgba(207,207,207,0.521569)"><a href="http://example.co.uk" target="_blank">example.co.uk</a>'</span> is signed.</div><div><br></div><div>As far as I can tell no error was reported during the signing process for <span style="color:rgb(0,0,0);font-family:menlo;font-size:11px;background-color:rgba(207,207,207,0.521569)"><a href="http://example.co.uk" target="_blank">example.co.uk</a></span>  - do you have any suggestions as to what might stop the signing tool from adding the 'IN NSEC' or 'IN NSEC3PARAM' records?</div><div><br></div><div>Jay</div></div><div class="m_5807170317622237966HOEnZb"><div class="m_5807170317622237966h5"><div class="gmail_extra"><br><div 
class="gmail_quote">On 30 March 2017 at 23:02, Mark Andrews <span dir="ltr"><<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
In message <CAB=<a href="mailto:ej3rXb-%2BUkwyT8RoURszF70Gi76ksj7Uk6uuvqF5pUG3Dwg@mail.gmail.com" target="_blank">ej3rXb-+UkwyT8RoURszF70Gi<wbr>76ksj7Uk6uuvqF5pUG3Dwg@mail.gm<wbr>ail.com</a>>, J T writes:<br>
<span>> Hi,<br>
><br>
> I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .<a href="http://co.uk" rel="noreferrer" target="_blank">co.uk</a> ).<br>
><br>
> I used Webmin to do the heavy lifting of signing/resigning etc.<br>
><br>
> Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on<br>
> restart/zone application and that fact is reported in the system logs.<br>
><br>
> I’m trying to work out why 3 are failing to be recognised as Signed.<br>
><br>
> No errors are reported as part of the signing process. The zonefiles<br>
> appear to have loads of DNSSEC related resource records.<br>
><br>
> e.g.<br>
><br>
</span>>    - RRSIG (digital signature)<br>
>    - DNSKEY (public key)<br>
>    - DS (parent-child)<br>
>    - NSEC (proof of nonexistence)<br>
>    - NSEC3 (proof of nonexistence)<br>
>    - NSEC3PARAM (proof of nonexistence)<br>
<span>><br>
> and the parent registrar has had DS records added.<br>
><br>
> As bind is not flagging the zone as signed it's not returning RRSIGs in the<br>
> Answer section of a query ( although they are provided in the Additional<br>
> section ).<br>
><br>
> I’m not really sure what the criterion is for bind to decide a zone is<br>
> signed.<br>
<br>
</span>For a zone to be treated as secure (signed) there needs to be an<br>
NSEC record at the zone apex or an NSEC3PARAM record at the zone<br>
apex.  There also needs to be a DNSKEY RRset containing a zone key.<br>
<br>
While named is in the process of signing a zone initially, these<br>
conditions are not met.  The last stage of initial signing is to<br>
add the NSEC record to the apex or to add the NSEC3PARAM record.<br>
<br>
The first stage of going insecure is to remove the NSEC/NSEC3PARAM<br>
record at the zone apex.<br>
<div class="m_5807170317622237966m_3524869782085857115HOEnZb"><div class="m_5807170317622237966m_3524869782085857115h5"><br>
> The same process is being used to sign/resign the 5 zones but only 2 are<br>
> flagged as signed.<br>
><br>
> Any tips on how to debug this would be appreciated.<br>
><br>
> Thanks,<br>
><br>
> Jay<br>
<br>
</div></div><span class="m_5807170317622237966m_3524869782085857115HOEnZb"><font color="#888888">--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: <a href="tel:%2B61%202%209871%204742" value="+61298714742" target="_blank">+61 2 9871 4742</a>                 INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
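<p>The check below is an added example, not code from this thread, from Webmin or from BIND. It applies the criterion Mark states (an NSEC or NSEC3PARAM record at the zone apex plus a DNSKEY RRset containing a zone key) to zone text, and reproduces Jay's finding by merging a signer's output back into an unsigned zone once with the record-type set he describes (NSEC, NSEC3, RRSIG) and once with NSEC3PARAM included. The zone records, key and signature fields are constructed placeholders; the merge function is an illustration of the step described, not Webmin's code.</p>

```python
"""Check whether a zone file meets BIND's criterion for a signed zone.

Added example, not code from the thread, from Webmin or from BIND. It
applies the rule given in the thread: an NSEC or NSEC3PARAM record at
the zone apex plus a DNSKEY RRset containing a zone key (ZONE flag,
RFC 4034 section 2.1.1, so a flags field of 256 or 257). The zone text
and the merge function are constructed to reproduce the reported bug.
"""

_CLASSES = {"IN", "CH", "HS"}
ZONE_KEY_FLAG = 0x100  # bit 7 of the DNSKEY flags field


def parse_zone(text):
    """Parse one-record-per-line zone text into (owner, type, rdata) tuples.

    An optional TTL and class between owner and type are skipped, as are
    comments and blank lines. $-directives, '@' owners and multi-line
    parentheses are not handled; dnssec-signzone output does not need them.
    """
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].isdigit():      # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in _CLASSES:
            rest = rest[1:]
        if rest:
            records.append((owner, rest[0].upper(), rest[1:]))
    return records


def apex_of(records):
    """The zone apex is the owner name of the SOA record."""
    for owner, rtype, _ in records:
        if rtype == "SOA":
            return owner
    raise ValueError("zone has no SOA record")


def signed_status(text):
    """Return (is_signed, reasons) following the criterion from the thread."""
    records = parse_zone(text)
    apex = apex_of(records)
    apex_types = {rtype for owner, rtype, _ in records if owner == apex}
    has_zone_key = any(
        owner == apex and rtype == "DNSKEY" and int(rdata[0]) & ZONE_KEY_FLAG
        for owner, rtype, rdata in records
    )
    reasons = []
    if not apex_types & {"NSEC", "NSEC3PARAM"}:
        reasons.append("no NSEC or NSEC3PARAM record at apex " + apex)
    if not has_zone_key:
        reasons.append("no DNSKEY with the ZONE flag at apex " + apex)
    return (not reasons, reasons)


def merge_signed_records(original, signer_output, keep_types):
    """Append records of the given types from the signer's output to the
    original zone text: an illustration of the merge step described in
    the thread, not Webmin's own code."""
    extra = []
    for line in signer_output.splitlines():
        parsed = parse_zone(line)
        if parsed and parsed[0][1] in keep_types:
            extra.append(line)
    return original.rstrip("\n") + "\n" + "\n".join(extra) + "\n"


# Constructed sample data; key and signature fields are placeholders.
UNSIGNED_ZONE = """\
example.co.uk.     IN SOA    ns1.example.co.uk. hostmaster.example.co.uk. 2017033001 3600 900 1209600 300
example.co.uk.     IN NS     ns1.example.co.uk.
example.co.uk.     IN DNSKEY 257 3 7 AwEAAplaceholderKSK==
example.co.uk.     IN DNSKEY 256 3 7 AwEAAplaceholderZSK==
ns1.example.co.uk. IN A      192.0.2.1
"""

# What an NSEC3 signer adds: NSEC3PARAM at the apex, the NSEC3 chain, RRSIGs.
SIGNER_OUTPUT = """\
example.co.uk.     IN NSEC3PARAM 1 0 10 ABCDEF
example.co.uk.     IN RRSIG  NSEC3PARAM 7 3 0 20170429213251 20170330213251 39233 example.co.uk. placeholderSig==
example.co.uk.     IN RRSIG  SOA 7 3 86400 20170429213251 20170330213251 39233 example.co.uk. placeholderSig==
abcdefghijklmnopqrstuvwxyz012345.example.co.uk. IN NSEC3 1 1 10 ABCDEF abcdefghijklmnopqrstuvwxyz012346 NS SOA RRSIG DNSKEY NSEC3PARAM
"""

DESCRIBED_MERGE_TYPES = {"NSEC", "NSEC3", "RRSIG"}        # the set named in the thread
FIXED_MERGE_TYPES = DESCRIBED_MERGE_TYPES | {"NSEC3PARAM"}


def demo():
    """Merge with and without NSEC3PARAM and report what BIND would conclude."""
    broken = merge_signed_records(UNSIGNED_ZONE, SIGNER_OUTPUT, DESCRIBED_MERGE_TYPES)
    fixed = merge_signed_records(UNSIGNED_ZONE, SIGNER_OUTPUT, FIXED_MERGE_TYPES)
    return signed_status(broken), signed_status(fixed)


if __name__ == "__main__":
    for label, status in zip(("NSEC3PARAM dropped", "NSEC3PARAM kept"), demo()):
        print(label, "->", "signed" if status[0] else "not signed", status[1])
```

<p>With the three-type set the merged zone carries RRSIG and NSEC3 records but nothing at the apex that marks it as signed, which is exactly the symptom in the thread: BIND loads the zone, does not flag it as signed, and the RRSIGs in the file go unused in answers. An NSEC-signed zone passes because NSEC sits at the apex whichever set is used, which is why the zones signed with a different algorithm appeared to work.</p>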