<div dir="ltr">Please ignore the * in the copy pasted records. It seems the list converts color text to be *TEXT* hehe  </div><div class="gmail_extra"><br><div class="gmail_quote">On 31 March 2017 at 00:11, J T <span dir="ltr"><<a href="mailto:jt4websites@gmail.com" target="_blank">jt4websites@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Mark,<div><br></div><div>Thank you for responding. What do you mean by zone apex? </div><div><br></div><div>If we assume one of the domains that fails to be seen as signed is "<a href="http://example.co.uk" target="_blank">example.co.uk</a>" then would the apex be the domain name with no prefixes ?</div><div><br></div><div>I've changed the domain name but this is part of what I have in my signed zone file for one of the zones that fails to be recognised as signed ( after the signing process).</div><div><br></div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures"><a href="http://example.co.uk" target="_blank">example.co.uk</a>.<span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>IN<span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">  </span>RRSIG<span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">       </span></span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(171,30,14)"><b>NSEC</b></span><span style="font-variant-ligatures:no-common-ligatures">3PARAM 7 3 0 20170429213251 20170330213251 39233 <a href="http://example.co.uk" target="_blank">example.co.uk</a>.  
T1VK1lrlk+4++<wbr>3Nr7WlS3CeJISCPofUuo799 S8wKrLG5UngbzRty1DQ2q6uPkiIVoq<wbr>tuZJdd IklQIZxrCXt1NGSq8yQ4sNodVHMH90<wbr>dvYQtY UkViTVIqX15bcY/<wbr>rLIwOXjrkfz6BB9oavzPZ cuycGR0zd76sgslFJNAZt8hv7XhXxn<wbr>P94Ke7 VkxCsdpIT98WMrk6eBEtL76VTm855O<wbr>2X/lw2 yQdLerE578rZSmOc4K6NKxqeAwVN9k<wbr>tB9DnK ugTJmZVIeF/IPcJzeOpNUHA8QkS/<wbr>dbNqZ5Po 6CIpTzHospp6xHyBJ8V8GK5PSNLtiP<wbr>aIHIkE 0C1LgiBLv7e4Hiejq2ZOrIiJAtMILi<wbr>T95YcT n5LJaQkSsbNlS96nSmyE49iUMM4lWw<wbr>Oji3HG +oLdGdRSwO+1ySyN4XyY2yIfAF+<wbr>8oKsjHLyJ zeMhRqHI3kE0+<wbr>zbtsw7sjQveNzpCxW7reIa+ XlDjX1SkYXucG/<wbr>f7BPxYSBCf4Qf0wZgGFC9h oSPZFNsIpDYJnG3kiwPdXr5dDwKJyh<wbr>X2iBQT jb9omapnn6YBSN0xNnFwBZ5UqBNAku<wbr>OH4jQA CXSQW390CoKPt/<wbr>gCQfdMkEEFd7dgsLeBQI36 ABsH1DQtxFqCjCdGK5gFmeKNGvzJPn<wbr>NlT+++ Xy8VoMXX7xlM4qkSDwRjee8hT3s9Ob<wbr>LxWKI=</span></p></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div>and</div><div><br></div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures"><a href="http://example.co.uk" target="_blank">example.co.uk</a>.   
IN      DNSKEY  257 3 7 AwEAAbZFkjq1Q+<wbr>7Z67VNF3DkvwZTFFK+sgM+2H+<wbr>xFqkpyeHQoLmsSAWj BoulxcEIVenvY/<wbr>X8fFvHk4yemA0z9DWpVEL9//<wbr>zGtIVInJqRzzVlx7QQ RWDuYqya+<wbr>U6YpzYkYX0DspOyzFFswtMclF0ktmF<wbr>B7XOSEmy70OfJL4Oy p4GI5wT8M26bQmDQ6w+<wbr>UcHUO7M8ciF6qJ5JP68O34BlmUq7gG<wbr>m1DlqVK o1puldx22djX8GqvqhJjPaV5OHOXn4<wbr>C5axR0IXiz9C39t1mjAkfxlHJW kshl+<wbr>ENmdyyI6hw1vOqLHRmGlDQnL2wdvwe<wbr>rYGfLUAAEYx7+n9v+Ubec J83SBt90g5OGyT0JH2BTe5IaQeU8+<wbr>OwQ97P0dRc3yIbGI9e0RSQuE1Zy 0YUHsIiHpTXrr16vBV97FPLzKGxV0i<wbr>7AM15JoSCauUyr0DNA391pxVDd HOeyqpxxV69jNWKcdPV7KJFBSEGI3U<wbr>thp8uzNRepdJolg0qxNZy8n5tx 4sWIGAF2pqLFPZDLPa6yrFazq85Jwh<wbr>YmeqtiR1YXdsxHnR+My714mApl TiUD4EPP2ylbXeKvsOEWU0NwoAXf92<wbr>uaSj9C8hH/JIboPDSk1/Y6uv5l YufyA6f3UFbZPAeqlp2OifE9t0nCqf<wbr>i43Od70qyvPULqo7S7gtpq6nWA fqSDCTGxBwOVthD9</span></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures"><a href="http://example.co.uk" target="_blank">example.co.uk</a>.   IN      DNSKEY  256 3 7 AwEAAcqXsmOpeTwLI6ikMgz8JZWddU<wbr>aKjcX+BpCtbkB9pmngl2JugzoQ iW+<wbr>NGcYgLjKkpPHxsHDPBBbfrFTy0l+<wbr>htYyi6tudAjlNOju+tvMDB4VC 86aC100XcSF/<wbr>h1eSqPxPZz4CjdeBI8x/<wbr>ahbh7bKHILnokb2mK9CLpZ2w j4UbCkXu8Of3WWamU3uAEnQ6Lm1xZ8<wbr>HHxf86S5ev0e+bSm+JTkJVdk12 8iIBu6t9lWpYeSemtxHfLhK0Pm1evn<wbr>HFpr17Sk9/yt5gUZkTd0d9nazT GsUNjbgdyr943K05wAs5EEgqEIp5eI<wbr>9zcJ1QeeXBG+co5grBa6Leq3Pm zcqxwtzuB2VDRKr9P34tT5n5OY2jg+<wbr>B98ERd3TiLJTF+wd5Pa5n+lVXt nkAODvfYv+<wbr>xlEgUqfnIxEfNc7aQKXwWaLBW1Hx25<wbr>aobsXJ+vrdhE+sqd Jbzjr8p+EG8ZS8gJ9c4B+<wbr>snMOYwns7hVAATX/<wbr>3K3XwJUcdGQoynm20iV acDErzZRzHqW+XNtU5EnBjpdzK+<wbr>Lz0wH63yXRIOd09ap6XACkRH1ApNo syOFdEVwEgTJEPvavu6FH6YR6iHmVR<wbr>+YqblSBOCP5jfdIVmHm+MfihJs 3whGNAo9XPFEYg+<wbr>M6vJ8e04zMD17mWL4w/<wbr>lilhLy1CbuzU2Bw1yniFRI P9mvO7K0z/mrPxWn</span></p></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div>I compared it with the one of the zones that is recognised as signed and I see the following there:</div><div><br></div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures">workingexample.email.<span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>38400<span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">       </span></span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(171,30,14)"><b>IN<span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>NSEC</b></span><span style="font-variant-ligatures:no-common-ligatures"><span 
class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">        </span>_dmarc.workingexample.email. A NS SOA MX TXT AAAA SSHFP RRSIG NSEC DNSKEY SPF</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures">workingexample.email.<span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">   </span></span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(171,30,14)"><b>IN<span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>DNSKEY</b></span><span style="font-variant-ligatures:no-common-ligatures"><span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>257 3 8 AwEAAeLetJzQo74Zi/<wbr>qXJjF4JoF37qu0rXTWQzn7yUC058w7<wbr>6SrPVV4a hZIPI9oBNcWn5yeP6qR/<wbr>bIkBM1OKfP0qGgLRyLAZPdsB36q1Bn<wbr>EfLrbi trZmlGY8+AnUxjpPbEscT/<wbr>g47UJiN9exBs0wAPdwwTRypYwBOVzP<wbr>7cRP TiPf0QlMslMrgd9lpFhFQblj97sZiV<wbr>TZCyJM2FhKo3bdwDpde6fkJV0I Ilrj3X47hJMFwW3UbA+H8UE/<wbr>8jWrhrmSPi5b/uxbMY9qkOeaFm/<wbr>LexC6 tr89pCesYrnIqceQTsvJl7+<wbr>HOB1WNzW4vkC0idzo1kq65Woo8FOvz<wbr>M7x HukCPrlyWvc=</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures">
</span></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:menlo;color:rgb(0,0,0);background-color:rgba(207,207,207,0.521569)"><span style="font-variant-ligatures:no-common-ligatures">workingexample.email.<span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">     </span></span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(171,30,14)"><b>IN<span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>DNSKEY</b></span><span style="font-variant-ligatures:no-common-ligatures"><span class="m_3524869782085857115gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>256 3 8 AwEAAbCKGjHIFvhlPpVeReXSDymlwl<wbr>yeHwejRF0vBp7GTdFv2qCRI1Wc 9GDhVuUWmBv9gxynqQgf4K460RMia1<wbr>ElZjOFQUZwB4i/OgvfAedEdjov r+<wbr>G7fHt45FShmR5WLuPOP1EGvJAki18r<wbr>JgZL99PY4bAqq+s7Ut/SCmAs gKsy1WkL0cfEyl4qWPDv5YRbM4NBCZ<wbr>UZfO7nzmjuvIY+rlGEC00=</span></p></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures:no-common-ligatures">So, it would appear that no 'IN NSEC' or 'IN NSEC3PARAM' is being added when the '</span><span style="color:rgb(0,0,0);font-family:menlo;font-size:11px;background-color:rgba(207,207,207,0.521569)"><a href="http://example.co.uk" target="_blank">example.co.uk</a>'</span> is signed.</div><div><br></div><div>As far as I can tell no error was reported during the signing process for <span style="color:rgb(0,0,0);font-family:menlo;font-size:11px;background-color:rgba(207,207,207,0.521569)"><a href="http://example.co.uk" target="_blank">example.co.uk</a></span>  - do you have any suggestions as to what might stop the signing tool from adding the 'IN NSEC' or 'IN NSEC3PARAM' records ?</div><div><br></div><div>Jay</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 30 March 2017 at 23:02, Mark Andrews <span dir="ltr"><<a href="mailto:marka@isc.org" 
target="_blank">marka@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
In message <CAB=<a href="mailto:ej3rXb-%2BUkwyT8RoURszF70Gi76ksj7Uk6uuvqF5pUG3Dwg@mail.gmail.com" target="_blank">ej3rXb-+UkwyT8RoURszF70Gi<wbr>76ksj7Uk6uuvqF5pUG3Dwg@mail.<wbr>gmail.com</a>>, J T writes:<br>
<span>> Hi,<br>
><br>
> I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .<a href="http://co.uk" rel="noreferrer" target="_blank">co.uk</a> ).<br>
><br>
> I used Webmin to do the heavy lifting of signing/resigning etc.<br>
><br>
> Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on<br>
> restart/zone application and that fact is reported in the system logs.<br>
><br>
> I’m trying to work out why 3 are failing to be recognised as Signed.<br>
><br>
> No errors are reported as part of the signing process. The zonefiles<br>
> appear to have loads of DNSSEC related resource records.<br>
><br>
> e.g.<br>
><br>
</span>>    - RRSIG (digital signature)<br>
>    - DNSKEY (public key)<br>
>    - DS (parent-child)<br>
>    - NSEC (proof of nonexistence)<br>
>    - NSEC3 (proof of nonexistence)<br>
>    - NSEC3PARAM (proof of nonexistence)<br>
<span>><br>
> and the parent registrar has had DS records added.<br>
><br>
> As bind is not flagging the zone as signed it's not returning RRSIGs in the<br>
> Answer section of a query ( although they are provided in the Additional<br>
> section ).<br>
><br>
> I’m not really sure what the criteria are for bind to decide a zone is<br>
> signed.<br>
<br>
</span>For a zone to be treated as secure (signed) there needs to be an<br>
NSEC record at the zone apex or an NSEC3PARAM record at the zone<br>
apex.  There also needs to be a DNSKEY RRset containing a zone key.<br>
<br>
While named is in the process of signing a zone initially these<br>
conditions are not met.  The last stage of initial signing is to<br>
add the NSEC record to the apex or to add the NSEC3PARAM record.<br>
<br>
The first stage of going insecure is to remove the NSEC/NSEC3PARAM<br>
record at the zone apex.<br>
<div class="m_3524869782085857115HOEnZb"><div class="m_3524869782085857115h5"><br>
> The same process is being used to sign/resign the 5 zones but only 2 are<br>
> flagged as signed.<br>
><br>
> Any tips on how to debug this would be appreciated.<br>
><br>
> Thanks,<br>
><br>
> Jay<br>
<br>
</div></div><span class="m_3524869782085857115HOEnZb"><font color="#888888">--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: <a href="tel:%2B61%202%209871%204742" value="+61298714742" target="_blank">+61 2 9871 4742</a>                 INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>