<div dir="ltr"><div><div><div><div><div><div><div>Hi Tony, <br><br></div>I've removed the config for managed keys out of my named.conf, moved any files called bind.keys out from my named working directory, and restarted Bind. I see where Bind created to files - managed-keys.bind and managed-keys.bind.jnl. So, I think I'm on the right track. That said, two things:<br><br></div>1) I am still seeing the "no valid signature found" messages in my bind.log. However, <b><i>*I don't think* </i></b> this is a problem because when I query a hostname against my server that produces one of these errors, it still resolves. for instance, <br><br># root@fccore 07:01:07 0 jobs ~ > delv @x.x.x.x <a href="http://ncentral.teklinks.com">ncentral.teklinks.com</a> A +multiline +rtrace<br>;; fetch: <a href="http://ncentral.teklinks.com/A">ncentral.teklinks.com/A</a><br>;; fetch: <a href="http://teklinks.com/DNSKEY">teklinks.com/DNSKEY</a><br>;; fetch: <a href="http://teklinks.com/DS">teklinks.com/DS</a><br>;; fetch: com/DNSKEY<br>;; fetch: com/DS<br>;; fetch: ./DNSKEY<br>;; fetch: <a href="http://teklinks.com.dlv.isc.org/DLV">teklinks.com.dlv.isc.org/DLV</a><br>;; fetch: <a href="http://dlv.isc.org/DNSKEY">dlv.isc.org/DNSKEY</a><br>;; validating <a href="http://ncentral.teklinks.com/A">ncentral.teklinks.com/A</a>: no valid signature found<br>; unsigned answer<br><a href="http://ncentral.teklinks.com">ncentral.teklinks.com</a>. 2482 IN A 104.245.194.14<br><a href="http://ncentral.teklinks.com">ncentral.teklinks.com</a>. 2482 IN RRSIG A 5 3 43200 (<br> 20180915012340 20180816012340 46266 <a href="http://teklinks.com">teklinks.com</a>.<br> k2Q0WFrwuC8ouvapXp8XIgTznwJ3VS1Ag+b8/8ajSKBe<br> 6qLal+hYqc96WmIfYvz1fkM5Oze+WXZifeohO7ZEwlLn<br> 8RJCXlGEEtgZ6Phr44fBbjHg7wAGxaG0KLw3JNJJVDWq<br> 48/sB7Qftat8Hp1M/56qi6OjI22bbyBA8nYQ03kc84c6<br> MjCBSJfrum78AJXMFD69wXERDz6GCcaLgL3jJlIH9vZg<br> mB5EquQtZmxU/6izQJGqZs3Ht+3NkhcKYnqpRFyHrEmo<br> VPqiuEBmGhVyJJChLpbLvOwFvjTZEaedoMXv5pQ8Ys9d<br> sg4y1gokR+HXkeTKHr8RWayElh8gu5QKoQ== )<br><br><br></div>So, I can see here that it still resolves BUT something fails to validate a signature. Where is the breakdown here? It was able to fetch the DHSKEY for <a href="http://teklinks.com">teklinks.com</a>:<br><br>;; fetch: <a href="http://teklinks.com/DNSKEY">teklinks.com/DNSKEY</a><br><br></div>but not <a href="http://ncentral.teklinks.com">ncentral.teklinks.com</a>:<br><br>;; validating <a href="http://ncentral.teklinks.com/A">ncentral.teklinks.com/A</a>: no valid signature found<br><br></div>Shouldn't this validate? I mean, if <a href="http://teklinks.com">teklinks.com</a> can validate, shouldn't the stub "ncentral" as well, since its in the zonefile? What am I missing here?<br><br><br><br></div>2) There is one other scenario that confuses me. When I test against a URL that's purposely setup to fail dnssec, I get a servfail. <br><br>root@fccore 07:14:57 0 jobs ~ > delv @x.x.x.x <a href="http://www.dnssec-failed.org">www.dnssec-failed.org</a> A +multiline +rtrace<br>;; fetch: <a href="http://www.dnssec-failed.org/A">www.dnssec-failed.org/A</a><br>;; resolution failed: SERVFAIL<br><br></div>So, what's the difference here and with the scenario above in #1? My concern is that our customers will get servfails when they try to access sites like this one. <br><div><br><br><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Aug 23, 2018 at 6:33 AM Tony Finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">project722 <<a href="mailto:project722@gmail.com" target="_blank">project722@gmail.com</a>> wrote:<br>
><br>
> In my named.conf I changed:<br>
><br>
> dnssec-validation yes;<br>
><br>
> to<br>
><br>
> dnssec-validation auto;<br>
<br>
Good :-)<br>
<br>
Next thing to do is delete all trace of managed-keys or mkeys files or<br>
trusted-keys configuration, then restart `named`. It will automatically<br>
create managed-keys files with the correct contents - it has the current<br>
root KSKs built in, so you don't need the bind.keys file.<br>
<br>
Tony.<br>
-- <br>
f.anthony.n.finch <<a href="mailto:dot@dotat.at" target="_blank">dot@dotat.at</a>> <a href="http://dotat.at/" rel="noreferrer" target="_blank">http://dotat.at/</a><br>
South Fitzroy: Northerly or northeasterly 5 or 6. Slight or moderate.<br>
Occasional drizzle. Good, occasionally poor at first.<br>
</blockquote></div>