<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-forward-container">
<p>Dear All,</p>
<p>In the past three days I have just made our domain DNSSEC
signed. However, I seem to be missing something.</p>
<p>When I query other DNS servers, like CloudFlare 1.0.0.1, I get
the "ad" flag.</p>
<p>But in my own domain, and my own domain servers, the "ad" flag
is still missing:</p>
<p>root@domac:/var/cache/bind# dig -u @161.53.235.3 domac.alu.hr a
+dnssec +multiline<br>
<br>
<font face="monospace">; <<>> DiG
9.11.5-P4-5.1+deb10u7-Debian <<>> -u @161.53.235.3
domac.alu.hr a +dnssec +multiline<br>
; (1 server found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 5934<br>
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0,
ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 1232<br>
; COOKIE: 172503ebbe7de24201000000628512077e46d89b4369e3dd
(good)<br>
;; QUESTION SECTION:<br>
;domac.alu.hr. IN A<br>
<br>
;; ANSWER SECTION:<br>
domac.alu.hr. 86400 IN A 161.53.235.3<br>
domac.alu.hr. 86400 IN RRSIG A 8 3 86400 (<br>
20220615102400 20220516102400
46119 alu.hr.<br>
tHS58DiuHm0BTCbpyR7k9G9YRtl0iG03Sl5YBK55tBQF<br>
MqR5Bdk9t0Gz8HTFvqYd2kO7jHVRP5hBsMpETXo1PTWa<br>
FYq5WAd4NW+qNJg2giVp04ZC0agS+rPaCQZgeUXuneUk<br>
5wle1qc5GF+R3E8rheTioWPJLw+L2V/n39LYOlQ= )<br>
<br>
;; Query time: 189 usec<br>
;; SERVER: 161.53.235.3#53(161.53.235.3)<br>
;; WHEN: Wed May 18 17:34:31 CEST 2022<br>
;; MSG SIZE rcvd: 251<br>
<br>
root@domac:/var/cache/bind#<br>
</font></p>
<p>Can you please help?</p>
<p>Thank you very much.<br>
</p>
<p>Kind regards,<br>
Mirsad<br>
</p>
<div class="moz-cite-prefix">On 5/18/2022 4:14 PM, Mirsad Goran
Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8f80eb65-1085-6388-b051-d2b327c2f636@alu.hr">
<p>Dear Sir or Madam,</p>
<p>According to this article: <a moz-do-not-send="true"
href="https://www.cloudflare.com/dns/dnssec/how-dnssec-works/"
class="moz-txt-link-freetext">https://www.cloudflare.com/dns/dnssec/how-dnssec-works/</a>
,<br>
I did everything right by following the APNIC article for the
manual signing procedure, and uploaded<br>
the DS record made from the zone KSK hash to the parent domain's
registrar.carnet.hr:</p>
<p>root@domac:/etc/bind/keys# dig @localhost dnskey alu.hr |
dnssec-dsfromkey -f - alu.hr<br>
alu.hr. IN DS 34042 8 2
FD6D9A51ABB63FFDF8B2205AA8529D32CB1121D8342D5929481567D5885BBF08<br>
root@domac:/etc/bind/keys# host -t ds alu.hr<br>
alu.hr has DS record 34042 8 2
FD6D9A51ABB63FFDF8B2205AA8529D32CB1121D8342D5929481567D5
885BBF08<br>
root@domac:/etc/bind/keys#</p>
<p>The BIND version we use is 9.16.27, latest backport on Debian
buster:</p>
<p><font face="monospace">root@domac:/etc/bind/keys# dpkg -l |
grep bind9 | grep 9.16<br>
ii bind9
1:9.16.27-1~deb11u1~bpo10+1
amd64 Internet Domain Name Server<br>
ii bind9-libs:amd64
1:9.16.27-1~deb11u1~bpo10+1
amd64 Shared Libraries used by BIND 9<br>
ii bind9-utils
1:9.16.27-1~deb11u1~bpo10+1
amd64 Utilities for BIND 9<br>
ii bind9utils
1:9.16.27-1~deb11u1~bpo10+1
all Transitional package for bind9-utils<br>
</font></p>
<p>However, for some reason the validation doesn't give me the
"ad" authenticated data flag in dig queries.</p>
<p>There must be something I'm missing.</p>
<p>I would be grateful for any help.</p>
<p>P.S.</p>
<p>I withdraw my question. Now it automagically started working
(the "ad" flag appeared):</p>
<p><font face="monospace">root@magrf:~# dig @127.0.0.1
domac.alu.hr +dnssec +multiline<br>
<br>
; <<>> DiG 9.16.27-Debian <<>>
@127.0.0.1 domac.alu.hr +dnssec +multiline<br>
; (1 server found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 55024<br>
;; flags: qr rd ra <b><font color="#ff0000">ad</font></b>;
QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 1232<br>
; COOKIE: ac834aa33f88f006010000006284fdf6c5738a0b6f9bde2b
(good)<br>
;; QUESTION SECTION:<br>
;domac.alu.hr. IN A<br>
<br>
;; ANSWER SECTION:<br>
domac.alu.hr. 86400 IN A 161.53.235.3<br>
domac.alu.hr. 86400 IN RRSIG A 8 3 86400 (<br>
20220615102400
20220516102400 46119 alu.hr.<br>
tHS58DiuHm0BTCbpyR7k9G9YRtl0iG03Sl5YBK55tBQF<br>
MqR5Bdk9t0Gz8HTFvqYd2kO7jHVRP5hBsMpETXo1PTWa<br>
FYq5WAd4NW+qNJg2giVp04ZC0agS+rPaCQZgeUXuneUk<br>
5wle1qc5GF+R3E8rheTioWPJLw+L2V/n39LYOlQ= )<br>
<br>
;; Query time: 39 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Wed May 18 16:08:54 CEST 2022<br>
;; MSG SIZE rcvd: 251<br>
<br>
root@magrf:~#<br>
</font><br>
Thank you for any help. At least I was motivated to do more
homework.<br>
I believe there is a future for DNSSEC, much like nowadays we
do not have too many<br>
legacy sites that request passwords without HTTPS. I guess now
our domain won't be<br>
easily spoofed :-)</p>
<p>The next step is to make the subzone delegation and automatic
DS record upload to<br>
the main zone, for maintaining half a dozen DS delegations
might become infeasible<br>
if the KSK expires every couple of months :-/</p>
<p>Thank you for your time reading this. You are patient if you
came this far.<br>
</p>
<p>Kind regards,<br>
Mirsad Todorovac<br>
</p>
<div class="moz-cite-prefix">On 5/18/2022 11:52 AM, Mirsad Goran
Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d45643f8-3b9c-82b7-6cb2-a93b145dac25@alu.hr">
<p>Dear Sir or Madam,</p>
<p>I have tried to implement an instance of DNSSEC signed DNS
zone at our Academy's server.</p>
<p>Though we apparently got away without anything
catastrophic, the DNSSEC apparently doesn't<br>
work, despite doing everything like in the tutorial:</p>
<p><a moz-do-not-send="true"
href="https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/"
class="moz-txt-link-freetext">https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/</a></p>
<p>I recall getting help here with dynamic ISC DHCP-updated
reverse zone lookup for sub/24 rev zone.<br>
And it is a gift that keeps on giving :)</p>
<p>Now, to provide as much info as possible, the output of<font
face="monospace"><br>
# dig @efk.alu.hr alu.hr. AXFR +multiline +onesoa<br>
</font>is attached.</p>
<p><font face="monospace">root@domac:~# host -t ds alu.hr<br>
alu.hr has DS record 34042 8 2
FD6D9A51ABB63FFDF8B2205AA8529D32CB1121D8342D5929481567D5
885BBF08<br>
root@domac:~#<br>
</font></p>
<p>DS record came as the result of the command from the
tutorial:</p>
<p><font face="monospace"># dig @localhost dnskey alu.hr |
dnssec-dsfromkey -f - alu.hr<br>
alu.hr. IN DS 34042 8 2
FD6D9A51ABB63FFDF8B2205AA8529D32CB1121D8342D5929481567D5885BBF08<br>
</font></p>
<p>I am doing the reading of the documentation on kb.isc.org
and elsewhere, but it would be good to have some<br>
immediate result as well, at least to make the static zones
running signed.</p>
<p>Step two would be the dynamically updated zone.</p>
<p>I am otherwise thrilled how much better BIND9 is when
compared to the Windows Server 2016 DNS server.</p>
<p>Though so many features also look a bit scary, for it
is trivial to shoot oneself in one's own leg ...</p>
<p>Please, any help would be welcome.</p>
<p>Apparently, the record in DS is the KSK key 34042, while in
other records like domac.alu.hr, they are referenced<br>
with the ZSK key 46119. Is that normal?</p>
<p>From RFC 3658, <a class="moz-txt-link-freetext"
href="https://datatracker.ietf.org/doc/html/rfc3658#section-2.1"
moz-do-not-send="true">https://datatracker.ietf.org/doc/html/rfc3658#section-2.1</a><br>
</p>
<pre class="newpage"> Even though DS identifies two roles for KEYs, Key Signing Key (KSK)
and Zone Signing Key (ZSK), there is no requirement that zone uses
two different keys for these roles. It is expected that many small
zones will only use one key, while larger zones will be more likely
to use multiple keys.</pre>
<p>It is not quite clear to me what went wrong. I am completely new to DNSSEC, despite it being
around since about 1999 or 2006.</p>
<p>The output of the dig command doesn't show the "ad" (authenticated data) flag:</p>
<pre>root@domac:/etc/bind/keys# dig @127.0.0.1 domac.alu.hr +dnssec +multiline

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> @127.0.0.1 domac.alu.hr +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 239
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: c4a4792d65d3fbb7010000006284c0b0bd75890e0cf18dca (good)
;; QUESTION SECTION:
;domac.alu.hr. IN A

;; ANSWER SECTION:
domac.alu.hr. 86400 IN A 161.53.235.3
domac.alu.hr. 86400 IN RRSIG A 8 3 86400 (
20220615102400 20220516102400 46119 alu.hr.
tHS58DiuHm0BTCbpyR7k9G9YRtl0iG03Sl5YBK55tBQF
MqR5Bdk9t0Gz8HTFvqYd2kO7jHVRP5hBsMpETXo1PTWa
FYq5WAd4NW+qNJg2giVp04ZC0agS+rPaCQZgeUXuneUk
5wle1qc5GF+R3E8rheTioWPJLw+L2V/n39LYOlQ= )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 18 11:47:28 CEST 2022
;; MSG SIZE rcvd: 251

root@domac:/etc/bind/keys#</pre>
<p>Thank you very much for your help.</p>
<p>I have now received the confirmation that it wasn't DNSSEC that caused yesterday's outage
and that it was only on a couple of blocked accounts, so I am enthusiastic to make this
work.</p>
<p>Eventually, I would migrate to BIND 9.16 automatically signed zones and rollout of keys,
once the basic stuff starts to work.</p>
<p>Best regards,<br>
Mirsad Todorovac</p>
<pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
</blockquote>
</blockquote>
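<p>The thread asks why the DS at the parent carries the KSK tag 34042 while the RRSIGs carry the ZSK tag 46119. The following is an added example, not code from the thread or from BIND: it reproduces what dnssec-dsfromkey computes (key tag per RFC 4034 Appendix B, DS digest per RFC 4034 section 5.1.4) and adds the check an operator would run to confirm that the DS returned by <tt>host -t ds</tt> really matches the published KSK. TOY_PUBKEY is a constructed placeholder, not alu.hr's real key material.</p>

```python
# Added example, not from the thread: derive a DS record from a KSK DNSKEY the way
# dnssec-dsfromkey does, and check a DS published at the parent against the key.
# TOY_PUBKEY is a constructed placeholder, not alu.hr's real key material.
import hashlib
import struct


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; this is the 34042 / 46119 number in the thread."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercased, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) for the DNSKEY (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_key(ds: tuple, owner: str, flags: int, algorithm: int, pubkey: bytes) -> bool:
    """Operator's check: does the DS seen at the parent (e.g. via 'host -t ds') match this KSK?"""
    tag, alg, dtype, digest = ds
    return ds_record(owner, flags, algorithm, pubkey, dtype) == (tag, alg, dtype, digest.upper())


# Constructed toy key bytes; flags 257 = ZONE|SEP marks a KSK, 256 a ZSK.
TOY_PUBKEY = bytes([1, 2, 3, 4])
KSK_DS = ds_record("alu.hr.", 257, 8, TOY_PUBKEY)          # what goes to the registrar
ZSK_TAG = key_tag(dnskey_rdata(256, 3, 8, TOY_PUBKEY))     # tag that RRSIGs would carry

if __name__ == "__main__":
    print("alu.hr. IN DS", *KSK_DS)
    print("ZSK key tag (would appear in RRSIGs, not in DS):", ZSK_TAG)
```

<p>Only the KSK (SEP flag set) is hashed into the DS, so a DS tag that differs from the tag in the RRSIGs is the normal two-key layout, not a mismatch; a real mismatch shows up when ds_matches_key returns False for the key actually in the zone.</p>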
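<p>The two captures in the thread differ in one flag: the query sent straight to the authoritative server returns <tt>qr aa rd ra</tt>, the query to the local validating resolver returns <tt>qr rd ra ad</tt>. The AD bit is set by a validating resolver for an answer it has verified (RFC 4035), never by an authoritative server returning its own zone data, so asking the zone's own server can never show it. The following added example, not code from the thread, encodes that reading of a dig header; the two header snippets are constructed from the captures above.</p>

```python
# Added example, not from the thread: read a dig header and say what its flags mean
# for DNSSEC validation. The two header snippets are constructed from the captures in
# the thread (authoritative server vs local validating resolver).
import re


def dig_verdict(dig_output: str) -> str:
    """Classify a dig response by its status, header flags and EDNS DO bit."""
    status = re.search(r"status: (\w+)", dig_output)
    header = re.search(r";; flags: ([^;]*);", dig_output)
    if not status or not header:
        return "unparsed"
    flags = set(header.group(1).split())
    if status.group(1) != "NOERROR":
        return f"{status.group(1)}: with DO set, SERVFAIL from a validating resolver usually means the chain of trust failed"
    if "ad" in flags:
        return "validated: a validating resolver set AD for this answer"
    if "aa" in flags:
        return "authoritative: the zone's own server answered; it does not validate its own data, so AD is not set here, ask a validating resolver instead"
    if "flags: do" not in dig_output:          # EDNS line: '; EDNS: version: 0, flags: do; ...'
        return "not requested: query sent without +dnssec, DO bit absent"
    return "not validated: resolver is not validating or has no trust path to this zone"


# Constructed from the thread's first capture (query to 161.53.235.3, the authoritative server).
AUTH_HEADER = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5934
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232"""

# Constructed from the thread's second capture (query to 127.0.0.1, the validating resolver).
RESOLVER_HEADER = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55024
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232"""

if __name__ == "__main__":
    print("authoritative server:", dig_verdict(AUTH_HEADER))
    print("validating resolver: ", dig_verdict(RESOLVER_HEADER))
```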
</div>
</body>
</html>