-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mark,

On 12 Jan 2009, at 23:49, Mark Andrews wrote:

I realise this just has to be a user error, but so far I've been
completely unsuccessful in getting an authenticated response from a
9.6.0 recursive server with trusted keys correctly configured.

I've done this:

* Signed the zones:

"parent" is signed with NSEC semantics, key algorithm is RSASHA1
"child1.parent" is signed with NSEC, key algorithm is RSASHA1
"child2.parent" is signed with NSEC3, key algorithm is NSEC3RSASHA1

        Did you tell dnssec-signzone to generate NSEC3 chains rather
        than NSEC chains?  NSEC3RSASHA1 allows for both NSEC and
        NSEC3 chains and dnssec-signzone defaults to NSEC chains.

        dnssec-signzone -3 salt [-H iterations] [-A] ....

Absolutely, and the signed zone looks fine (except that it is full of ugly NSEC3's ;-). This is my dnssec-signzone invocation:

dnssec-signzone -N increment -v 9 -a -A -H 1 -3 "" -o $ZONE $ZONE $ZSK $KSK

* Created the secure delegations:

the DS records for child1.parent and child2.parent both use the
correct algorithm numbers (5 and 7 respectively)

* Configured a trusted key for "parent" in a recursive server:

The trusted key is correctly configured, because I'm able to validate
positive responses from all three zones (which also proves that the
delegations are correctly secured via the DS records). I'm also able
to validate negative responses from "parent" and "child1.parent".

And, yes, I have "dnssec-enable yes; dnssec-validation yes;" in
relevant places.

But I fail to validate the interesting case, i.e. a negative response
from child2.parent containing NSEC3 records as the proof. I get the
response, with all the NSEC3s and their RRSIGs. But no AD bit.

Anyone done this recently who can give me a suggestion to where I may
go wrong?

Johan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFJa9hRKJmr+nqSTbYRAuDKAJ4upG/n5lww2yrST29HDzteQX369QCfUqxt
WcZi55ArpM58re2gtd6reAI=
=+sNo
-----END PGP SIGNATURE-----
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
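The part the validator has to get right for the failing case above is the NSEC3 proof of non-existence: hash the query name with the zone's salt and iteration count, find the closest encloser that matches an NSEC3 owner, and check that the next closer name and the wildcard at the closest encloser are both covered by an NSEC3 record (RFC 5155 section 8.4). The following is an added example, not code from the thread or from BIND, that implements those checks with a constructed two-name chain for "child2.parent" using the empty salt and one additional iteration from the dnssec-signzone invocation in the thread (`-3 "" -H 1`); the hypothetical name "nope.child2.parent" is the constructed query. The hash routine is also checked against the RFC 5155 Appendix A vector (zone "example", salt aabbccdd, 12 iterations). Opt-out and wildcard-expansion cases are left out.

```python
# Added example (not from the bind-users thread): how a validator decides whether
# a set of NSEC3 records proves that a name does not exist (RFC 5155 section 8.4).
import base64
import hashlib

# RFC 4648 base32 -> base32hex alphabet; NSEC3 uses base32hex so that hashed
# owner names sort in the same order as the raw hash bytes.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def labels(name: str) -> list:
    """Split a domain name into labels, lowercased, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """NSEC3 hash, algorithm 1 (SHA-1): iterations extra rounds of H(prev || salt),
    returned as lowercase base32hex (32 characters for SHA-1)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def covers(owner: str, nxt: str, h: str) -> bool:
    """True if hash h lies strictly between an NSEC3 owner hash and its next hash.
    The last record in the chain points back to the first, so owner > nxt wraps."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # wrap-around record


def build_chain(names: list, salt: bytes, iterations: int) -> list:
    """Constructed NSEC3 chain for existing names: (owner_hash, next_hash) pairs."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def proves_nxdomain(qname: str, zone: str, chain: list, salt: bytes, iterations: int) -> bool:
    """Does this NSEC3 chain prove that qname does not exist in zone?
    Requires: a closest encloser that matches an NSEC3 owner, the next closer
    name covered, and the wildcard at the closest encloser covered."""
    owners = {o for o, _ in chain}

    def matched(n):
        return nsec3_hash(n, salt, iterations) in owners

    def covered(n):
        h = nsec3_hash(n, salt, iterations)
        return any(covers(o, nx, h) for o, nx in chain)

    q, z = labels(qname), labels(zone)
    if len(q) <= len(z) or q[len(q) - len(z):] != z:
        return False  # the apex itself, or a name outside the zone
    # Walk candidate closest enclosers from the parent of qname up to the apex.
    for i in range(1, len(q) - len(z) + 1):
        closest_encloser = ".".join(q[i:])
        next_closer = ".".join(q[i - 1:])
        if (matched(closest_encloser) and covered(next_closer)
                and covered("*." + closest_encloser)):
            return True
    return False


if __name__ == "__main__":
    # Constructed zone data: two existing names, empty salt, one extra iteration
    # (the thread's "-3 "" -H 1"); "nope.child2.parent" is the hypothetical query.
    salt, iterations = b"", 1
    chain = build_chain(["child2.parent", "www.child2.parent"], salt, iterations)
    for owner, nxt in chain:
        print(f"{owner}.child2.parent. NSEC3 1 0 {iterations} - {nxt}")
    print("nope.child2.parent NXDOMAIN proven:",
          proves_nxdomain("nope.child2.parent", "child2.parent", chain, salt, iterations))
    print("www.child2.parent NXDOMAIN proven:",
          proves_nxdomain("www.child2.parent", "child2.parent", chain, salt, iterations))
```

If the recursive server has the correct salt and iteration count from the NSEC3PARAM/NSEC3 RDATA and all three checks pass, the response is secure and gets the AD bit; a mismatch in salt encoding or iteration count (for example, hashing with `-H 1` on one side and 0 iterations on the other) makes the next closer name look uncovered and the answer falls back to insecure.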