In message <088512ac-625e-4a72-aa90-65c73fb8b...@johani.org>, Johan Ihren writes:
> Hi Mark,
>
> On 12 Jan 2009, at 23:49, Mark Andrews wrote:
>
> >> I realise this just has to be a user error, but so far I've been
> >> completely unsuccessful in getting an authenticated response from a
> >> 9.6.0 recursive server with trusted keys correctly configured.
> >>
> >> I've done this:
> >>
> >> * Signed the zones:
> >>
> >> "parent" is signed with NSEC semantics, key algorithm is RSASHA1
> >> "child1.parent" is signed with NSEC, key algorithm is RSASHA1
> >> "child2.parent" is signed with NSEC3, key algorithm is NSEC3RSASHA1
> >
> > Did you tell dnssec-signzone to generate NSEC3 chains rather
> > than NSEC chains? NSEC3RSASHA1 allows for both NSEC and
> > NSEC3 chains and dnssec-signzone defaults to NSEC chains.
> >
> > dnssec-signzone -3 salt [-H iterations] [-A] ....
>
> Absolutely, and the signed zone looks fine (except that it is full of
> ugly NSEC3's ;-). This is my dnssec-signzone invocation:
>
> dnssec-signzone -N increment -v 9 -a -A -H 1 -3 "" -o $ZONE $ZONE $ZSK $KSK
>
> >> * Created the secure delegations:
> >>
> >> the DS records for child1.parent and child2.parent both use the
> >> correct algorithm numbers (5 and 7 respectively)
> >>
> >> * Configured a trusted key for "parent" in a recursive server:
> >>
> >> The trusted key is correctly configured, because I'm able to validate
> >> positive responses from all three zones (which also proves that the
> >> delegations are correctly secured via the DS records). I'm also able
> >> to validate negative responses from "parent" and "child1.parent".
> >>
> >> And, yes, I have "dnssec-enable yes; dnssec-validation yes;" in
> >> relevant places.
> >>
> >> But I fail to validate the interesting case, i.e. a negative response
> >> from child2.parent containing NSEC3 records as the proof. I get the
> >> response, with all the NSEC3s and their RRSIGs. But no AD bit.
> >>
> >> Anyone done this recently who can give me a suggestion to where I may
> >> go wrong?

NXDOMAIN + OPTOUT -> AD=0

> Johan

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
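Mark's one-line answer, spelled out as an added example (not code from this thread, from BIND or from ISC): the `-A` in the dnssec-signzone invocation quoted above sets the NSEC3 Opt-Out flag, and an NXDOMAIN whose next closer name falls in an Opt-Out span can only be proven *insecure* (it might be an unsigned delegation), so a validator leaves AD clear even though every NSEC3 and RRSIG verified. The zone names below are constructed, and `nxdomain_status` is a hypothetical helper that walks the RFC 5155 section 8.4 checks; it is not BIND's validator.

```python
import base64
import hashlib

OPTOUT = 0x01  # Opt-Out bit of the NSEC3 Flags field (RFC 5155, section 3.1.2.1)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, terminating root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=1):
    """RFC 5155 section 5: SHA-1 of (name || salt), re-hashed `iterations` times, base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).lower()

def covers(owner, nxt, target):
    """True if target lies strictly between owner and next hash (last NSEC3 wraps to the first)."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt

def build_chain(names, flags, salt=b"", iterations=1):
    """Constructed NSEC3 chain over a zone's existing names: list of (owner_hash, flags, next_hash)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, flags, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def nxdomain_status(qname, closest_encloser, nsec3s, salt=b"", iterations=1):
    """Classify an NXDOMAIN proof (RFC 5155 section 8.4) as 'secure', 'insecure' or 'bogus'.
    'insecure' is the Opt-Out case: the next closer name may be an unsigned delegation,
    so the validator must not set AD even though the NSEC3s and their RRSIGs verified."""
    labels = qname.lower().rstrip(".").split(".")
    ce_labels = closest_encloser.lower().rstrip(".").split(".")
    if len(labels) <= len(ce_labels) or labels[-len(ce_labels):] != ce_labels:
        return "bogus"  # closest encloser must be a proper ancestor of qname
    next_closer = ".".join(labels[-(len(ce_labels) + 1):])
    ce_hash = nsec3_hash(closest_encloser, salt, iterations)
    nc_hash = nsec3_hash(next_closer, salt, iterations)
    wc_hash = nsec3_hash("*." + closest_encloser, salt, iterations)
    if not any(owner == ce_hash for owner, _, _ in nsec3s):
        return "bogus"  # no NSEC3 matches the closest encloser
    nc_cover = [flags for owner, flags, nxt in nsec3s if covers(owner, nxt, nc_hash)]
    if not nc_cover or not any(covers(o, n, wc_hash) for o, _, n in nsec3s):
        return "bogus"  # next closer name or wildcard at the closest encloser not proven absent
    return "insecure" if nc_cover[0] & OPTOUT else "secure"

if __name__ == "__main__":
    # Constructed child2.parent zone signed with Opt-Out, as "-A" does: no AD bit on NXDOMAIN.
    chain = build_chain(["child2.parent", "www.child2.parent"], OPTOUT)
    print(nxdomain_status("nx.child2.parent", "child2.parent", chain))  # insecure
```

Re-signing without `-A` (flags 0 on every NSEC3) turns the same proof into "secure", which is the only case in which a validator may set AD on the NXDOMAIN.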