it is 6 months since I used no worries dlv
On Thursday 24 March 2011 at 23:21 +0100, fakessh @ wrote:
> everything worked just fine until I changed the rndc key. ns in my side
> and only ns1.novacrea.fr ns1.xname.org are valid for dnssec
>
>
> On Thursday 24 March 2011 at 23:02 +0100, fakessh @ wrote:
> > On Friday 25 March 2011 at 08:24 +1100, Mark Andrews wrote:
> > > In message <1300993213.12273.96.camel@localhost.localdomain>, "fakessh @" writes:
> > > > hi bind //guru/
> > > > hi isc guru
> > > > hi mark andrews
> > > > hi michel graff
> > >
> > > There are no DLV records for fakessh.eu. See below.
> > >
> > > There are no DS records for fakessh.eu. See below.
> > >
> > > > necessarily because I can not validate the key through isc dlv
> > >
> > > Two of the nameservers for your zone are not DNSSEC enabled. They
> > > do NOT return RRSIG records when asked for the DNSKEY records with
> > > DO=1. See below.
> > >
> > > You need to address these issues.
> > >
> > > Mark
> > >
> > > % dig fakessh.eu.dlv.isc.org dlv
> > >
> > > ; <<>> DiG 9.6.0-APPLE-P2 <<>> fakessh.eu.dlv.isc.org dlv
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21760
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > >
> > > ;; QUESTION SECTION:
> > > ;fakessh.eu.dlv.isc.org. IN DLV
> > >
> > > ;; AUTHORITY SECTION:
> > > dlv.isc.org. 2793 IN SOA ns-int.isc.org.
> > > hostmaster.isc.org. 2011032404 7200 3600 2419200 3600
> > >
> > > ;; Query time: 3 msec
> > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > ;; WHEN: Fri Mar 25 08:10:56 2011
> > > ;; MSG SIZE rcvd: 94
> > >
> > > % dig ds fakessh.eu
> > >
> > > ; <<>> DiG 9.6.0-APPLE-P2 <<>> ds fakessh.eu
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20600
> > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > >
> > > ;; QUESTION SECTION:
> > > ;fakessh.eu. IN DS
> > >
> > > ;; AUTHORITY SECTION:
> > > eu. 600 IN SOA a.nic.eu.
> > > tech.eurid.eu. 1003425849 3600 1800 3600000 600
> > >
> > > ;; Query time: 930 msec
> > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > ;; WHEN: Fri Mar 25 08:13:44 2011
> > > ;; MSG SIZE rcvd: 81
> > >
> > > % dig +dnssec dnskey fakessh.eu @ns0.xname.org
> > >
> > > ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec dnskey fakessh.eu @ns0.xname.org
> > > ;; global options: +cmd
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11804
> > > ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 6
> > > ;; WARNING: recursion requested but not available
> > >
> > > ;; OPT PSEUDOSECTION:
> > > ; EDNS: version: 0, flags: do; udp: 4096
> > > ;; QUESTION SECTION:
> > > ;fakessh.eu. IN DNSKEY
> > >
> > > ;; ANSWER SECTION:
> > > fakessh.eu. 38400 IN DNSKEY 256 3 5
> > > AwEAAeFYV9JtqoHqpU8vpl+wMFOQjt77N5XgUcove5Apmjwqsx/awcbN
> > > Q2+H3hqeJ9f8NRSDUamSLFmvuUJTbDLDxpw9AlNjZNXQysxaQ//lNXKR
> > > P2nfrbqMvNnerzdPQ1eF2RqMf5XuOFv6+4UFz/rykszQcK6kH4qIWQ89
> > > Ibk4eXc249MP31vUlgf3tiHyWyqQtD2JJpHY3HwDOYHhKR0Rilk=
> > > fakessh.eu. 38400 IN DNSKEY 257 3 5
> > > AwEAAbj75OmR1A8gs1lda3OYTKaY+dy4jVBmflEk/c8g/JDw6UvAqWMz
> > > 9KtNIZvGt9E8JMSfaH6VZLY0mWFfCkn7o38=
> > >
> > > ;; AUTHORITY SECTION:
> > > fakessh.eu. 38400 IN NS r13151.ovh.net.
> > > fakessh.eu. 38400 IN NS ns0.xname.org.
> > > fakessh.eu. 38400 IN NS ns1.xname.org.
> > > fakessh.eu. 38400 IN NS ns1.novacrea.fr.
> > > fakessh.eu. 38400 IN NS ns2.xname.org.
> > >
> > > ;; ADDITIONAL SECTION:
> > > ns0.xname.org. 600 IN A 195.234.42.1
> > > ns1.xname.org. 600 IN A 87.98.164.164
> > > ns1.novacrea.fr. 55352 IN A 94.23.59.30
> > > ns2.xname.org. 600 IN A 88.191.64.64
> > > ns2.xname.org. 600 IN AAAA
> > > 2a01:e0b:1:64:240:63ff:fee8:6155
> > >
> > > ;; Query time: 391 msec
> > > ;; SERVER: 195.234.42.1#53(195.234.42.1)
> > > ;; WHEN: Fri Mar 25 08:19:34 2011
> > > ;; MSG SIZE rcvd: 515
> > >
> > > %
> > >
> > > > despite my efforts to validate isc dlv. I'm always at the same point I
> > > > can not validate the keys. error below the script isc
> > > >
> > > > SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
> > > > 3.345:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
> > > > 3.345:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
> > > > 3.345:INFO Total answers: 3
> > > > 3.346:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
> > > > 3.347:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
> > > > 3.347:SUCCESS All DNSKEY responses are identical.
> > > > 3.353:DEBUG VERIFY-DNSKEY: Checking tag=41931 flags=256
> > > > alg=RSASHA1
> > > > AwEAAbjq...Na0iXShQfc=
> > > > 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> > > > 3.353:DEBUG VERIFY-DNSKEY: Checking tag=27979 flags=257
> > > > alg=RSASHA1
> > > > AwEAAcNa...y1khCE+CdE=
> > > > 3.353:DEBUG VERIFY-DNSKEY: Ignoring key.
> > > > 3.353:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
> > > > 3.353:INFO VERIFY-DNSKEY: 0 keys found after filtering.
> > > > 3.353:DEBUG VERIFY-DNSKEY: Using keys:
> > > > 3.353:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
> > > > 3.353:FAILURE VERIFY-DNSKEY: No keys found after filtering.
> > > > 3.353:FAILURE DNSKEY signature did not validate.
> > > > 3.353:FINAL_FAILURE FAILURE
> > > >
> > > > --
> > > > gpg --keyserver pgp.mit.edu --recv-key 092164A7
> > > > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7

--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
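
The per-nameserver check described in the quoted reply (a DNSKEY query with DO=1 that comes back without RRSIG records means that server is not DNSSEC enabled) can be run over saved `dig +dnssec dnskey` output. This is an added example, not part of the original thread; the function names, the `example.test` zone and the placeholder key strings are constructed for illustration.

```shell
#!/bin/sh
# Classify one `dig +dnssec dnskey ZONE @SERVER` response read from stdin:
#   signed     DO was set and the answer carries an RRSIG covering DNSKEY
#   unsigned   DO was set, DNSKEY records returned, no covering RRSIG
#   no-do      DO bit not set, so a missing RRSIG proves nothing
#   no-dnskey  no DNSKEY records in the answer section
classify_dnskey_answer() {
    awk '
        /^; EDNS:/ && /flags:[^;]* do[ ;]/ { do_bit = 1 }
        /^;; [A-Z]+ SECTION:/ { in_answer = ($2 == "ANSWER"); next }
        in_answer && $4 == "DNSKEY" { keys++ }
        in_answer && $4 == "RRSIG" && $5 == "DNSKEY" { sigs++ }
        END {
            if (!do_bit)    print "no-do"
            else if (!keys) print "no-dnskey"
            else if (!sigs) print "unsigned"
            else            print "signed"
        }'
}

# Constructed sample response (not real key material).
# Pass "with-sig" to include the RRSIG a DNSSEC-enabled server would add.
sample_response() {
    printf '%s\n' \
        ';; OPT PSEUDOSECTION:' \
        '; EDNS: version: 0, flags: do; udp: 4096' \
        ';; QUESTION SECTION:' \
        ';example.test. IN DNSKEY' \
        ';; ANSWER SECTION:' \
        'example.test. 38400 IN DNSKEY 256 3 5 PLACEHOLDERZSK=' \
        'example.test. 38400 IN DNSKEY 257 3 5 PLACEHOLDERKSK='
    [ "${1:-}" = with-sig ] &&
        printf '%s\n' 'example.test. 38400 IN RRSIG DNSKEY 5 2 38400 PLACEHOLDERSIG='
    printf '%s\n' ';; AUTHORITY SECTION:' \
        'example.test. 38400 IN NS ns0.example.test.'
}

# Compare a DNSSEC-enabled server with one that drops the signatures.
for kind in with-sig without-sig; do
    printf '%-12s %s\n' "$kind" \
        "$(sample_response "$kind" | classify_dnskey_answer)"
done
```

Against live servers, pipe each nameserver's `dig +dnssec dnskey ZONE @SERVER` output into `classify_dnskey_answer`; every server listed in the zone's NS set should report `signed`.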