Hi Mark, Thank you for responding. What do you mean by zone apex?
If we assume one of the domains that fails to be seen as signed is " example.co.uk" then would the apex be the domain name with no prefixes ? I've changed the domain name but this is part of what I have in my signed zone file for one of the zones that fails to be recognised as signed ( after the signing process). example.co.uk. IN RRSIG *NSEC*3PARAM 7 3 0 20170429213251 20170330213251 39233 example.co.uk. T1VK1lrlk+4++3Nr7WlS3CeJISCPofUuo799 S8wKrLG5UngbzRty1DQ2q6uPkiIVoqtuZJdd IklQIZxrCXt1NGSq8yQ4sNodVHMH90dvYQtY UkViTVIqX15bcY/rLIwOXjrkfz6BB9oavzPZ cuycGR0zd76sgslFJNAZt8hv7XhXxnP94Ke7 VkxCsdpIT98WMrk6eBEtL76VTm855O2X/lw2 yQdLerE578rZSmOc4K6NKxqeAwVN9ktB9DnK ugTJmZVIeF/IPcJzeOpNUHA8QkS/dbNqZ5Po 6CIpTzHospp6xHyBJ8V8GK5PSNLtiPaIHIkE 0C1LgiBLv7e4Hiejq2ZOrIiJAtMILiT95YcT n5LJaQkSsbNlS96nSmyE49iUMM4lWwOji3HG +oLdGdRSwO+1ySyN4XyY2yIfAF+8oKsjHLyJ zeMhRqHI3kE0+zbtsw7sjQveNzpCxW7reIa+ XlDjX1SkYXucG/f7BPxYSBCf4Qf0wZgGFC9h oSPZFNsIpDYJnG3kiwPdXr5dDwKJyhX2iBQT jb9omapnn6YBSN0xNnFwBZ5UqBNAkuOH4jQA CXSQW390CoKPt/gCQfdMkEEFd7dgsLeBQI36 ABsH1DQtxFqCjCdGK5gFmeKNGvzJPnNlT+++ Xy8VoMXX7xlM4qkSDwRjee8hT3s9ObLxWKI= and example.co.uk. IN DNSKEY 257 3 7 AwEAAbZFkjq1Q+7Z67VNF3DkvwZTFFK+sgM+2H+xFqkpyeHQoLmsSAWj BoulxcEIVenvY/X8fFvHk4yemA0z9DWpVEL9//zGtIVInJqRzzVlx7QQ RWDuYqya+U6YpzYkYX0DspOyzFFswtMclF0ktmFB7XOSEmy70OfJL4Oy p4GI5wT8M26bQmDQ6w+UcHUO7M8ciF6qJ5JP68O34BlmUq7gGm1DlqVK o1puldx22djX8GqvqhJjPaV5OHOXn4C5axR0IXiz9C39t1mjAkfxlHJW kshl+ENmdyyI6hw1vOqLHRmGlDQnL2wdvwerYGfLUAAEYx7+n9v+Ubec J83SBt90g5OGyT0JH2BTe5IaQeU8+OwQ97P0dRc3yIbGI9e0RSQuE1Zy 0YUHsIiHpTXrr16vBV97FPLzKGxV0i7AM15JoSCauUyr0DNA391pxVDd HOeyqpxxV69jNWKcdPV7KJFBSEGI3Uthp8uzNRepdJolg0qxNZy8n5tx 4sWIGAF2pqLFPZDLPa6yrFazq85JwhYmeqtiR1YXdsxHnR+My714mApl TiUD4EPP2ylbXeKvsOEWU0NwoAXf92uaSj9C8hH/JIboPDSk1/Y6uv5l YufyA6f3UFbZPAeqlp2OifE9t0nCqfi43Od70qyvPULqo7S7gtpq6nWA fqSDCTGxBwOVthD9 example.co.uk. IN DNSKEY 256 3 7 AwEAAcqXsmOpeTwLI6ikMgz8JZWddUaKjcX+BpCtbkB9pmngl2JugzoQ iW+NGcYgLjKkpPHxsHDPBBbfrFTy0l+htYyi6tudAjlNOju+tvMDB4VC 86aC100XcSF/h1eSqPxPZz4CjdeBI8x/ahbh7bKHILnokb2mK9CLpZ2w j4UbCkXu8Of3WWamU3uAEnQ6Lm1xZ8HHxf86S5ev0e+bSm+JTkJVdk12 8iIBu6t9lWpYeSemtxHfLhK0Pm1evnHFpr17Sk9/yt5gUZkTd0d9nazT GsUNjbgdyr943K05wAs5EEgqEIp5eI9zcJ1QeeXBG+co5grBa6Leq3Pm zcqxwtzuB2VDRKr9P34tT5n5OY2jg+B98ERd3TiLJTF+wd5Pa5n+lVXt nkAODvfYv+xlEgUqfnIxEfNc7aQKXwWaLBW1Hx25aobsXJ+vrdhE+sqd Jbzjr8p+EG8ZS8gJ9c4B+snMOYwns7hVAATX/3K3XwJUcdGQoynm20iV acDErzZRzHqW+XNtU5EnBjpdzK+Lz0wH63yXRIOd09ap6XACkRH1ApNo syOFdEVwEgTJEPvavu6FH6YR6iHmVR+YqblSBOCP5jfdIVmHm+MfihJs 3whGNAo9XPFEYg+M6vJ8e04zMD17mWL4w/lilhLy1CbuzU2Bw1yniFRI P9mvO7K0z/mrPxWn I compared it with the one of the zones that is recognised as signed and I see the following there: workingexample.email. 38400 *IN NSEC* _dmarc.workingexample.email. A NS SOA MX TXT AAAA SSHFP RRSIG NSEC DNSKEY SPF workingexample.email. *IN DNSKEY* 257 3 8 AwEAAeLetJzQo74Zi/qXJjF4JoF37qu0rXTWQzn7yUC058w76SrPVV4a hZIPI9oBNcWn5yeP6qR/bIkBM1OKfP0qGgLRyLAZPdsB36q1BnEfLrbi trZmlGY8+AnUxjpPbEscT/g47UJiN9exBs0wAPdwwTRypYwBOVzP7cRP TiPf0QlMslMrgd9lpFhFQblj97sZiVTZCyJM2FhKo3bdwDpde6fkJV0I Ilrj3X47hJMFwW3UbA+H8UE/8jWrhrmSPi5b/uxbMY9qkOeaFm/LexC6 tr89pCesYrnIqceQTsvJl7+HOB1WNzW4vkC0idzo1kq65Woo8FOvzM7x HukCPrlyWvc= workingexample.email. *IN DNSKEY* 256 3 8 AwEAAbCKGjHIFvhlPpVeReXSDymlwlyeHwejRF0vBp7GTdFv2qCRI1Wc 9GDhVuUWmBv9gxynqQgf4K460RMia1ElZjOFQUZwB4i/OgvfAedEdjov r+G7fHt45FShmR5WLuPOP1EGvJAki18rJgZL99PY4bAqq+s7Ut/SCmAs gKsy1WkL0cfEyl4qWPDv5YRbM4NBCZUZfO7nzmjuvIY+rlGEC00= So, it would appear that no 'IN NSEC' or 'IN NSEC3PARAM' is being added when the 'example.co.uk' is signed. As far as I can tell no error was reported during the signing process for example.co.uk - do you have any suggestions as to what might stop the signing tool from adding the 'IN NSEC' or 'IN NSEC3PARAM' records ? Jay On 30 March 2017 at 23:02, Mark Andrews <ma...@isc.org> wrote: > > In message <CAB=ej3rXb-+UkwyT8RoURszF70Gi76ksj7Uk6uuvq > f5pug3...@mail.gmail.com>, J T writ > es: > > Hi, > > > > I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .co.uk ). > > > > I used Webmin to do the heavy lifting of signing/resigning etc. > > > > Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on > > restart/zone application and that fact is reported in the system logs. > > > > I’m trying to work out why 3 are failing to be recognised as Signed. > > > > No errors are reported as part of the signing process. The zonefiles > > appear to have loads of DNSSEC related resource records. > > > > e.g. > > > > - RRSIG (digital signature) > > - DNSKEY (public key) > > - DS (parent-child) > > - NSEC (proof of nonexistence) > > - NSEC3 (proof of nonexistence) > > - NSEC3PARAM (proof of nonexistence) > > > > and the parent registrar has had DS records added. > > > > As bind is not flagging the zone as signed its not returning RRSIGs in > the > > Answer section of a query ( although they are provided in the Additional > > section ). > > > > I’m not really sure what the criteria is for bind to decide a zone is > > signed. > > For a zone to be treated as secure (signed) there needs to be a > NSEC record at the zone apex or a NSEC3PARAM record at the zone > apex. There also needs to be a DNSKEY RRset containing a zone key. > > While named is in the process of signing a zone initially these > conditions are not met. The last stage of initial signing is to > add the NSEC record to the apex or to add the NSEC3PARAM record. > > The first stage of going insecure is to remove the NSEC/NSEC3PARAM > record at the zone apex. > > > The same process is being used to sign/resign the 5 zones but only 2 are > > flagged as signed. > > > > Any tips on how to debug this would be appreciated. > > > > Thanks, > > > > Jay > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org >
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
