On 07.02.2018 at 12:12, Reindl Harald wrote:


On 07.02.2018 at 12:07, Matus UHLAR - fantomas wrote:
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
what's the difference, when the domain doesn't exist?

is it because .eu is signed?

On 06.02.18 16:35, Ray Bellis wrote:
Perhaps, although I'm not sure why given that .eu is signed with NSEC3
and opt-out.

Are you *sure* that the domain doesn't now actually exist in the DNS?

yes. even web whois shows no 'nameserver' information.

the name is "testa.eu".
I'm not good at dnssec to find out more

probably it's just a stupid idea to have no nameservers instead of some fake-nameserver without DS records when you override the domain locally anyways

my "rhsoft.net" domain on local networks also has nothing in common with the public nameservers

https://dnssec-debugger.verisignlabs.com/testa.eu

     Found 3 DNSKEY records for .
     DS=20326/SHA-256 verifies DNSKEY=20326/SEP
     DS=19036/SHA-256 verifies DNSKEY=19036/SEP
     Found 1 RRSIGs over DNSKEY RRset
     RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
eu
     Found 1 DS records for eu in the . zone
     DS=59479/SHA-256 has algorithm RSASHA256
     Found 1 RRSIGs over DS RRset
     RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
     Found 2 DNSKEY records for eu
     DS=59479/SHA-256 verifies DNSKEY=59479/SEP
     Found 2 RRSIGs over DNSKEY RRset
     RRSIG=43743 and DNSKEY=43743 verifies the DNSKEY RRset
     Zone eu (2600:2000:3004::1) returns NXDOMAIN for testa.eu

and that proves that your setup with no nameservers is stupid because otherwise you would get "domain not signed" and you are done

https://dnssec-debugger.verisignlabs.com/rhsoft.net

        Found 3 DNSKEY records for .
        DS=20326/SHA-256 verifies DNSKEY=20326/SEP
        DS=19036/SHA-256 verifies DNSKEY=19036/SEP
        Found 1 RRSIGs over DNSKEY RRset
        RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
net     
        Found 1 DS records for net in the . zone
        DS=35886/SHA-256 has algorithm RSASHA256
        Found 1 RRSIGs over DS RRset
        RRSIG=41824 and DNSKEY=41824 verifies the DS RRset
        Found 2 DNSKEY records for net
        DS=35886/SHA-256 verifies DNSKEY=35886/SEP
        Found 1 RRSIGs over DNSKEY RRset
        RRSIG=35886 and DNSKEY=35886/SEP verifies the DNSKEY RRset
rhsoft.net      
        No DS records found for rhsoft.net in the net zone
        No DNSKEY records found
        rhsoft.net A RR has value 91.118.73.11
        No RRSIGs found

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
