Certbot rfc2136

2021-10-24 Thread Paul van der Vlis

Hello,

I am trying to get Certbot working using rfc2136. But during the 
validation I get these errors:

---
Oct 24 02:14:21 ns1 named[343]: client @0x7f70e43b7d08 
45.95.238.187#57242/key test3.hallo24.nl: updating zone 'hallo24.nl/IN'
: adding an RR at '_acme-challenge.test3.hallo24.nl' TXT 
"qYxXiH34V8T0lFtsUOd_BPMZCBiA-FgAiJ-0nUGHsYE"
Oct 24 02:14:21 ns1 named[343]: dns_dnssec_findzonekeys2: error reading 
Khallo24.nl.+013+02962.private: file not found
Oct 24 02:14:21 ns1 named[343]: dns_dnssec_findzonekeys2: error reading 
Khallo24.nl.+013+01290.private: file not found

---

These files are in /etc/bind/keys/, and normally that's no problem.

I've tried to specify the "key-directory" in the bind configuration, but 
when I do that I get an error during "rndc reload", so I cannot specify 
a key-directory.  This is Bind 9.16.15 from Debian 11.


What am I doing wrong?


Does somebody know a good howto to get this working? I currently use this:
https://certbot-dns-rfc2136.readthedocs.io/en/stable/
but in my opinion it's not complete enough.

With regards,
Paul

--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


use dig query

2021-10-24 Thread Champion Xie
dig version 9.14.8

Using the following command cannot achieve the desired effect; DNSSEC
information will still be output:
dig 1.1.1.1.in-addr.arpa +trace +nodnssec

Normally, the parameters should not be in sequence


-- 
Best Regards!!
champion_xie


Re: use dig query

2021-10-24 Thread Mark Andrews
Works fine for me.

% bin/dig/dig 1.1.1.1.in-addr.arpa +trace 

; <<>> DiG 9.14.8 <<>> 1.1.1.1.in-addr.arpa +trace
;; global options: +cmd
.   331767  IN  NS  f.root-servers.net.
.   331767  IN  NS  j.root-servers.net.
.   331767  IN  NS  k.root-servers.net.
.   331767  IN  NS  l.root-servers.net.
.   331767  IN  NS  i.root-servers.net.
.   331767  IN  NS  e.root-servers.net.
.   331767  IN  NS  h.root-servers.net.
.   331767  IN  NS  b.root-servers.net.
.   331767  IN  NS  m.root-servers.net.
.   331767  IN  NS  g.root-servers.net.
.   331767  IN  NS  c.root-servers.net.
.   331767  IN  NS  d.root-servers.net.
.   331767  IN  NS  a.root-servers.net.
.   331767  IN  RRSIG   NS 8 0 518400 2021110417 
2021102216 14748 . FERgiY720i+bYmHhXGQ2OU7NOoSM8Mhg/OedgoJrJ3Zs17/IJwUnEOkd 
EPq98F8ar7Epc9/H0p0ZxQflKrL40q/+6S/KLoR5ecoem7Vp3JN4HMI7 
U7z9gobvmBS2f7vekrFp60AXtihCcAypaWRhyl2IZUK7u11tNbN95It+ 
D/7IZLa3mFrVgMmeNRdd4uoOWzHxBZ4OusHNlnJ/rvE2smIS9RwEUbDW 
iu9/psMZpfEBY5XOLg9ubKog/jma+T6OEINEdH0mzGtv4WoYAStd17Ax 
mKHsf1N9PW8rNW+c63Y36VQYXhF+ikhPG3i1Q/a9tJVbN31u5EUtz2yV eUklXw==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

in-addr.arpa.   172800  IN  NS  a.in-addr-servers.arpa.
in-addr.arpa.   172800  IN  NS  b.in-addr-servers.arpa.
in-addr.arpa.   172800  IN  NS  c.in-addr-servers.arpa.
in-addr.arpa.   172800  IN  NS  d.in-addr-servers.arpa.
in-addr.arpa.   172800  IN  NS  e.in-addr-servers.arpa.
in-addr.arpa.   172800  IN  NS  f.in-addr-servers.arpa.
in-addr.arpa.   86400   IN  DS  47054 8 2 
5CAFCCEC201D1933B4C9F6A9C8F51E51F3B39979058AC21B8DF1B1F2 81CBC6F2
in-addr.arpa.   86400   IN  DS  53696 8 2 
13E5501C56B20394DA921B51412D48B7089C5EB6957A7C58553C4D4D 424F04DF
in-addr.arpa.   86400   IN  DS  63982 8 2 
AAF4FB5D213EF25AE44679032EBE3514C487D7ABD99D7F5FEC3383D0 30733C73
in-addr.arpa.   86400   IN  RRSIG   DS 8 2 86400 2021110700 
2021102423 52399 arpa. 
cW2ERU/EJzAVftlJSuGmnhXMKaLWDpaP5ZKyw69/x0r5u7wSuksZ9Din 
Y/dQi2ggf31k4nFBjLuBPU/FVCqoCc2VmF8RW4L4hIvo1OkcH5j0qMBI 
UcnSU8XmRbp7zE0wZfzUaNVX0VHKYr6Z0dMWuhSeB7V4moJ3L6pz0Zj+ 
H6zdAaepqE0GRN/DhzuscMEL755BMypHSauBhIuf/J33p1dr4LRfe/mf 
0J0SGB9Cxj555h504vXoCmwf96qwWNTyGzakwVTRVRvtMbIsg+8nJHJ4 
pcPHq3kOtrTYdY38z4BtJV0klaJIL2JYNUqFQkOeZRWsNLymz6gnfnBb Pr2oVA==
;; Received 861 bytes from 2001:500:1::53#53(h.root-servers.net) in 308 ms

1.in-addr.arpa. 86400   IN  NS  ns2.apnic.net.
1.in-addr.arpa. 86400   IN  NS  ns3.lacnic.net.
1.in-addr.arpa. 86400   IN  NS  apnic.authdns.ripe.net.
1.in-addr.arpa. 86400   IN  NS  rirns.arin.net.
1.in-addr.arpa. 86400   IN  NS  apnic1.dnsnode.net.
1.in-addr.arpa. 86400   IN  DS  23004 13 2 
3582737862817D55F8F7473BC58E620CFD4A0E1EF88F05C42C963113 3E32E894
1.in-addr.arpa. 86400   IN  RRSIG   DS 8 3 86400 20211107150454 
2021101714 51651 in-addr.arpa. 
FwkrCN7wo52nR6w5E6oyxrxOYWW+gzGK2EaWf0UgCELSKuZLqNFqnlLY 
+NWtott7UzXJmSl1OxmO74o13+mKJcgbYaTdbCQCeGgda68hxooP+LQ3 
AxEXnKYwyI803nOG9LVxIt03ln8S9r3bOje0i+AvZMjX5D+nO2fbW6K6 rVw=
;; Received 408 bytes from 2001:500:87::87#53(b.in-addr-servers.arpa) in 348 ms

1.1.1.in-addr.arpa. 86400   IN  NS  ns7.cloudflare.com.
1.1.1.in-addr.arpa. 86400   IN  NS  ns3.cloudflare.com.
99g3opuj99svu7j0634fc9ib4os7hqim.1.in-addr.arpa. 3600 IN NSEC3 1 0 5 
70A93501FFC3E41D 99PTB70MBGKHRHBLB8TLUG7DII191IOA NS
99g3opuj99svu7j0634fc9ib4os7hqim.1.in-addr.arpa. 3600 IN RRSIG NSEC3 13 4 3600 
20211105031842 20211021014842 2679 1.in-addr.arpa. 
PrGfRRQwXHSY237HPzTEAepc5ylC2v99BOEGlzfwIAN6lbYEapX2AoqL 
YzlBnk4PyfftZS+xURjjkS+kxzLWcA==
;; Received 333 bytes from 203.119.95.53#53(ns2.apnic.net) in 29 ms

1.1.1.in-addr.arpa. 3600    IN  SOA alec.ns.cloudflare.com. 
dns.cloudflare.com. 2036583626 1 2400 604800 3600
;; Received 111 bytes from 162.159.4.8#53(ns7.cloudflare.com) in 17 ms

% bin/dig/dig 1.1.1.1.in-addr.arpa +trace +nodnssec

; <<>> DiG 9.14.8 <<>> 1.1.1.1.in-addr.arpa +trace +nodnssec
;; global options: +cmd
.   331756  IN  NS  k.root-servers.net.
.   331756  IN  NS  i.root-servers.net.
.   331756  IN  NS  g.root-servers.net.
.   331756  IN  NS  j.root-servers.net.
.   331756  IN  NS  b.root-servers.net.
.   331756  IN  NS  c.root-se
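
To check the report objectively, as an added example that is not code from the thread: count, hop by hop, the DNSSEC record types (RRSIG, DS, NSEC, NSEC3) in saved dig +trace output; with +nodnssec the total should be zero. The sample trace is a constructed, shortened copy of the first trace in this reply.

```shell
#!/bin/sh
# Added example (not from the thread): summarise saved "dig +trace" output
# hop by hop, counting the DNSSEC record types that +nodnssec is meant to
# suppress. Run "dig <name> +trace +nodnssec > trace.txt" and pass that file.

# Constructed sample: a shortened copy of the first trace in the reply
# (wrapped RRSIG/DS lines rejoined, signature data cut short).
SAMPLE_TRACE=$(mktemp)
cat >"$SAMPLE_TRACE" <<'EOF'
.   331767  IN  NS  a.root-servers.net.
.   331767  IN  RRSIG   NS 8 0 518400 2021110417 2021102216 14748 . FERgiY720i...
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

in-addr.arpa.   172800  IN  NS  a.in-addr-servers.arpa.
in-addr.arpa.   86400   IN  DS  47054 8 2 5CAFCCEC201D...
in-addr.arpa.   86400   IN  RRSIG   DS 8 2 86400 2021110700 2021102423 52399 arpa. cW2ERU...
;; Received 861 bytes from 2001:500:1::53#53(h.root-servers.net) in 308 ms

1.1.1.in-addr.arpa. 3600    IN  SOA alec.ns.cloudflare.com. dns.cloudflare.com. 2036583626 1 2400 604800 3600
;; Received 111 bytes from 162.159.4.8#53(ns7.cloudflare.com) in 17 ms
EOF

# Field 4 of an answer line is the record type; a ";; Received ... from
# <addr>#<port>(<server>)" line closes a hop. Prints "<server> <count>".
dnssec_per_hop() {
    awk '$4 ~ /^(RRSIG|DS|NSEC|NSEC3)$/ { n++ }
         /^;; Received .* from / {
             match($0, /\(.*\)/)
             print substr($0, RSTART + 1, RLENGTH - 2), n + 0
             n = 0
         }' "$1"
}

# Total DNSSEC records across all hops; expected 0 for a +nodnssec trace.
dnssec_total() {
    awk '$4 ~ /^(RRSIG|DS|NSEC|NSEC3)$/ { n++ } END { print n + 0 }' "$1"
}

dnssec_per_hop "$SAMPLE_TRACE"
echo "total: $(dnssec_total "$SAMPLE_TRACE")"
```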

Re: Certbot rfc2136

2021-10-24 Thread Mark Andrews


> On 25 Oct 2021, at 06:39, Paul van der Vlis  wrote:
> 
> Hello,
> 
> I am trying to get Certbot working using rfc2136. But during the validation I 
> get these errors:
> ---
> Oct 24 02:14:21 ns1 named[343]: client @0x7f70e43b7d08 
> 45.95.238.187#57242/key test3.hallo24.nl: updating zone 'hallo24.nl/IN'
> : adding an RR at '_acme-challenge.test3.hallo24.nl' TXT 
> "qYxXiH34V8T0lFtsUOd_BPMZCBiA-FgAiJ-0nUGHsYE"
> Oct 24 02:14:21 ns1 named[343]: dns_dnssec_findzonekeys2: error reading 
> Khallo24.nl.+013+02962.private: file not found
> Oct 24 02:14:21 ns1 named[343]: dns_dnssec_findzonekeys2: error reading 
> Khallo24.nl.+013+01290.private: file not found
> ---
> 
> These files are in /etc/bind/keys/, and normally that's no problem.
> 
> I've tried to specify the "key-directory" in the bind configuration, but when 
> I do that I get an error during "rndc reload", so I cannot specify a 
> key-directory.  This is Bind 9.16.15 from Debian 11.
> 
> What do I wrong?

Failed to post the actual error messages reported.  Named would have logged 
error messages.

Failed to post what you actually did.  “I tried to specify the "key-directory" 
in the bind configuration” is not what you actually did.  Post the parts of 
named.conf.

Failed to run named-checkconf before you ran 'rndc reload' to check that you 
didn't have an error.

How do you start named?  Do you run chrooted?

At the moment you are saying “I did something. It didn’t work. Tell me what I 
did wrong.”  Without crystal balls no one here has a chance of telling you.

> Does somebody know a good howto to get this working? I use now this:
> https://certbot-dns-rfc2136.readthedocs.io/en/stable/
> but in my opinion it's not complete enough.
> 
> With regards,
> Paul
> -- 
> Paul van der Vlis Linux systeembeheer Groningen
> https://www.vandervlis.nl/

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
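
One way to act on this advice, as an added example that is not code from the thread or from ISC: pull the key file names out of named's log and check them against the directory you believe holds the keys. It assumes the log format quoted above, and that named looks for these files in the zone's key-directory, which defaults to named's working directory. The sample log lines are constructed from the ones quoted in the thread.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the thread or from ISC) for the
# "dns_dnssec_findzonekeys2: error reading K<zone>.+<alg>+<id>.private:
# file not found" messages. Assumption: named looks for these files in
# the zone's key-directory, which defaults to named's working directory,
# so "not found" while the files sit in /etc/bind/keys usually means
# named is looking in a different directory or cannot read that one.

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Oct 24 02:14:21 ns1 named[343]: client @0x7f70e43b7d08 45.95.238.187#57242/key test3.hallo24.nl: updating zone 'hallo24.nl/IN': adding an RR at '_acme-challenge.test3.hallo24.nl' TXT "qYxXiH34V8T0lFtsUOd_BPMZCBiA-FgAiJ-0nUGHsYE"
Oct 24 02:14:21 ns1 named[343]: dns_dnssec_findzonekeys2: error reading Khallo24.nl.+013+02962.private: file not found
Oct 24 02:14:21 ns1 named[343]: dns_dnssec_findzonekeys2: error reading Khallo24.nl.+013+01290.private: file not found
EOF

# Print each key file named in a "file not found" message, once each.
missing_key_names() {
    sed -n 's/.*dns_dnssec_findzonekeys2: error reading \([^:]*\): file not found.*/\1/p' "$1" | sort -u
}

# Compare the reported names with a directory. Prints one line per key and
# returns 1 if at least one is absent. "-r" tests readability for the user
# running this script; run it as the user named runs as (inside the chroot,
# if any) to see the same view named has.
check_key_dir() {
    log="$1"; keydir="$2"; rc=0
    for k in $(missing_key_names "$log"); do
        if [ -r "$keydir/$k" ]; then
            echo "$k: present and readable in $keydir; check the zone's key-directory and named's user/chroot"
        else
            echo "$k: absent from $keydir"
            rc=1
        fi
    done
    return "$rc"
}

# As the reply advises, validate named.conf before any "rndc reload".
if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf || echo "named-checkconf reported a problem; fix it before reloading"
fi

check_key_dir "$SAMPLE_LOG" /etc/bind/keys || echo "some reported keys are missing from /etc/bind/keys"
```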
