Zones not being recognised as Signed

2017-03-30 Thread J T
Hi,

I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .co.uk ).

I used Webmin to do the heavy lifting of signing/resigning etc.

Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on
restart/zone application and that fact is reported in the system logs.

I’m trying to work out why 3 are failing to be recognised as Signed.

No errors are reported as part of the signing process. The zonefiles appear
to have loads of DNSSEC related resource records.

e.g.

   - RRSIG (digital signature)
   - DNSKEY (public key)
   - DS (parent-child)
   - NSEC (proof of nonexistence)
   - NSEC3 (proof of nonexistence)
   - NSEC3PARAM (proof of nonexistence)

and the parent registrar has had DS records added.

As BIND is not flagging the zone as signed, it's not returning RRSIGs in the
Answer section of a query ( although they are provided in the Additional
section ).

I’m not really sure what the criteria are for BIND to decide a zone is
signed.

The same process is being used to sign/resign the 5 zones but only 2 are
flagged as signed.

Any tips on how to debug this would be appreciated.

Thanks,

Jay

Re: Zones not being recognised as Signed

2017-03-30 Thread J T
Hi Mark,

Thank you for responding. What do you mean by zone apex?

If we assume one of the domains that fails to be seen as signed is
"example.co.uk" then would the apex be the domain name with no prefixes?

I've changed the domain name but this is part of what I have in my signed
zone file for one of the zones that fails to be recognised as signed (
after the signing process).

example.co.uk. IN RRSIG *NSEC*3PARAM 7 3 0 20170429213251 20170330213251
39233 example.co.uk.  T1VK1lrlk+4++3Nr7WlS3CeJISCPofUuo799
S8wKrLG5UngbzRty1DQ2q6uPkiIVoqtuZJdd IklQIZxrCXt1NGSq8yQ4sNodVHMH90dvYQtY
UkViTVIqX15bcY/rLIwOXjrkfz6BB9oavzPZ cuycGR0zd76sgslFJNAZt8hv7XhXxnP94Ke7
VkxCsdpIT98WMrk6eBEtL76VTm855O2X/lw2 yQdLerE578rZSmOc4K6NKxqeAwVN9ktB9DnK
ugTJmZVIeF/IPcJzeOpNUHA8QkS/dbNqZ5Po 6CIpTzHospp6xHyBJ8V8GK5PSNLtiPaIHIkE
0C1LgiBLv7e4Hiejq2ZOrIiJAtMILiT95YcT n5LJaQkSsbNlS96nSmyE49iUMM4lWwOji3HG
+oLdGdRSwO+1ySyN4XyY2yIfAF+8oKsjHLyJ zeMhRqHI3kE0+zbtsw7sjQveNzpCxW7reIa+
XlDjX1SkYXucG/f7BPxYSBCf4Qf0wZgGFC9h oSPZFNsIpDYJnG3kiwPdXr5dDwKJyhX2iBQT
jb9omapnn6YBSN0xNnFwBZ5UqBNAkuOH4jQA CXSQW390CoKPt/gCQfdMkEEFd7dgsLeBQI36
ABsH1DQtxFqCjCdGK5gFmeKNGvzJPnNlT+++ Xy8VoMXX7xlM4qkSDwRjee8hT3s9ObLxWKI=

and

example.co.uk.   IN  DNSKEY  257 3 7
AwEAAbZFkjq1Q+7Z67VNF3DkvwZTFFK+sgM+2H+xFqkpyeHQoLmsSAWj
BoulxcEIVenvY/X8fFvHk4yemA0z9DWpVEL9//zGtIVInJqRzzVlx7QQ
RWDuYqya+U6YpzYkYX0DspOyzFFswtMclF0ktmFB7XOSEmy70OfJL4Oy
p4GI5wT8M26bQmDQ6w+UcHUO7M8ciF6qJ5JP68O34BlmUq7gGm1DlqVK
o1puldx22djX8GqvqhJjPaV5OHOXn4C5axR0IXiz9C39t1mjAkfxlHJW
kshl+ENmdyyI6hw1vOqLHRmGlDQnL2wdvwerYGfLUAAEYx7+n9v+Ubec
J83SBt90g5OGyT0JH2BTe5IaQeU8+OwQ97P0dRc3yIbGI9e0RSQuE1Zy
0YUHsIiHpTXrr16vBV97FPLzKGxV0i7AM15JoSCauUyr0DNA391pxVDd
HOeyqpxxV69jNWKcdPV7KJFBSEGI3Uthp8uzNRepdJolg0qxNZy8n5tx
4sWIGAF2pqLFPZDLPa6yrFazq85JwhYmeqtiR1YXdsxHnR+My714mApl
TiUD4EPP2ylbXeKvsOEWU0NwoAXf92uaSj9C8hH/JIboPDSk1/Y6uv5l
YufyA6f3UFbZPAeqlp2OifE9t0nCqfi43Od70qyvPULqo7S7gtpq6nWA fqSDCTGxBwOVthD9

example.co.uk.   IN  DNSKEY  256 3 7
AwEAAcqXsmOpeTwLI6ikMgz8JZWddUaKjcX+BpCtbkB9pmngl2JugzoQ
iW+NGcYgLjKkpPHxsHDPBBbfrFTy0l+htYyi6tudAjlNOju+tvMDB4VC
86aC100XcSF/h1eSqPxPZz4CjdeBI8x/ahbh7bKHILnokb2mK9CLpZ2w
j4UbCkXu8Of3WWamU3uAEnQ6Lm1xZ8HHxf86S5ev0e+bSm+JTkJVdk12
8iIBu6t9lWpYeSemtxHfLhK0Pm1evnHFpr17Sk9/yt5gUZkTd0d9nazT
GsUNjbgdyr943K05wAs5EEgqEIp5eI9zcJ1QeeXBG+co5grBa6Leq3Pm
zcqxwtzuB2VDRKr9P34tT5n5OY2jg+B98ERd3TiLJTF+wd5Pa5n+lVXt
nkAODvfYv+xlEgUqfnIxEfNc7aQKXwWaLBW1Hx25aobsXJ+vrdhE+sqd
Jbzjr8p+EG8ZS8gJ9c4B+snMOYwns7hVAATX/3K3XwJUcdGQoynm20iV
acDErzZRzHqW+XNtU5EnBjpdzK+Lz0wH63yXRIOd09ap6XACkRH1ApNo
syOFdEVwEgTJEPvavu6FH6YR6iHmVR+YqblSBOCP5jfdIVmHm+MfihJs
3whGNAo9XPFEYg+M6vJ8e04zMD17mWL4w/lilhLy1CbuzU2Bw1yniFRI P9mvO7K0z/mrPxWn

I compared it with one of the zones that is recognised as signed and I
see the following there:

workingexample.email. 38400 *IN NSEC* _dmarc.workingexample.email. A NS SOA
MX TXT  SSHFP RRSIG NSEC DNSKEY SPF

workingexample.email. *IN DNSKEY* 257 3 8
AwEAAeLetJzQo74Zi/qXJjF4JoF37qu0rXTWQzn7yUC058w76SrPVV4a
hZIPI9oBNcWn5yeP6qR/bIkBM1OKfP0qGgLRyLAZPdsB36q1BnEfLrbi
trZmlGY8+AnUxjpPbEscT/g47UJiN9exBs0wAPdwwTRypYwBOVzP7cRP
TiPf0QlMslMrgd9lpFhFQblj97sZiVTZCyJM2FhKo3bdwDpde6fkJV0I
Ilrj3X47hJMFwW3UbA+H8UE/8jWrhrmSPi5b/uxbMY9qkOeaFm/LexC6
tr89pCesYrnIqceQTsvJl7+HOB1WNzW4vkC0idzo1kq65Woo8FOvzM7x HukCPrlyWvc=

workingexample.email. *IN DNSKEY* 256 3 8
AwEAAbCKGjHIFvhlPpVeReXSDymlwlyeHwejRF0vBp7GTdFv2qCRI1Wc
9GDhVuUWmBv9gxynqQgf4K460RMia1ElZjOFQUZwB4i/OgvfAedEdjov
r+G7fHt45FShmR5WLuPOP1EGvJAki18rJgZL99PY4bAqq+s7Ut/SCmAs
gKsy1WkL0cfEyl4qWPDv5YRbM4NBCZUZfO7nzmjuvIY+rlGEC00=

So, it would appear that no 'IN NSEC' or 'IN NSEC3PARAM' is being added
when the 'example.co.uk' is signed.

As far as I can tell no error was reported during the signing process for
example.co.uk  - do you have any suggestions as to what might stop the
signing tool from adding the 'IN NSEC' or 'IN NSEC3PARAM' records ?

Jay

On 30 March 2017 at 23:02, Mark Andrews  wrote:

>
> In message  f5pug3...@mail.gmail.com>, J T writes:
> > Hi,
> >
> > I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .co.uk ).
> >
> > I used Webmin to do the heavy lifting of signing/resigning etc.
> >
> > Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on
> > restart/zone application and that fact is reported in the system logs.
> >
> > I’m trying to work out why 3 are failing to be recognised as Signed.
> >
> > No errors are reported as part of the signing process. The zonefiles
> > appear to have loads of DNSSEC related resource records.
> >
> > e.g.
> >
> >    - RRSIG (digital signature)
> >    - DNSKEY (public key)
> >    - DS (parent-child)
> >    - NSEC (proof of nonexistence)
> >    - NSEC3 (proof of nonexistence)
> >    - NSEC3PARAM (proof of nonexistence)
> >
> > and the parent registrar has 

Re: Zones not being recognised as Signed

2017-03-30 Thread J T
Please ignore the * in the copy pasted records. It seems the list converts
color text to be *TEXT* hehe


Re: Zones not being recognised as Signed

2017-03-30 Thread J T
Hi Mark,

I think I found the problem. Seems Webmin's code for handling the signing
wasn't dealing with NSEC3PARAM records properly. Essentially when merging
the signed records back into the original host file it was only putting
NSEC, NSEC3 and RRSIG. It wasn't handling NSEC3PARAM at all. The zones that
were "working" were using a different algorithm and so it didn't mismanage
those.

Sorry for troubling you. However your information did help me locate the
problem.

Thanks

Jay
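
A check for the failure described in this thread, added here as an example (not code from the thread, from Webmin or from BIND): it reads a signed zone file and reports an apex that carries DNSKEY and RRSIG records but no NSEC or NSEC3PARAM record. The rule it tests is inferred from the thread's diagnosis; the function names and both sample zones are constructed, and it assumes the file's origin equals the zone name.

```python
import re

TTL = re.compile(r"(\d+[smhdw]?)+", re.I)

def apex_types(zone_text, origin):
    """RR types present at the zone apex; RRSIGs are reported as RRSIG(<covered type>)."""
    origin = origin.lower().rstrip(".") + "."
    types, owner, buf, depth = set(), None, "", 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]               # strip comments (assumes no ';' in rdata)
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line    # join ( ... ) continuation lines
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        inherits = buf[0].isspace()               # leading blank: same owner as previous RR
        fields, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if not fields or fields[0].startswith("$"):   # $TTL / $ORIGIN directives
            continue
        if not inherits:
            owner = fields.pop(0).lower()
        while fields and (TTL.fullmatch(fields[0]) or fields[0].upper() == "IN"):
            fields.pop(0)                         # skip optional TTL and class
        if fields and owner in ("@", origin):
            rtype = fields[0].upper()
            covered = rtype == "RRSIG" and len(fields) > 1
            types.add(f"RRSIG({fields[1].upper()})" if covered else rtype)
    return types

def apex_problems(zone_text, origin):
    """Empty list when the apex has DNSKEY plus NSEC or NSEC3PARAM (rule assumed from the thread)."""
    t, problems = apex_types(zone_text, origin), []
    if "DNSKEY" not in t:
        problems.append("no DNSKEY at apex")
    if not {"NSEC", "NSEC3PARAM"} & t:
        problems.append("no NSEC or NSEC3PARAM at apex")
    for rr in ("NSEC", "NSEC3PARAM"):
        if f"RRSIG({rr})" in t and rr not in t:   # signature merged back, record dropped
            problems.append(f"RRSIG covers {rr} but the {rr} record is missing")
    return problems

# Constructed sample zones; key and signature data are placeholders, not real values.
BROKEN_ZONE = """$TTL 38400
example.co.uk. IN SOA ns1.example.co.uk. hostmaster.example.co.uk. (
        2017033001 10800 3600 604800 38400 )
        IN NS ns1.example.co.uk.
        IN DNSKEY 257 3 7 AwEAAQ==
        IN RRSIG NSEC3PARAM 7 3 0 20170429213251 20170330213251 39233 example.co.uk. c2ln
www.example.co.uk. IN A 192.0.2.10
"""
FIXED_ZONE = BROKEN_ZONE + "example.co.uk. 0 IN NSEC3PARAM 1 0 10 ABCD\n"
```

Running apex_problems() on each zone file after the signing tool has merged its output shows whether the NSEC3PARAM record survived the merge before BIND is reloaded.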
