Re: dnssec-keyfromlabel-pkcs11 label format

2016-01-14 Thread arun
My bad, there was a newline /n character at the pin file.




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


difference in responses between UDP and TCP

2017-06-15 Thread Arun Natarajan
Hello,

Wondering why we are seeing different serial numbers from a bind
authoritative server for requests over UDP and TCP.

dig +tcp soa @ns.example.com example.com +short
ns1.example.com. hostmaster.example.com. 2017061505 10800 3600 360 3600

dig +notcp soa @ns.example.com example.com +short
ns1.example.com. hostmaster.example.com. 2017061506 10800 3600 360 3600

any idea?

thanks,

--
arun

Re: difference in responses between UDP and TCP

2017-06-18 Thread Arun Natarajan
Hello Anand,

Thanks for the response.

>
> Perhaps the zone got updated between your queries.
>
> Have you (as one should in a proper experiment) repeated these queries
> to demonstrate that this is happening consistently?
>

Yes, it is a consistent behaviour. It happens with some of our secondaries.

for example:
dig +tcp @212.26.18.3 pub.sa
serial: 2017061804
dig +notcp @212.26.18.3 pub.sa
serial: 2017061805


> If it is happening consistently, then it's possible that you have *two*
> DNS servers listening on the server, one on the UDP socket, and another
> on the TCP socket, and they're loaded with different zones.
>

To my understanding, they are running bind with one configuration. Will
double check anyway.

thanks,
arun

Re: difference in responses between UDP and TCP

2017-06-18 Thread Arun Natarajan
Hello Tony,


>
> Without knowing the server host name and zone name there could be lots of
> different reasons, so there isn't really any way to answer.
>

True,

dig +tcp @212.26.18.3 pub.sa
serial: 2017061804
dig +notcp @212.26.18.3 pub.sa
serial: 2017061805

--
arun

Re: difference in responses between UDP and TCP

2017-06-18 Thread Arun Natarajan
>
> If it is happening consistently, then it's possible that you have *two*
>> DNS servers listening on the server, one on the UDP socket, and another
>> on the TCP socket, and they're loaded with different zones.
>>
>
>
You are right, it seems there are two DNS processes listening, one on TCP and one on UDP.  :)

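The UDP-versus-TCP serial check from this thread, as an added diagnostic script (not from any poster): it parses `dig +short soa` output, compares the serial obtained over each transport, and repeats the query so that a zone update between two queries is not mistaken for two servers sharing port 53. It assumes dig(1) from BIND is installed for the live check; the sample lines are constructed.

```shell
#!/bin/sh
# Extract the serial (third field) from one line of `dig +short soa` output, e.g.
#   ns1.example.com. hostmaster.example.com. 2017061505 10800 3600 360 3600
# Lines starting with ';' are dig diagnostics (timeouts etc.), not answers.
soa_serial() {
    printf '%s\n' "$1" | awk '$1 !~ /^;/ && NF >= 3 { print $3; exit }'
}

# Compare the serial seen over UDP with the one seen over TCP.
# Returns 0 if they agree, 1 on a mismatch, 2 if either answer was missing.
compare_serials() {
    udp="$1"; tcp="$2"
    if [ -z "$udp" ] || [ -z "$tcp" ]; then
        echo "could not obtain an SOA serial over both transports"
        return 2
    fi
    if [ "$udp" = "$tcp" ]; then
        echo "serials agree ($udp)"
        return 0
    fi
    echo "MISMATCH: udp=$udp tcp=$tcp"
    echo "  a persistent mismatch suggests two name servers bound to port 53,"
    echo "  one on the UDP socket and one on the TCP socket, serving different zone copies;"
    echo "  on the host, list the listeners with: ss -lnp 'sport = :53'   (Linux)"
    return 1
}

# Live check: query both transports several times (default 3) and fail if any run differs.
# Usage: check_transports <server> <zone> [runs]
check_transports() {
    server="$1"; zone="$2"; runs="${3:-3}"; i=0; rc=0
    while [ "$i" -lt "$runs" ]; do
        u=$(soa_serial "$(dig +notcp +short soa "$zone" "@$server" 2>/dev/null)")
        t=$(soa_serial "$(dig +tcp +short soa "$zone" "@$server" 2>/dev/null)")
        compare_serials "$u" "$t" || rc=1
        i=$((i + 1))
    done
    return $rc
}

# Constructed sample answers shaped like the output quoted in the thread.
SAMPLE_UDP='ns1.example.com. hostmaster.example.com. 2017061506 10800 3600 360 3600'
SAMPLE_TCP='ns1.example.com. hostmaster.example.com. 2017061505 10800 3600 360 3600'
compare_serials "$(soa_serial "$SAMPLE_UDP")" "$(soa_serial "$SAMPLE_TCP")" || true

# Against a real server (needs dig):  check_transports ns.example.com example.com
```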

native pkcs#11 and dynamic signing issues

2016-01-21 Thread Arun N S
Running bind 9.10.3-7.P2, with softhsm-2.0.0rc1-3 on Fedora 23.


I was able to sign the zones with dnssec-signzone-pkcs11 command line,


# dnssec-signzone-pkcs11 example.com
Verifying the zone using the following algorithms: RSASHA2.
Zone fully signed:
Algorithm: RSASHA2: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked


but with dynamic signing the logs were showing
"dns_dnssec_findmatchingkeys: error reading key file
Kexample.com.+008+01234.private: no engine"


Zone configuration:
zone "example.com" IN {
type master;
file "zones/example.com";
auto-dnssec maintain;
inline-signing yes;
};


# rndc sign example.com
received control channel command 'sign example.com'
zone example.com/IN (signed): reconfiguring zone keys
dns_dnssec_findmatchingkeys: error reading key file
Kexample.com.+008+01234.private: no engine
dns_dnssec_findmatchingkeys: error reading key file
Kexample.+008+05678.private: no engine
zone example.com/IN (signed): next key event: 21-Jan-2016 13:36:59.184

any idea?

Thanks,
Arun

Re: native pkcs#11 and dynamic signing issues

2016-01-21 Thread Arun N S
Thanks for the response.

My understanding is that, when you use native pkcs#11, it is not dependent
on the openssl engine. But yes, bind is chrooted. I tried to run it
without chroot and still got the same issue. The private key reference file
created by dnssec-keyfromlabel has the Engine defined as "Engine:
cGtjczExAA=="

--
arun


On Thu, Jan 21, 2016 at 1:01 PM, Tony Finch  wrote:

> Arun N S  wrote:
> >
> > but with dynamic signing the logs were showing
> >  "dns_dnssec_findmatchingkeys: error reading key file
> > Kexample.com.+008+01234.private: no engine"
> >
> > any idea?
>
> Wild guess (I know nothing about PKCS#11): are you running chrooted, and
> if so is the relevant OpenSSL engine plugin in usr/lib/engines in the
> chroot?
>
> Tony.
> --
> f.anthony.n.finchhttp://dotat.at/
> Forth, Tyne, Dogger: South 4 or 5, backing southeast 6 or 7, perhaps gale 8
> later. Moderate or rough, occasionally slight at first. Showers, then rain.
> Good, occasionally moderate.
>

Re: native pkcs#11 and dynamic signing issues

2016-01-24 Thread Arun N S
The issue is fixed.

I was using the default named daemon, which is not aware of the native
pkcs#11 compiled in. I started named-pkcs11, fixed a couple of permission
issues, and it worked.

# rndc sign example.com
received control channel command 'sign example.com'
zone sa/IN (signed): reconfiguring zone keys
# zone example.com/IN (signed): next key event: 24-Jan-2016 12:29:40.234
zone example.com/IN (signed): sending notifies (serial 2016012006)

--
arun

How to keep the KSK private key offline with BIND dynamic signing?

2016-01-24 Thread Arun N S
Tried to include the DNSKEY and RRSIG for the KSK manually in the unsigned zone
file along with the ZSK key ($INCLUDE dynamic/example.com.+008+012345.key).
The dnssec-signzone succeeded, even though it was complaining about the
path for the KSK.

# dnssec-signzone-pkcs11 example.com
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading
private key file example.com/RSASHA256/23456: file not found
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
  ZSKs: 1 active, 0 stand-by, 0 revoked

# dig @localhost example.com dnskey +dnssec
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8
AwEAAdkaiQFx+JpWOla3vhucotyePO/
example.com. 3600 IN DNSKEY 257 3 8
AwEAAZt2BKCYKvu6Avr.

But when I tried to include the same unsigned zone file and used the rndc tool
(rndc sign example.com) or restarted named, the signed zone file generated
does not have the DNSKEY for the KSK.

# dig @localhost example.com dnskey +dnssec
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 8
AwEAAdkaiQFx+JpWOla3vhucotyePO/

Any ideas?

--
arun