Re: Question about DNSSEC

2024-11-01 Thread Bob McDonald
Thanks guys! As usual, you've taught me an invaluable lesson. Regards, Bob On Fri, Nov 1, 2024 at 11:42 AM Evan McKinney wrote: > Even with a CNAME record, the delv command will validate each step of the > resolution. You can use the +vtrace option to see each validation and > +mtrace to see

Re: Question about DNSSEC

2024-11-01 Thread Bob McDonald
Sorry, I get the DO and AD flags confused. I see now that DIG is telling me that somewhere in the chain there is an entry that is not validated. I was doing everything manually. And yes, I saw that DELV runs the chain. Thanks again, Bob -- Visit https://lists.isc.org/mailman/listinfo/bind-user

Re: Question about DNSSEC

2024-11-01 Thread Evan McKinney
Even with a CNAME record, the delv command will validate each step of the resolution. You can use the +vtrace option to see each validation and +mtrace to see each individual message. -Evan Ondřej Surý wrote: DO flag is indication to “do DNSSEC”, it

Re: Question about DNSSEC

2024-11-01 Thread Ondřej Surý
DO flag is indication to “do DNSSEC”, it has no other meaning. You should be looking for AD flag. As for delv output - it prints out which names are validated and those that are not. I don’t see anything wrong here. -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different.

Re: Question about DNSSEC

2024-11-01 Thread Bob McDonald
The host is www.irs.gov. A further question. DIG sets the DO flag even though the second and third entries in the CNAME chain are not signed. There's basically no indication that there's really any issue. DELV indicates the host as "fully validated" then flags the second entry in the CNAME chain

Re: Question about DNSSEC

2024-10-31 Thread G.W. Haywood
Hi there, On Thu, 31 Oct 2024, Crist Clark wrote: Name names. DNS is out there in public. There are a LOT of US .gov sites where the .gov is all signed, but it ends up in $BIGCLOUDPROVIDER that is not. www.gsa.gov www.state.gov www.house.gov www.senate.gov www.cia.gov www.cisa.gov (*ehem*) ww

Re: Question about DNSSEC

2024-10-31 Thread Crist Clark
Name names. DNS is out there in public. There are a LOT of US .gov sites where the .gov is all signed, but it ends up in $BIGCLOUDPROVIDER that is not. www.gsa.gov www.state.gov www.house.gov www.senate.gov www.cia.gov www.cisa.gov (*ehem*) www.get.gov (not even .gov is signed?!) Same thing for

Re: Question about DNSSEC

2024-10-31 Thread Mark Andrews
> On 1 Nov 2024, at 09:15, Bob McDonald wrote: > > If a host is defined as a CNAME chain where the domain of the host is DNSSEC > signed but the domain(S) of the target(s) in the CNAME chain are not, does > that mean that the entry really isn't DNSSEC protected? Correct. Every element of t

Question about DNSSEC

2024-10-31 Thread Bob McDonald
If a host is defined as a CNAME chain where the domain of the host is DNSSEC signed but the domain(S) of the target(s) in the CNAME chain are not, does that mean that the entry really isn't DNSSEC protected? I can list an example dig for the host in question but I'm reluctant to do so as it's a US

Re: question about DNSSEC with PKCS11

2023-08-15 Thread Jan-Piet Mens
1. since I use HSM (now softhsm) to store the DNSSEC key, is it more insecure to convert the key(s) from HSM to .private file with dnssec-keyfromlabel ? keys are not actually 'converted' with this utility; instead the .private file links to the corresponding private (and typically unexportab

Re: question about DNSSEC with PKCS11

2023-08-08 Thread Matthijs Mekking
Hi, The KB article was written before dnssec-policy. Unfortunately, OpenSSL with engine_pkcs11 does not support creating keys. So if you want to use an HSM with dnssec-policy, you will need to create the keys yourself and you can then import them in the key-directory with dnssec-keyfromlabel.

question about DNSSEC with PKCS11

2023-08-04 Thread sun guonian
hi, I have tried the DNSSEC sign testing according to the document, https://kb.isc.org/docs/bind-9-pkcs11 (and section 5.5 of the Bv9ARM of version 9.18.16). I have two questions about it: 1. since I use HSM (now softhsm) to store the DNSSEC key, is it more insecure to convert the key(s) from HS

Re: A few conceptual question about dnssec.

2012-03-03 Thread Mark Andrews
In message , Kevin Oberman writes: > On Fri, Mar 2, 2012 at 11:17 PM, dE . wrote: > > On 02/18/12 00:36, Gaurav kansal wrote: > > > > > > > > > > > > Firstly, where do we get the public key for the DS records? > > > > Can you clarify your question??? > > > > > > > > Second, why do I get multiple

Re: A few conceptual question about dnssec.

2012-03-03 Thread Kevin Oberman
On Fri, Mar 2, 2012 at 11:17 PM, dE . wrote: > On 02/18/12 00:36, Gaurav kansal wrote: > > > > > > Firstly, where do we get the public key for the DS records? > > Can you clarify your question??? > > > > Second, why do I get multiple DS records as response? – > > You will always get a 2 DS Records

Re: A few conceptual question about dnssec.

2012-03-02 Thread dE .
On 03/03/12 12:47, dE . wrote: On 02/18/12 00:36, Gaurav kansal wrote: Firstly, where do we get the public key for the DS records? Can you clarify your question??? Second, why do I get multiple DS records as response? -- You will always get a 2 DS Records in response. One for SHA-1 and se

Re: A few conceptual question about dnssec.

2012-03-02 Thread dE .
On 02/18/12 00:36, Gaurav kansal wrote: Firstly, where do we get the public key for the DS records? Can you clarify your question??? Second, why do I get multiple DS records as response? -- You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256. I was read

Re: A few conceptual question about dnssec.

2012-02-20 Thread Tony Finch
dE . wrote: > > Ok, so the DS record is not encrypted. DNSSEC is about signatures: nothing is encrypted. DS records are signed: a DS RRset has an RRSIG. For example, ; <<>> DiG 9.8.1-P1 <<>> +multi +dnssec DS isc.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: N

Re: A few conceptual question about dnssec.

2012-02-18 Thread dE .
On 02/18/12 22:55, Jeremy C. Reed wrote: I started writing a book introducing DNSSEC a few years ago. Would you like to read a draft of it? Book on DNSSEC? Ok. Thanks.

Re: A few conceptual question about dnssec.

2012-02-18 Thread Phil Mayers
On 02/18/2012 04:35 PM, dE . wrote: On 02/18/12 00:36, Gaurav kansal wrote: Firstly, where do we get the public key for the DS records? Can you clarify your question??? The DS record is a signature right? Wrong. You're asking a lot of basic questions here. Maybe you could go off and

Re: A few conceptual question about dnssec.

2012-02-18 Thread dE .
On 02/18/12 22:14, Axel Rau wrote: Am 18.02.2012 um 17:35 schrieb dE .: The DS record is a signature right? No its the hash of a DNSKEY (KSK) in the child zone. The DS is signed with a RRSIG. Axel --- PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius Thanks for the clari

Re: A few conceptual question about dnssec.

2012-02-18 Thread dE .
On 02/18/12 02:41, Tony Finch wrote: dE . wrote: Firstly, where do we get the public key for the DS records? A zone's DNSKEY RRset contains its public keys, and these are hashed to make its DS records. For example, $ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g' isc.org. I

Re: A few conceptual question about dnssec.

2012-02-18 Thread Axel Rau
Am 18.02.2012 um 17:35 schrieb dE .: > The DS record is a signature right? No its the hash of a DNSKEY (KSK) in the child zone. The DS is signed with a RRSIG. Axel --- PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius

Re: A few conceptual question about dnssec.

2012-02-18 Thread dE .
On 02/18/12 00:36, Gaurav kansal wrote: Firstly, where do we get the public key for the DS records? Can you clarify your question??? The DS record is a signature right? It has to be decrypted using a public key and the decrypted hash has to be compared to the DNSKEY's hash. So what I'm a

Re: A few conceptual question about dnssec.

2012-02-17 Thread Tony Finch
dE . wrote: > Firstly, where do we get the public key for the DS records? A zone's DNSKEY RRset contains its public keys, and these are hashed to make its DS records. For example, $ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g' isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1

RE: A few conceptual question about dnssec.

2012-02-17 Thread Gaurav kansal
[ Quoting gaurav.kan...@nic.in at 00:36 on Feb 18 in "RE: A few conceptual..." ] > Firstly, where do we get the public key for the DS records? > > Can you clarify your question??? > > > > Second, w

Re: A few conceptual question about dnssec.

2012-02-17 Thread Miek Gieben
[ Quoting at 00:36 on Feb 18 in "RE: A few conceptual..." ] > Firstly, where do we get the public key for the DS records? > > Can you clarify your question??? > > > > Second, why do I get multiple DS records as response? – > > You will always get a 2 DS Records in response. One for SHA-1 and

RE: A few conceptual question about dnssec.

2012-02-17 Thread Gaurav kansal
Firstly, where do we get the public key for the DS records? Can you clarify your question??? Second, why do I get multiple DS records as response? - You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256. dig +dnssec -t DS isc.org @b0.org.afilia

A few conceptual question about dnssec.

2012-02-17 Thread dE .
Firstly, where do we get the public key for the DS records? Second, why do I get multiple DS records as response? -- dig +dnssec -t DS isc.org @b0.org.afilias-nst.org. ; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afi