Hello Chris,

SUMMARY: the DNSSEC debugger is broken and your domain is fine.

On 07 Feb 2014, at 12:22 , Chris <li...@shthead.com> wrote:

> The signing errored due to the 'type' column not allowing NULL. I updated the 
> schema to allow this.

Good.

> 2. I disabled dnssec on the domain and enabled it again:
> 
> # pdnssec --config-dir=/etc/powerdns --config-name=internal disable-dnssec r-9.net
> # pdnssec --config-dir=/etc/powerdns --config-name=internal secure-zone r-9.net
> Securing zone with rsasha256 algorithm with default key size
> Zone r-9.net secured
> Adding NSEC ordering information
> 
> 3. I set nsec3 narrow:
> 
> # pdnssec --config-dir=/etc/powerdns --config-name=internal set-nsec3 r-9.net '1 1 10 ffee' narrow
> NSEC3 (opt-out) set, please rectify-zone if your backend needs it

Also good. Don’t forget to run the rectify-zone (but this is not the issue 
here).

> From what I can see the DS records should have a key tag of 61424.

Correct!

> 5. I check using the verisign labs DNSSEC debugger to see if it passes, 
> http://dnssec-debugger.verisignlabs.com/r-9.net.
> 
> I get a couple of errors and warnings, mainly: The DS RRset was not signed by 
> any keys in the chain-of-trust

This is NOT an issue with your zone. The validator is saying that .net failed 
to provide a valid signature for the DS set it is serving — which is untrue, 
and even if it was true, it would not be something you can control. This is a 
bug in the Verisign DNSSEC debugger.

Meanwhile, any testing I can think of locally suggests that your domain is 
working well and is secured correctly.
 
> Using the same process as above on another domain with no SRV records results 
> in no errors.

The SRV records do not appear to be part of the issue here.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
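The key-tag check Chris mentions above, as an added example that is not code from this thread or from PowerDNS: it recomputes a DNSKEY's key tag (RFC 4034 Appendix B) and the matching DS RDATA (RFC 4034 section 5.1.4) so you can confirm that the DS published at the parent matches the DNSKEY your zone actually serves. The DNSKEY in it is a constructed placeholder; the 61424 tag in the thread can only be reproduced from the real r-9.net key.

```python
import base64
import hashlib
import struct

def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, no compression."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line: str) -> tuple[str, bytes]:
    """Parse a presentation-format DNSKEY RR into (owner, wire RDATA)."""
    tok = line.split()
    i = tok.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tok[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tok[i + 4:]))
    return tok[0], struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; algorithm 1 (RSA/MD5) has its own rule."""
    if rdata[3] == 1:
        # RSA/MD5: the high 16 bits of the low 24 bits of the modulus
        return struct.unpack("!H", rdata[-3:-1])[0]
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_rdata(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RDATA 'keytag algorithm digesttype digest' over owner name + DNSKEY RDATA."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    digest = hashers[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

# Constructed sample KSK (flags 257, algorithm 8 = RSA/SHA-256). The 4-byte
# "key" is a placeholder, not a usable RSA key and not r-9.net's real DNSKEY.
SAMPLE_DNSKEY = "r-9.net. 3600 IN DNSKEY 257 3 8 AQIDBA=="

def check_ds(dnskey_line: str, published_ds: str) -> bool:
    """True when the DS published at the parent matches the child's DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    return published_ds.upper().split() == ds_rdata(owner, rdata).split()

if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    print("key tag:", key_tag(rdata))
    print("DS:", ds_rdata(owner, rdata))
```

Feed it the DNSKEY line from `dig +norec DNSKEY r-9.net @your-server` and the DS from `dig DS r-9.net @a.gtld-servers.net` to compare the two sides of the delegation.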
