Hi,
thanks for answer, I wrote authorized request do web4u, I'll see
and let you know ..
Thanks
J.Karliak.
Cituji Daniel Salzman <daniel.salzman(a)nic.cz>cz>:
Hi Josef,
The configuration of Knot seems to be configured well, but you
should ask your registrar
how to set up the KEYSET correctly, since this problem is out of our scope.
DS record for ajetaci.cz is still not in cz. zone:
http://dnssec-debugger.verisignlabs.com/ajetaci.cz
Dan
On 01/20/2014 07:26 AM, Josef Karliak wrote:
Hi,
I generate keys (KSK and ZSK) in the directory
"/var/lib/knot/ajetaci.cz.keys" by dnssec-keygen command:
dnssec-keygen -r /dev/urandom -f KSK ajetaci.cz
dnssec-keygen -r /dev/urandom ajetaci.cz
I set it in the knot.conf:
...
...
ajetaci.cz {
dnssec-enable on;
dnssec-keydir "ajetaci.cz.keys";
file "ajetaci.cz";
xfr-out slave; # allow outgoing transfers
notify-out slave;
ixfr-from-differences on;
semantic-checks on;
}
...
...
After "knotc reload" knot signs zone as I can see it in the log:
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. - - Key
is valid, tag 36256, file Kajetaci.cz.+005+36256.private, KSK,
active, public
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. - - Key
is valid, tag 11937, file Kajetaci.cz.+005+11937.private, ZSK,
active, public
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. -
Successfully signed.
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. -
planning next resign 2539522s(705h) from now.
I put KSK key "Kajetaci.cz.+005+36256.key" to my KEYSET
"KS-JOSEF-KARLIAK-BPBG" over my registrar's web administration
(web4u.cz). So the key is published too. I hope so. So what I
missed ?
Thanks and best regards
J.Karliak.
Cituji Jan Včelák <jan.vcelak(a)nic.cz>cz>:
Hello,
trosku jsem se uz ztratil s dnssecem s knotem.
Vygeneroval jsem si
klice, rekl knotu, kde ma klice hledat, knot je podepsal, zadna stiznost
od nej. Klic jsem zadal i do keysetu na web4u, to proslo taky. Ale pokud
si udelam drill my zony, drill oznami, ze mi chybi DS zaznam nebo
trusted key:
drill -TD ajetaci.cz
The parent zone (cz) does not contain the DS record for your zone
(ajetaci.cz), which means the delegation is insecure. I guess the keyset
is not configured correctly.
% kdig @a.ns.nic.cz ajetaci.cz DS
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14190
;; Flags: qr aa rd; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; ajetaci.cz. 0 IN DS
;; AUTHORITY SECTION:
cz. 900 IN SOA a.ns.nic.cz.
hostmaster.nic.cz. 1390145849 900 300 604800 900
;; Received 84 B
;; Time 2014-01-19 17:03:16 CET
;; From 194.0.12.1#53(UDP) in 14.8 ms
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
--
Ma domena pouziva zabezpeceni a kontrolu SPF (
www.openspf.org) a
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (
www.openspf.org) and DomainKeys/DKIM (with ADSP)
policy and check. If you've problem with sending emails to me, start
using email origin methods mentioned above. Thank you.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.