Hi Josef,
Knot seems to be configured well, but you should ask your registrar how to set up the KEYSET correctly, since this problem is out of our scope.
The DS record for ajetaci.cz is still not in the cz. zone:
Hi,
I generated keys (KSK and ZSK) in the directory "/var/lib/knot/ajetaci.cz.keys" with the dnssec-keygen command:
dnssec-keygen -r /dev/urandom -f KSK ajetaci.cz
dnssec-keygen -r /dev/urandom ajetaci.cz
I set it in knot.conf:
...
ajetaci.cz {
  dnssec-enable on;
  dnssec-keydir "ajetaci.cz.keys";
  file "ajetaci.cz";
  xfr-out slave; # allow outgoing transfers
  notify-out slave;
  ixfr-from-differences on;
  semantic-checks on;
}
...
After "knotc reload", Knot signs the zone, as I can see in the log:
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. - - Key is valid, tag 36256, file Kajetaci.cz.+005+36256.private, KSK, active, public
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. - - Key is valid, tag 11937, file Kajetaci.cz.+005+11937.private, ZSK, active, public
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. - Successfully signed.
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. - planning next resign 2539522s(705h) from now.
I put the KSK key "Kajetaci.cz.+005+36256.key" into my KEYSET "KS-JOSEF-KARLIAK-BPBG" via my registrar's web administration (web4u.cz). So the key is published too. I hope so. So what did I miss?
Thanks and best regards
J.Karliak.
Quoting Jan Včelák <jan.vcelak(a)nic.cz>:
Hello,
I have gotten a bit lost with DNSSEC in Knot. I generated the keys, told Knot where to look for the keys, Knot signed them, no complaint from it. I also entered the key into the keyset at web4u, that went through too. But if I run drill on my zone, drill reports that I am missing a DS record or a trusted key:
drill -TD ajetaci.cz
The parent zone (cz) does not contain the DS record for your zone (ajetaci.cz), which means the delegation is insecure. I guess the keyset is not configured correctly.
% kdig @a.ns.nic.cz ajetaci.cz DS
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14190
;; Flags: qr aa rd; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; ajetaci.cz. 0 IN DS
;; AUTHORITY SECTION:
cz. 900 IN SOA a.ns.nic.cz. hostmaster.nic.cz. 1390145849 900 300 604800 900
;; Received 84 B
;; Time 2014-01-19 17:03:16 CET
;; From 194.0.12.1#53(UDP) in 14.8 ms
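As an added example (not from the thread, nor Knot's or the registrar's code), this is the check to run before blaming the registrar: derive the DS record that cz. must publish from the KSK's DNSKEY (the RDATA found in Kajetaci.cz.+005+36256.key) and compare it with the DS RRset the parent actually returns. The function names and the sample key are constructed assumptions; the real key file is not on the page.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(rdata_text: str) -> bytes:
    """'flags protocol algorithm base64key...' (the RDATA part of a K*.key line) -> wire bytes."""
    flags, proto, alg, *key = rdata_text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash (RFC 4034 / RFC 4509)

def dnskey_to_ds(owner: str, dnskey_rdata: str, digest_type: int = 2) -> str:
    """DS RDATA 'keytag algorithm digesttype HEXDIGEST' that the parent zone must publish."""
    rdata = parse_dnskey(dnskey_rdata)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{keytag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_published(expected_ds: str, parent_rrs: list) -> bool:
    """True if one DS record (zone-file / kdig presentation) in the parent's answer matches."""
    want = " ".join(expected_ds.upper().split())
    for rr in parent_rrs:
        fields = rr.upper().split()
        if "DS" in fields and " ".join(fields[fields.index("DS") + 1:]) == want:
            return True
    return False

if __name__ == "__main__":
    # Constructed KSK (flags 257 = KSK, algorithm 5 as in the thread); not the real key.
    fake_key = base64.b64encode(b"\x03\x01\x00\x01" + b"\x55" * 64).decode()
    ds = dnskey_to_ds("ajetaci.cz.", f"257 3 5 {fake_key}")
    print("DS the registrar must get into cz.:", ds)
    # The kdig answer above had ANSWER: 0, i.e. an empty DS RRset -> insecure delegation.
    print("published in parent:", ds_published(ds, []))
    print("published in parent:", ds_published(ds, [f"ajetaci.cz. 3600 IN DS {ds}"]))
```

Paste the real DNSKEY line's RDATA in place of the constructed key and the DS RRset from `kdig @a.ns.nic.cz ajetaci.cz DS` in place of the list; a False result means the parent is not publishing a DS for that KSK, regardless of how well Knot signs.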
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users