Hi there,
I migrated the DNS service from BIND 9.9.x to Knot 1.4.1, copied the
unsigned zone and keys to the knot directory, started knot, it signed it,
all seems to be OK, no complaints.
But when I test it, I get "RSA verification failed":
http://dnscheck.labs.nic.cz/?time=1390380204&id=100274&view=advance…
Anyway, the DNSViz test passed OK:
http://dnsviz.net/d/fnhk.cz/dnssec/
Keys are from named; the zone signed by named with these keys passed OK.
Knot doesn't complain about the keys, signs the zone and the zone is transferred
to slaves:
Jan 22 09:37:54 slimak knot[14186]: Semantic checks completed for
zone=fnhk.cz.
Jan 22 09:37:54 slimak knot[14186]: Zone 'fnhk.cz.' reloaded (serial
2014012201)
Jan 22 09:37:54 slimak knot[14186]: DNSSEC: Zone fnhk.cz. - Signing started...
Jan 22 09:37:54 slimak knot[14186]: DNSSEC: Zone fnhk.cz. - - Key is
valid, tag 64431, file Kfnhk.cz.+005+64431.private, ZSK, active, public
Jan 22 09:37:54 slimak knot[14186]: DNSSEC: Zone fnhk.cz. - - Key is
valid, tag 26812, file Kfnhk.cz.+005+26812.private, KSK, active, public
Jan 22 09:37:54 slimak knot[14186]: DNSSEC: Zone fnhk.cz. -
Successfully signed.
Jan 22 09:37:54 slimak knot[14186]: DNSSEC: Zone fnhk.cz. - planning
next resign 2582961s(717h) from now.
Jan 22 09:37:54 slimak knot[14186]: Loaded 3 out of 3 zones.
Jan 22 09:37:54 slimak knot[14186]: Applied differences of 'fnhk.cz.'
to zonefile.
Jan 22 09:37:54 slimak knot[14186]: Configuration reloaded.
Jan 22 09:37:54 slimak knot[14186]: NOTIFY of
'128/27.123.113.195.in-addr.arpa.' to '195.113.115.171@53': Query
issued (serial 2010060801).
Jan 22 09:37:54 slimak knot[14186]: NOTIFY of
'128/27.123.113.195.in-addr.arpa.' to '195.113.123.91@53': Query
issued (serial 2010060801).
Jan 22 09:37:54 slimak knot[14186]: NOTIFY of
'64/26.123.113.195.in-addr.arpa.' to '195.113.115.171@53': Query
issued (serial 2013010801).
Jan 22 09:37:54 slimak knot[14186]: NOTIFY of
'64/26.123.113.195.in-addr.arpa.' to '195.113.123.91@53': Query issued
(serial 2013010801).
Jan 22 09:37:54 slimak knot[14186]: NOTIFY of 'fnhk.cz.' to
'195.113.115.171@53': Query issued (serial 2014012202).
Jan 22 09:37:54 slimak knot[14186]: NOTIFY of 'fnhk.cz.' to
'195.113.123.91@53': Query issued (serial 2014012202).
Jan 22 09:37:55 slimak knot[14186]: Outgoing IXFR of 'fnhk.cz.' to
'195.113.123.91@33890': Started (serial 2014012102 -> 2014012202).
Jan 22 09:37:55 slimak knot[14186]: Outgoing IXFR of 'fnhk.cz.' to
'195.113.123.91@33890': Serial 2014012102 -> 2014012202.
Jan 22 09:37:55 slimak knot[14186]: Outgoing IXFR of 'fnhk.cz.' to
'195.113.123.91@33890': Finished in 0.00s.
Jan 22 09:37:55 slimak knot[14186]: Outgoing IXFR of 'fnhk.cz.' to
'195.113.115.171@58470': Started (serial 2014012102 -> 2014012202).
Jan 22 09:37:55 slimak knot[14186]: Outgoing IXFR of 'fnhk.cz.' to
'195.113.115.171@58470': Serial 2014012102 -> 2014012202.
Jan 22 09:37:55 slimak knot[14186]: Outgoing IXFR of 'fnhk.cz.' to
'195.113.115.171@58470': Finished in 0.00s.
Jan 22 09:41:40 slimak knot[14186]: Outgoing AXFR of 'fnhk.cz.' to
'195.113.123.91@42483': Started (serial 2014012202).
Jan 22 09:41:40 slimak knot[14186]: Outgoing AXFR of 'fnhk.cz.' to
'195.113.123.91@42483': Finished in 0.00s.
Thanks and best regards
J.Karliak.
Quoting Josef Karliak <karliak(a)ajetaci.cz>:
Hi,
thanks for the answer, I wrote an authorized request to web4u, I'll see
and let you know.
Thanks
J.Karliak.
Quoting Daniel Salzman <daniel.salzman(a)nic.cz>:
Hi Josef,
The configuration of Knot seems to be correct, but you
should ask your registrar
how to set up the KEYSET correctly, since this problem is out of our scope.
The DS record for ajetaci.cz is still not in the cz. zone:
http://dnssec-debugger.verisignlabs.com/ajetaci.cz
Dan
On 01/20/2014 07:26 AM, Josef Karliak wrote:
Hi,
I generated keys (KSK and ZSK) in the directory
"/var/lib/knot/ajetaci.cz.keys" with the dnssec-keygen command:
dnssec-keygen -r /dev/urandom -f KSK ajetaci.cz
dnssec-keygen -r /dev/urandom ajetaci.cz
I set it in knot.conf:
...
...
ajetaci.cz {
dnssec-enable on;
dnssec-keydir "ajetaci.cz.keys";
file "ajetaci.cz";
xfr-out slave; # allow outgoing transfers
notify-out slave;
ixfr-from-differences on;
semantic-checks on;
}
...
...
After "knotc reload" knot signs the zone, as I can see in the log:
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. - - Key
is valid, tag 36256, file Kajetaci.cz.+005+36256.private, KSK,
active, public
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. - - Key
is valid, tag 11937, file Kajetaci.cz.+005+11937.private, ZSK,
active, public
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. -
Successfully signed.
Jan 20 07:18:05 celer knot[809]: DNSSEC: Zone ajetaci.cz. -
planning next resign 2539522s(705h) from now.
I put the KSK key "Kajetaci.cz.+005+36256.key" into my KEYSET
"KS-JOSEF-KARLIAK-BPBG" over my registrar's web administration
(web4u.cz). So the key is published too, I hope. So what did I
miss?
Thanks and best regards
J.Karliak.
Quoting Jan Včelák <jan.vcelak(a)nic.cz>:
Hello,
> I'm a bit lost with DNSSEC in Knot. I generated the keys, told Knot
> where to look for them, Knot signed the zone, no complaint from it.
> I also entered the key into the keyset at web4u, that went through too.
> But if I do a drill of my zone, drill reports that I'm missing a DS
> record or a trusted key:
> drill -TD ajetaci.cz
The parent zone (cz) does not contain the DS record for your zone
(ajetaci.cz), which means the delegation is insecure. I guess the keyset
is not configured correctly.
% kdig @a.ns.nic.cz ajetaci.cz DS
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14190
;; Flags: qr aa rd; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; ajetaci.cz. 0 IN DS
;; AUTHORITY SECTION:
cz. 900 IN SOA a.ns.nic.cz.
hostmaster.nic.cz. 1390145849 900 300 604800 900
;; Received 84 B
;; Time 2014-01-19 17:03:16 CET
;; From 194.0.12.1#53(UDP) in 14.8 ms
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
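As an added illustration (not code from this thread, from Knot or from the list members), the check behind Jan's diagnosis: it derives the DS record the cz. parent would have to publish for a KSK such as the one generated with dnssec-keygen above (RFC 4034 key tag and DS digest), and classifies the delegation as insecure when the parent returns no DS, as the kdig query shows. The DNSKEY public key "AwEAAavN" and the parent DS list are constructed sample values, not the real ajetaci.cz key.

```python
"""Derive the DS a parent must publish for a child's KSK (RFC 4034 section 5.1.4,
key tag per Appendix B) and compare it with what the parent actually serves."""
import base64
import hashlib

DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest type -> hash


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, 'ajetaci.cz.' -> 07ajetaci02cz00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as found in a K*.key file: flags (257 = KSK), protocol 3, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag (the +NNNNN in the key file name) computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """(key tag, algorithm, digest type, hex digest): the DS the parent must publish."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)  # digest covers owner name + DNSKEY RDATA
    return key_tag(rdata), rdata[3], digest_type, h.hexdigest()


def delegation_status(owner: str, ksk_rdata: bytes, parent_ds: list) -> str:
    """'insecure' if the parent has no DS (the thread's case), 'secure' if one DS matches
    the KSK, 'bogus' if the parent publishes DS records that match no such key."""
    if not parent_ds:
        return "insecure"
    expected = {ds_record(owner, ksk_rdata, t) for t in DIGEST_ALGS}
    normalised = {(tag, alg, dt, dig.lower()) for tag, alg, dt, dig in parent_ds}
    return "secure" if expected & normalised else "bogus"


if __name__ == "__main__":
    # Constructed sample KSK: flags 257, protocol 3, algorithm 5 (RSASHA1, as in the log).
    ksk = dnskey_rdata(257, 3, 5, "AwEAAavN")
    print("key tag:", key_tag(ksk))
    print("DS to publish:", ds_record("ajetaci.cz.", ksk))
    print("parent has no DS ->", delegation_status("ajetaci.cz.", ksk, []))
```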
--
My domain uses SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
policy and checking. If you have problems sending email to me, start
using the email origin verification methods mentioned above. Thank you.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.