Hello list,
we resolved the problem with Josef privately. If you are interested in where the
problem was, here is a quick summary:
- Josef's zone was signed on a BIND master (using dnssec-signzone).
- The zone got propagated to all slave servers.
- The BIND master was replaced with Knot DNS, the same signing keys were set,
but the existing signatures were removed from the zone. The SOA serial was
not incremented.
- Knot DNS signed the zone, the DNSSEC records were written to the journal.
- The new records were propagated to slaves using IXFR.
As a result, the zone on the slaves was inconsistent with the zone on the
master. The slaves contained "old" DNSSEC records, which the master was not
aware of before the signing.
If the SOA had been incremented before Knot DNS signed the zone, the signed
zone would have been transferred using AXFR and the problem would not have
happened.
Or, if the signatures generated by BIND had not been removed, Knot DNS
would have preserved the valid signatures and the zone would have been
transferred using IXFR correctly.
I will update the Knot DNS documentation to be clearer about setting up the
new zone when migrating from BIND.
Regards,
Jan
Hello,
Please, can you check the XFR configuration between your master and slaves
first?
Your master server (slimak.fnhk.cz) and the slaves (dns2.fnhk.cz,
ns.hknet.cz) return SOA with the same serial, but the content of the zone
is obviously different. The responses from the slaves contain some
additional signatures.
Jan
% kdig fnhk.cz SOA @slimak.fnhk.cz. +dnssec
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 39851
;; Flags: qr aa rd; QUERY: 1; ANSWER: 2; AUTHORITY: 4; ADDITIONAL: 5
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B
;; QUESTION SECTION:
;; fnhk.cz. 0 IN SOA
;; ANSWER SECTION:
fnhk.cz. 86400 IN SOA slimak.fnhk.cz.
matous.fnhk.cz. 2014032504 14400 3600 1209600 9000
fnhk.cz. 86400 IN RRSIG SOA 5 2 86400 20140425080529
20140326080529 64431 fnhk.cz.
c49YFrzdpSiCZ0UE/h2or5LXNOL2SU8ufqQ9g/NxqPxLRD/be0U0A9xxOxIcSXFhXMwp4cNmZe1Z
jWKKD83mlXTJyWVSFYCCgYVw4Y8QeH8s7peDed/kpQLNKHKqJLvJzjdjI0YVYApj6/0pkMz59Eiu
cpX5eGpdhDlG8ADNjsg=
;; AUTHORITY SECTION:
fnhk.cz. 86400 IN NS ns.hknet.cz.
fnhk.cz. 86400 IN NS dns2.fnhk.cz.
fnhk.cz. 86400 IN NS slimak.fnhk.cz.
fnhk.cz. 86400 IN RRSIG NS 5 2 86400 20140425075238
20140326075238 64431 fnhk.cz.
qaQoCR6xpdl3PEEwMpobTFkfDcqMPc85f4XwTBRQ2mht56za18r3X8dMR6iXMhHOzFaq5kXSVHgO
XbvivKpYniCyjzitUc2tHvpungbipr4+hahND43GoAQ2u+XuxsK5fCQ0WHrWHfrV9Z0opgAXtEGN
wxVv44Ls3UOwNJ32Cpk=
;; ADDITIONAL SECTION:
dns2.fnhk.cz. 86400 IN A 77.48.63.10
dns2.fnhk.cz. 86400 IN RRSIG A 5 3 86400 20140425075238
20140326075238 64431 fnhk.cz.
Dm5mGHnHHJ8G4+dfePO3NsYJMcDThFYeaYsl50DeH6BXpkc9On1MTSNNGvsYP7pF0vJ2o/h0oGQO
LAPNgI1neXXd2gQ/QNMHzQHKr1RmeL0gAPmUlm0eR40G3KlWlQcaMo8P95soQc9hvV+fmYxMsM+V
DG8SiNk4jj4xbxV2o58=
slimak.fnhk.cz. 86400 IN A 195.113.123.85
;; Received 842 B
;; Time 2014-03-26 12:15:51 CET
;; From 195.113.123.85#53(UDP) in 5.1 ms
% kdig fnhk.cz SOA @dns2.fnhk.cz. +dnssec
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 26180
;; Flags: qr aa rd; QUERY: 1; ANSWER: 3; AUTHORITY: 5; ADDITIONAL: 5
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1220 B
;; QUESTION SECTION:
;; fnhk.cz. 0 IN SOA
;; ANSWER SECTION:
fnhk.cz. 86400 IN SOA slimak.fnhk.cz.
matous.fnhk.cz. 2014032504 14400 3600 1209600 9000
fnhk.cz. 86400 IN RRSIG SOA 5 2 86400 20140424152009
20140325152009 64431 fnhk.cz.
HxNL+fSb2NfEeLMMTwEjm/FqiFE1WQ7HOdnbKBKhOk0JkiO9pCst9gdIKg2TaCDKcFLwFwKrxgFV
uNNHsvYq1lkY9sb7G6CjmGqZ4FmJCjLzbBgRlbZm6VhzIL0ndNl1QkFFBhtaQVkCResCBIBj+E54
dLHmQ4LxKZEWBAWUBqc=
fnhk.cz. 86400 IN RRSIG SOA 5 2 86400 20140425080529 20140326080529 64431 fnhk.cz.
c49YFrzdpSiCZ0UE/h2or5LXNOL2SU8ufqQ9g/NxqPxLRD/be0U0A9xxOxIcSXFhXMwp4cNmZe1Z
jWKKD83mlXTJyWVSFYCCgYVw4Y8QeH8s7peDed/kpQLNKHKqJLvJzjdjI0YVYApj6/0pkMz59Eiu
cpX5eGpdhDlG8ADNjsg=
;; AUTHORITY SECTION:
fnhk.cz. 86400 IN NS ns.hknet.cz.
fnhk.cz. 86400 IN NS dns2.fnhk.cz.
fnhk.cz. 86400 IN NS slimak.fnhk.cz.
fnhk.cz. 86400 IN RRSIG NS 5 2 86400 20140424152009
20140325152009 64431 fnhk.cz.
WgSnXnteRiomQXqygt2Cyg26M0BpMvPrybUiY/tH3vjkGKF4kTQCptllTGyQSmft5Ju8nL9Ag05n
9ctnroZSfkFxiYoIVFT0eIBSrSKEYgiecxeQyIig3dRRNDTQ7UPpTIJseqctLg5UabGsm+R/j+JB
Zub3P8J3jVw+DhvCOF8=
fnhk.cz. 86400 IN RRSIG NS 5 2 86400 20140425075238 20140326075238 64431 fnhk.cz.
qaQoCR6xpdl3PEEwMpobTFkfDcqMPc85f4XwTBRQ2mht56za18r3X8dMR6iXMhHOzFaq5kXSVHgO
XbvivKpYniCyjzitUc2tHvpungbipr4+hahND43GoAQ2u+XuxsK5fCQ0WHrWHfrV9Z0opgAXtEGN
wxVv44Ls3UOwNJ32Cpk=
;; ADDITIONAL SECTION:
dns2.fnhk.cz. 86400 IN A 77.48.63.10
dns2.fnhk.cz. 86400 IN RRSIG A 5 3 86400 20140424152009
20140325152009 64431 fnhk.cz.
VFWM+ykl63yRxr+Qb5hIJnqfhnPwnXzbCN2+3IEGP9LX1x5Eu0H/69YFWC8bKwIk2ozN703d6oqr
2Q/HcdecGRG0P/rcFNu8B+TVZp7B4DxK94giOYZ7yOKOTRebNNt6rVI/qbytH4WgllJlndltnxL8
C6HvuILNKk1lsQjQT0E=
dns2.fnhk.cz. 86400 IN RRSIG A 5 3 86400 20140425075238 20140326075238 64431 fnhk.cz.
Dm5mGHnHHJ8G4+dfePO3NsYJMcDThFYeaYsl50DeH6BXpkc9On1MTSNNGvsYP7pF0vJ2o/h0oGQO
LAPNgI1neXXd2gQ/QNMHzQHKr1RmeL0gAPmUlm0eR40G3KlWlQcaMo8P95soQc9hvV+fmYxMsM+V
DG8SiNk4jj4xbxV2o58=
;; Received 1176 B
;; Time 2014-03-26 12:16:12 CET
;; From 77.48.63.10#53(UDP) in 17.0 ms
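The sequence Jan describes (BIND signatures stripped, SOA serial left unchanged, Knot DNS signing into its journal, slaves pulling the change by IXFR) and the check he ran against the servers (same serial, different content) can be reproduced with a small model. This is an added example, not code from the Knot DNS project or from anyone in this thread: the zone name, serial and records are constructed, signing is simulated by tagging RRSIG strings with the signer's name, and the "Knot keeps signatures that are already present" behaviour is an assumption that simplifies what Jan says about valid signatures being preserved.

```python
"""Model of the BIND -> Knot DNS migration problem discussed in this thread.

Added example; not code from the Knot DNS project or from any poster.
A zone is a SOA serial plus a set of RR strings. Signing is simulated by
adding one RRSIG string per RRset labelled with the signer ("by-bind",
"by-knot"); the label stands in for the differing inception times and
signature bytes of real RRSIGs. All zone data below is constructed.
"""
from dataclasses import dataclass

ZONE = "example.test."          # constructed zone name
START_SERIAL = 2014032501       # constructed serial

# Constructed unsigned zone content (the SOA is tracked via Zone.serial).
UNSIGNED = frozenset({
    f"{ZONE} NS ns1.{ZONE}",
    f"{ZONE} NS ns2.{ZONE}",
    f"ns1.{ZONE} A 192.0.2.1",
})


@dataclass(frozen=True)
class Zone:
    serial: int
    rrs: frozenset


def signatures_for(rrs, signer):
    """One simulated RRSIG per RRset, plus one covering the SOA."""
    rrsets = {tuple(rr.split()[:2]) for rr in rrs if " RRSIG " not in rr}
    rrsets.add((ZONE, "SOA"))
    return {f"{owner} RRSIG {rtype} by-{signer}" for owner, rtype in rrsets}


def knot_sign(zone, journal):
    """Knot signs the zone, bumps the serial and logs the change in its journal.

    Assumption for this model: signatures already present in the zone are
    valid, so Knot keeps them; only a zone without RRSIGs gets new ones.
    """
    has_sigs = any(" RRSIG " in rr for rr in zone.rrs)
    new_rrs = zone.rrs if has_sigs else zone.rrs | signatures_for(zone.rrs, "knot")
    signed = Zone(zone.serial + 1, frozenset(new_rrs))
    journal[(zone.serial, signed.serial)] = (zone.rrs - signed.rrs, signed.rrs - zone.rrs)
    return signed


def refresh(master, journal, slave):
    """Slave refresh: IXFR when the journal covers slave.serial -> master.serial,
    otherwise a full AXFR. Returns (new slave zone, transfer type)."""
    if master.serial == slave.serial:
        return slave, "none"
    step = (slave.serial, master.serial)
    if step in journal:
        removed, added = journal[step]
        return Zone(master.serial, (slave.rrs - removed) | added), "IXFR"
    return Zone(master.serial, master.rrs), "AXFR"


def compare(master, slave):
    """The check from the mail above: same serial, but is the content the same?"""
    return {
        "same_serial": master.serial == slave.serial,
        "only_on_slave": sorted(slave.rrs - master.rrs),
        "only_on_master": sorted(master.rrs - slave.rrs),
    }


def run(master_after_migration):
    """Slaves hold the BIND-signed zone; the new master is loaded as given."""
    slave = Zone(START_SERIAL, UNSIGNED | signatures_for(UNSIGNED, "bind"))
    journal = {}
    master = knot_sign(master_after_migration, journal)
    slave, how = refresh(master, journal, slave)
    return how, compare(master, slave)


def scenario_signatures_removed():
    """The thread's case: RRSIGs stripped, serial unchanged -> IXFR merges old and new sigs."""
    return run(Zone(START_SERIAL, UNSIGNED))


def scenario_serial_bumped():
    """Fix 1: bump the SOA serial before Knot signs -> journal gap forces AXFR."""
    return run(Zone(START_SERIAL + 1, UNSIGNED))


def scenario_signatures_kept():
    """Fix 2: load the BIND-signed zone into Knot -> valid RRSIGs kept, IXFR consistent."""
    return run(Zone(START_SERIAL, UNSIGNED | signatures_for(UNSIGNED, "bind")))


if __name__ == "__main__":
    for scenario in (scenario_signatures_removed, scenario_serial_bumped,
                     scenario_signatures_kept):
        how, report = scenario()
        print(f"{scenario.__name__}: {how}, {report}")
```

Running it shows the first scenario ending with master and slave on the same serial while the slave carries three extra `by-bind` RRSIGs, which is exactly the picture in the kdig output above; the two fixes end with identical content on both sides.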
Huh,
maybe I've found an error - I copied the unsigned zone to knot (but named
had signed it before and propagated it as a .signed zone). But knot signed
the unsigned zone and propagated it, and knot's signed zone has a different
lifetime - SOA record. See "http://dnsviz.net/d/fnhk.cz/UzKZgg/dnssec/".
As I can see, there are two signatures of SOA records. One "older", signed
by bind on Monday, that is somewhere in the DNS cache.
The second, "newer" SOA record is Knot's signing from today.
So I think that the problem disappears after the record's lifetime. Is that
right?
But how to prevent this "double" record problem? Or should I have used Bind's
signed zone for Knot?
Thanks and best regards
Josef Karliak.
> Hi there,
> I migrated our primary DNS from Bind to Knot. I ran some tests with
> nic.cz's dnscheck, but there is an error:
> DNSSEC signature RRSIG(fnhk.cz/IN/SOA/64431) fails to validate the RR
> set:
> key 1: keytag does not match key 2:RSA Verification failed
>
> Link to test:
>
http://dnscheck.labs.nic.cz/?time=1395821962&id=102810&view=advance…
> t=
> standard>
>
> Knot doesn't complain about anything in the system log, fnhk.cz zone is
> successfully signed.
>
> What did I miss?
> Thanks and best regards
> J.Karliak.
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users