Hello,
please, can you check the XFR configuration between your master and slaves
first?
Your master server (slimak.fnhk.cz) and the slaves (dns2.fnhk.cz, ns.hknet.cz)
return SOA with the same serial, but the content of the zone is obviously
different. The responses from the slaves contain some additional signatures.
Jan
% kdig fnhk.cz SOA @slimak.fnhk.cz. +dnssec
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 39851
;; Flags: qr aa rd; QUERY: 1; ANSWER: 2; AUTHORITY: 4; ADDITIONAL: 5
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B
;; QUESTION SECTION:
;; fnhk.cz. 0 IN SOA
;; ANSWER SECTION:
fnhk.cz. 86400 IN SOA slimak.fnhk.cz. matous.fnhk.cz. 2014032504 14400 3600 1209600 9000
fnhk.cz. 86400 IN RRSIG SOA 5 2 86400 20140425080529 20140326080529 64431 fnhk.cz. c49YFrzdpSiCZ0UE/h2or5LXNOL2SU8ufqQ9g/NxqPxLRD/be0U0A9xxOxIcSXFhXMwp4cNmZe1ZjWKKD83mlXTJyWVSFYCCgYVw4Y8QeH8s7peDed/kpQLNKHKqJLvJzjdjI0YVYApj6/0pkMz59EiucpX5eGpdhDlG8ADNjsg=
;; AUTHORITY SECTION:
fnhk.cz. 86400 IN NS ns.hknet.cz.
fnhk.cz. 86400 IN NS dns2.fnhk.cz.
fnhk.cz. 86400 IN NS slimak.fnhk.cz.
fnhk.cz. 86400 IN RRSIG NS 5 2 86400 20140425075238 20140326075238 64431 fnhk.cz. qaQoCR6xpdl3PEEwMpobTFkfDcqMPc85f4XwTBRQ2mht56za18r3X8dMR6iXMhHOzFaq5kXSVHgOXbvivKpYniCyjzitUc2tHvpungbipr4+hahND43GoAQ2u+XuxsK5fCQ0WHrWHfrV9Z0opgAXtEGNwxVv44Ls3UOwNJ32Cpk=
;; ADDITIONAL SECTION:
dns2.fnhk.cz. 86400 IN A 77.48.63.10
dns2.fnhk.cz. 86400 IN RRSIG A 5 3 86400 20140425075238 20140326075238 64431 fnhk.cz. Dm5mGHnHHJ8G4+dfePO3NsYJMcDThFYeaYsl50DeH6BXpkc9On1MTSNNGvsYP7pF0vJ2o/h0oGQOLAPNgI1neXXd2gQ/QNMHzQHKr1RmeL0gAPmUlm0eR40G3KlWlQcaMo8P95soQc9hvV+fmYxMsM+VDG8SiNk4jj4xbxV2o58=
slimak.fnhk.cz. 86400 IN A 195.113.123.85
;; Received 842 B
;; Time 2014-03-26 12:15:51 CET
;; From 195.113.123.85#53(UDP) in 5.1 ms
% kdig fnhk.cz SOA @dns2.fnhk.cz. +dnssec
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 26180
;; Flags: qr aa rd; QUERY: 1; ANSWER: 3; AUTHORITY: 5; ADDITIONAL: 5
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1220 B
;; QUESTION SECTION:
;; fnhk.cz. 0 IN SOA
;; ANSWER SECTION:
fnhk.cz. 86400 IN SOA slimak.fnhk.cz. matous.fnhk.cz. 2014032504 14400 3600 1209600 9000
fnhk.cz. 86400 IN RRSIG SOA 5 2 86400 20140424152009 20140325152009 64431 fnhk.cz. HxNL+fSb2NfEeLMMTwEjm/FqiFE1WQ7HOdnbKBKhOk0JkiO9pCst9gdIKg2TaCDKcFLwFwKrxgFVuNNHsvYq1lkY9sb7G6CjmGqZ4FmJCjLzbBgRlbZm6VhzIL0ndNl1QkFFBhtaQVkCResCBIBj+E54dLHmQ4LxKZEWBAWUBqc=
fnhk.cz. 86400 IN RRSIG SOA 5 2 86400 20140425080529 20140326080529 64431 fnhk.cz. c49YFrzdpSiCZ0UE/h2or5LXNOL2SU8ufqQ9g/NxqPxLRD/be0U0A9xxOxIcSXFhXMwp4cNmZe1ZjWKKD83mlXTJyWVSFYCCgYVw4Y8QeH8s7peDed/kpQLNKHKqJLvJzjdjI0YVYApj6/0pkMz59EiucpX5eGpdhDlG8ADNjsg=
;; AUTHORITY SECTION:
fnhk.cz. 86400 IN NS ns.hknet.cz.
fnhk.cz. 86400 IN NS dns2.fnhk.cz.
fnhk.cz. 86400 IN NS slimak.fnhk.cz.
fnhk.cz. 86400 IN RRSIG NS 5 2 86400 20140424152009 20140325152009 64431 fnhk.cz. WgSnXnteRiomQXqygt2Cyg26M0BpMvPrybUiY/tH3vjkGKF4kTQCptllTGyQSmft5Ju8nL9Ag05n9ctnroZSfkFxiYoIVFT0eIBSrSKEYgiecxeQyIig3dRRNDTQ7UPpTIJseqctLg5UabGsm+R/j+JBZub3P8J3jVw+DhvCOF8=
fnhk.cz. 86400 IN RRSIG NS 5 2 86400 20140425075238 20140326075238 64431 fnhk.cz. qaQoCR6xpdl3PEEwMpobTFkfDcqMPc85f4XwTBRQ2mht56za18r3X8dMR6iXMhHOzFaq5kXSVHgOXbvivKpYniCyjzitUc2tHvpungbipr4+hahND43GoAQ2u+XuxsK5fCQ0WHrWHfrV9Z0opgAXtEGNwxVv44Ls3UOwNJ32Cpk=
;; ADDITIONAL SECTION:
dns2.fnhk.cz. 86400 IN A 77.48.63.10
dns2.fnhk.cz. 86400 IN RRSIG A 5 3 86400 20140424152009 20140325152009 64431 fnhk.cz. VFWM+ykl63yRxr+Qb5hIJnqfhnPwnXzbCN2+3IEGP9LX1x5Eu0H/69YFWC8bKwIk2ozN703d6oqr2Q/HcdecGRG0P/rcFNu8B+TVZp7B4DxK94giOYZ7yOKOTRebNNt6rVI/qbytH4WgllJlndltnxL8C6HvuILNKk1lsQjQT0E=
dns2.fnhk.cz. 86400 IN RRSIG A 5 3 86400 20140425075238 20140326075238 64431 fnhk.cz. Dm5mGHnHHJ8G4+dfePO3NsYJMcDThFYeaYsl50DeH6BXpkc9On1MTSNNGvsYP7pF0vJ2o/h0oGQOLAPNgI1neXXd2gQ/QNMHzQHKr1RmeL0gAPmUlm0eR40G3KlWlQcaMo8P95soQc9hvV+fmYxMsM+VDG8SiNk4jj4xbxV2o58=
;; Received 1176 B
;; Time 2014-03-26 12:16:12 CET
;; From 77.48.63.10#53(UDP) in 17.0 ms
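To make the check Jan asks for repeatable across all nameservers, here is an added example (written for this thread, not code from Knot, BIND or any of the posters). It parses the ANSWER section of `kdig <zone> SOA @<server> +dnssec` output for the master and each slave, then reports per slave whether the SOA serial matches the master, which RRSIGs the slave returns that the master does not, and which of the slave's RRSIGs are stale leftovers of an earlier signing run (same covered type and key tag as a newer signature, but an older inception). The two embedded dumps are constructed from the captures above with the base64 signature data abbreviated; the `compare_servers` helper and the server-to-dump mapping are this example's own.

```python
"""Compare SOA serial and RRSIG sets across authoritative servers.

Added example: parses `kdig <zone> SOA @<server> +dnssec` output for each
server and flags slaves that answer with the master's serial but a different
(typically larger) RRSIG set, as seen in the thread above.
"""
from dataclasses import dataclass

# Number of RDATA tokens, in presentation format, for the types expected in an
# SOA query's ANSWER section (extend if your servers return other types).
RDATA_FIELDS = {"SOA": 7, "RRSIG": 9, "NS": 1, "A": 1, "AAAA": 1}


@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: tuple


@dataclass(frozen=True)
class Sig:
    """Identity of an RRSIG without its signature bytes."""
    covered: str
    alg: int
    keytag: int
    expiration: str  # YYYYMMDDHHMMSS; fixed width, so string order is time order
    inception: str


def parse_kdig_answer(text):
    """Return the RRs in the ANSWER SECTION of a kdig/dig dump.

    Mail clients wrap long RDATA across lines, so the whole section is
    tokenized and each record consumes a known number of RDATA tokens.
    """
    tokens, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;"):          # any other ';;' line ends the section
            in_answer = False
        elif in_answer and line.strip():
            tokens.extend(line.split())
    rrs, i = [], 0
    while i < len(tokens):
        owner, ttl, _cls, rtype = tokens[i:i + 4]
        n = RDATA_FIELDS[rtype]
        rrs.append(RR(owner, int(ttl), rtype, tuple(tokens[i + 4:i + 4 + n])))
        i += 4 + n
    return rrs


def rrsig_view(rrs):
    """(SOA serial, frozenset of Sig) for one server's answer."""
    soa = next(r for r in rrs if r.rtype == "SOA")
    serial = int(soa.rdata[2])   # mname rname serial refresh retry expire minimum
    sigs = frozenset(
        # RRSIG RDATA: covered alg labels origttl expiration inception keytag signer sig
        Sig(r.rdata[0], int(r.rdata[1]), int(r.rdata[6]), r.rdata[4], r.rdata[5])
        for r in rrs if r.rtype == "RRSIG"
    )
    return serial, sigs


def stale_signatures(sigs):
    """RRSIGs superseded by a newer signature from the same key over the same type."""
    newest = {}
    for s in sigs:
        key = (s.covered, s.keytag)
        if key not in newest or s.inception > newest[key].inception:
            newest[key] = s
    return frozenset(s for s in sigs if s != newest[(s.covered, s.keytag)])


def compare_servers(dumps, master):
    """Per-slave comparison against the master. dumps: {server: kdig text}."""
    views = {srv: rrsig_view(parse_kdig_answer(txt)) for srv, txt in dumps.items()}
    master_serial, master_sigs = views[master]
    report = {}
    for srv, (serial, sigs) in views.items():
        if srv == master:
            continue
        report[srv] = {
            "same_serial": serial == master_serial,
            "extra_rrsigs": sigs - master_sigs,      # slave has, master lacks
            "missing_rrsigs": master_sigs - sigs,    # master has, slave lacks
            "stale_rrsigs": stale_signatures(sigs),  # superseded on the slave
        }
    return report


# Constructed from the captures in this thread; signature base64 abbreviated.
MASTER_DUMP = """\
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 39851
;; QUESTION SECTION:
;; fnhk.cz. 0 IN SOA
;; ANSWER SECTION:
fnhk.cz. 86400 IN SOA slimak.fnhk.cz.
matous.fnhk.cz. 2014032504 14400 3600 1209600 9000
fnhk.cz. 86400 IN RRSIG SOA 5 2 86400 20140425080529
20140326080529 64431 fnhk.cz. c49YFrzd...8ADNjsg=
;; AUTHORITY SECTION:
fnhk.cz. 86400 IN NS slimak.fnhk.cz.
"""

SLAVE_DUMP = """\
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 26180
;; QUESTION SECTION:
;; fnhk.cz. 0 IN SOA
;; ANSWER SECTION:
fnhk.cz. 86400 IN SOA slimak.fnhk.cz.
matous.fnhk.cz. 2014032504 14400 3600 1209600 9000
fnhk.cz. 86400 IN RRSIG SOA 5 2 86400 20140424152009
20140325152009 64431 fnhk.cz. HxNL+fSb...BAWUBqc=
fnhk.cz. 86400 IN RRSIG SOA 5 2 86400 20140425080529
20140326080529 64431 fnhk.cz. c49YFrzd...8ADNjsg=
;; AUTHORITY SECTION:
fnhk.cz. 86400 IN NS slimak.fnhk.cz.
"""

if __name__ == "__main__":
    report = compare_servers({"slimak.fnhk.cz": MASTER_DUMP,
                              "dns2.fnhk.cz": SLAVE_DUMP}, master="slimak.fnhk.cz")
    for slave, f in report.items():
        print(f"{slave}: same serial as master: {f['same_serial']}")
        for s in sorted(f["extra_rrsigs"], key=lambda s: s.inception):
            print(f"  extra RRSIG {s.covered}/{s.keytag} inception {s.inception}")
        for s in sorted(f["stale_rrsigs"], key=lambda s: s.inception):
            print(f"  stale RRSIG {s.covered}/{s.keytag} inception {s.inception}")
```

On a live system, feed it the output of `kdig <zone> SOA @<server> +dnssec` for the master and every NS listed in the zone. A slave that reports the master's serial together with extra or stale RRSIGs holds a zone copy that has diverged from the master, which is the situation Jan describes; because the serial did not change, the slave will not request a new transfer on its own until the master's serial increases.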
Huh,
maybe I've found an error - I copied the unsigned zone to Knot (but named
had signed it before and propagated it as a .signed zone). But Knot signed
the unsigned zone and propagated it, and Knot's signed zone has a different
lifetime on the SOA record. See "http://dnsviz.net/d/fnhk.cz/UzKZgg/dnssec/".
As I can see, there are two signatures of the SOA record. One "older", that was
signed by bind on Monday, that is somewhere in the DNS cache.
Second, the "newer" SOA record, is Knot's signing from today.
So I think that the problem disappears after the record's lifetime. Is it
right?
But how to prevent this "double" record problem? Or should I have used Bind's
signed zone for Knot?
Thanks and best regards
Josef Karliak.
> Hi there,
> I migrated our primary DNS from Bind to Knot. I ran some tests with
> nic.cz's dnscheck, but there is an error:
> DNSSEC signature RRSIG(fnhk.cz/IN/SOA/64431) fails to validate the RR set:
> key 1: keytag does not match key 2:RSA Verification failed
>
> Link to test:
> http://dnscheck.labs.nic.cz/?time=1395821962&id=102810&view=advance…
> standard>
>
> Knot doesn't complain about anything in the system log; the fnhk.cz zone is
> successfully signed.
>
> What did I miss?
> Thanks and best regards
> J.Karliak.
>