dns - How to add DNSSEC signed DS records in BIND?
Hi all (my English is not good, sorry.)
Let's begin...
I created my own DNS server using bind9.
Installed: bind bind-utils bind-chroot
My server IP (example IP): 123.456.789.123
Everything works fine (no CPU more than 100%), but I keep getting this error every day:
named[17203]: error (chase DS servers) resolving 'example.com/DS/IN': 123.456.789.123#53
I think it means it cannot find DS records in example.com. I tried searching for the error, and people said to turn DNSSEC off. Why? So I tried to find how to fix the error, and got explanation sites here:
https://www.os3.nl/2011-2012/students/maikel_de_boer/cia/dnssec
https://www.crc.id.au/configuring-dnssec-on-el6-and-bind-9/
I followed the instructions on the sites above, and it works! I got DNSSEC signed, with DNSKEY and RRSIG records:
zone example.com/IN/internal: loaded serial 31125225 (DNSSEC signed)
But I got a new problem! The new problem is... when I use the command (sample):
dnssec-signzone -N increment example.com
it creates the signed files "example.com.signed" and "dsset-example.com.".
In the file "dsset-example.com." there are DS records for example.com. When I try to use the DS records inside "dsset-example.com." (look at this):
example.com. IN DS 64621 5 1 aff...................ff
example.com. IN DS 64621 5 2 333efbc.................5fc5 ag....54s
and insert them into the "example.com.zone" file, then when I try to (re)sign with dnssec-signzone again I get this error message:
dnssec-signzone: fatal: 'example.com': found DS RRset without NS RRset
I don't know how to add DS records to the example.com.zone file without the dnssec-signzone error. I think if I can, the error message "error (chase DS servers) resolving 'example.com/DS/IN'" may be gone.
Do I have to create subdomain.example.com DS records? I don't know for sure. So, if you guys know how to fix the problem, please let me know.
Thanks much.
My /etc/named.conf:
acl "trusted" { 127.0.0.1; 123.456.789.123; };

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { none; };   # don't have ipv6
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    auth-nxdomain no;
    allow-query { localhost; any; };
    recursion no;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* path isc dlv key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    check-names master ignore;
};

logging {
    channel default_debug {
        file "data/named.run" size 5m;
        severity dynamic;
        print-time yes;
    };
    category default { default_debug; };
};

include "/etc/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

view "localhost_resolver" {
    match-clients { localhost; };
    match-destinations { localhost; };
    recursion yes;
    empty-zones-enable yes;
    // views must contain root hints zone
    include "/etc/named.root.hints";
    include "/etc/named.rfc1912.zones";
};

view "internal" {
    match-clients { trusted; };       # match hosts in acl "trusted" above
    recursion yes;                    # allow recursive queries
    allow-recursion { trusted; };
    allow-transfer { trusted; };
    notify no;                        # disable AA notifies
    empty-zones-enable yes;
    // views must contain root hints zone
    include "/etc/named.root.hints";
    include "/etc/named.domains";
};

view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };
    // views must contain root hints zone
    include "/etc/named.root.hints";
    include "/etc/named.domains";
};
The file /etc/named.root.hints is:
// views must contain root hints zone
zone "." IN { type hint; file "named.ca"; };
My /etc/named.domains file (replaced with the signed file "example.com.signed"):
zone "example.com" IN {
    type master;
    file "example.com.signed";
    allow-update { none; };
};
My example.com zone file (look at this):
$TTL 3h
$ORIGIN example.com.
@       1d   IN SOA  ns1.example.com. hostmaster.example.com. (
                     2011051202  ; serial (d. adams)
                     3h          ; refresh
                     15m         ; retry
                     1w          ; expiry
                     1h )        ; minimum
@       3600 IN NS   ns1.example.com.

; domain keys
default._domainkey   IN TXT  ( "v=DKIM1; k=rsa; "
                               "p=a0gcsq................g/o+q" )

; NS
example.com.         IN NS   ns1.example.com.

; DNS records
example.com.         IN A    123.456.789.123
localhost            IN A    127.0.0.1
ns1                  IN A    123.456.789.123
www                  IN A    123.456.789.123

; DNSSEC key  Kexample.com.+....key
example.com.         IN DNSKEY 256 3 5 ch....................byd+maryse.................vcb
example.com.         IN DNSKEY 257 3 5 qx....................typdisfso.................ceers
This one should have the dnssec tag, but the site needs reputation of more than 1500 to create a new tag. :(
The answer is, I think: you can't. You aren't supposed to. DS records are supposed to be given to the domain registrar, and they are the ones supposed to publish them. The idea of DS records is to establish a chain of trust, from the top-most root domain servers, through the registrar, to you. Without the chain of trust, ... who knows ... a hijacker publishing a fake zone that happens to be DNSSEC-signed (and looks "legit").
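A check for the situation in the question and the answer above, as an added example that is not part of the original post and not BIND's own code: it recomputes the DS digest from the zone's DNSKEY records (RFC 4034 section 5.1.4, key tag per Appendix B) and confirms that every line of a dsset-<zone>. file corresponds to a key actually in the zone. That is what to verify before handing the DS records to the registrar, since the DS lives in the parent zone (which is why dnssec-signzone rejects a DS at the apex of example.com itself). The DNSKEY and DS values are constructed placeholders with 4-byte "public keys", not real key material.

```python
"""Recompute DS records from DNSKEY records and check a dsset file against them.
Added example (not from the original post or BIND); all key values are constructed."""
import base64
import hashlib

# DS digest types as written by dnssec-signzone: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(line: str):
    """'owner [ttl] [class] DNSKEY flags proto alg b64...' -> (owner, flags, alg, rdata)."""
    tok = line.split()
    i = [t.upper() for t in tok].index("DNSKEY")
    flags, proto, alg = int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
    pubkey = base64.b64decode("".join(tok[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return tok[0].lower(), flags, alg, rdata


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (not valid for RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(dnskey_line: str, digest_type: int = 2) -> str:
    """DS RR text for a DNSKEY: the digest covers owner-name-wire || DNSKEY RDATA."""
    owner, _flags, alg, rdata = parse_dnskey(dnskey_line)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def parse_ds(line: str):
    """'owner [ttl] [class] DS tag alg dtype hex...' -> (owner, tag, alg, dtype, digest)."""
    tok = line.split()
    i = [t.upper() for t in tok].index("DS")
    tag, alg, dtype = int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
    return tok[0].lower(), tag, alg, dtype, "".join(tok[i + 4:]).upper()


def check_dsset(dsset_lines, dnskey_lines):
    """Map each DS line to True if it matches a DNSKEY with the same owner, algorithm
    and key tag, else False. A DS that matches nothing in the zone must not go to the
    registrar: the parent would then delegate trust to a key that does not exist."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    result = {}
    for ds_line in dsset_lines:
        owner, tag, alg, dtype, digest = parse_ds(ds_line)
        ok = False
        for k_owner, _flags, k_alg, rdata in keys:
            if (k_owner, k_alg, key_tag(rdata)) != (owner, alg, tag):
                continue
            if dtype in DIGEST_ALGOS:
                want = DIGEST_ALGOS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
                ok = ok or want == digest
        result[ds_line] = ok
    return result


if __name__ == "__main__":
    # Constructed placeholders: 4-byte "public keys" (01020304 / 05060708), not real RSA keys.
    KSK = "example.com. IN DNSKEY 257 3 5 AQIDBA=="
    ZSK = "example.com. IN DNSKEY 256 3 5 BQYHCA=="
    dsset = [ds_from_dnskey(KSK, 1), ds_from_dnskey(KSK, 2)]  # what dsset-example.com. would hold
    for line, ok in check_dsset(dsset, [KSK, ZSK]).items():
        print("OK  " if ok else "BAD ", line)
```

Run it against the real files by feeding the DNSKEY lines from example.com.signed and the lines of dsset-example.com. into check_dsset; every line should come back True before the DS set is submitted to the registrar, and after the parent publishes it, the two DS lines should be what a resolver sees when querying the parent for example.com/DS.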