[Pdns-users] DNSSEC trouble

Leen Besselink leen at consolejunkie.net
Wed May 20 10:26:50 UTC 2015


On Wed, May 20, 2015 at 12:16:02PM +0200, Peter Thomassen wrote:
> Dear experts,
> 
> I'm sorry to bug you again, but I am still stuck with deploying DNSSEC
> for desec.io, and I'd like to ask for your help once more.
> 
> I have a hidden primary which does the signing in live mode (MySQL
> backend), and two public nameservers ns1.desec.io and ns2.desec.io which
> receive the zones via AXFR (bind backend). All are using PowerDNS 3.3
> from Ubuntu 14.04.
> 
> After communicating my DS records to the .io registry, the DNSSEC
> debugger http://dnssec-debugger.verisignlabs.com/desec.io tells me the
> everything is fine, except that desec.io does not have RRSIG records,
> and my resolver says SERVFAIL.
> 
> Screenshot: https://www.a4a.de/_temp/DNSSEC.png
> (I removed the DS records again from the .io zone.)
> 
> However,
> dig RRSIG desec.io @ns1.desec.io
> dig RRSIG desec.io @ns2.desec.io
> 
> gives the RRSIG records. Why does the debugger not find them?
> 

Hi,

Wouldn't consider myself an expert, but RRSIG isn't normally something you query for;
these are the signatures which get added to a DNSSEC-signed response.

Judging by the image it looks like DNSSEC debugger does 3 queries:

dig @ns1.desec.io +dnssec +norec desec.io DS # that worked and did include the RRSIG records

# these failed:
dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
dig @ns1.desec.io +dnssec +norec desec.io A

Here is a working example with an RRSIG for the DNSKEY query:

$ dig +dnssec +norec @194.171.17.10 nl. DNSKEY

; <<>> DiG 9.8.1-P1 <<>> +dnssec +norec @194.171.17.10 nl. DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9281
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nl.                            IN      DNSKEY

;; ANSWER SECTION:
nl.                     7200    IN      DNSKEY  256 3 8 AwEAActQKGjyxDvKZrmtecDqXu5i7hDRnkBH71kukkBWMqi7GlRVnwng tXGLg41p8cBP+HsLLDxr125ukadG0peYLfjx5gBj0CE6VMguwqRtn7MP MIym5outGSRm2uTcO7mxp1ZykusE1GnavVFDUhgoipGaXQ/q0w3Lpyij NE9GZmyH
nl.                     7200    IN      DNSKEY  257 3 8 AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TN bmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX qyGe2Mm+ZNRsomBxhluR/ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyh hpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4 FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0 yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAx qcfEfARr4b0=
nl.                     7200    IN      RRSIG   DNSKEY 8 1 7200 20150526002957 20150511201503 21362 nl. lXOt9uoPC+0NdnY2GiPVvCSwK2XeJVfMu1r8d84k47Au2sYc3rExtCGQ JT7Smx6heHQ8kWPPLJ58FTd0oht5yG/0E6Voe2qNh5xKp8htoseTEysv hejOXEevpWkxfkc3JFu7qHzYqNYAEIwKNXIWMhxmVarhwACKkKIelZXy 6o/hD2JspOHCzZO6uK5X1pRQyBFnRt2PgZ6oMWCi4h7/mMNQRAAqcR1V hFmBnYEPQuk3Twiq6geHdP3aq0FxvHnUqHXczVPz2BAf6bV4sl2XRjxP EEtmSRRAkkT8YTNOlKytU8V5bnjAMqeh3nkIHvugdJzDwrkODhrIsLKo 3ywe/A==

;; Query time: 7 msec
;; SERVER: 194.171.17.10#53(194.171.17.10)
;; WHEN: Wed May 20 12:25:14 2015
;; MSG SIZE  rcvd: 745

Hope that helps.

> Thanks a lot for your help,
> Peter
> -- 
> OpenPGP Key: 0x3EF22D2F
> 
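As an added example for the check Leen describes (not code from the original message, nor from PowerDNS or the Verisign debugger): a small Python parser that reads `dig` output, confirms the DO bit was actually set on the query, and reports whether the answer section carries an RRSIG covering the queried type and whether that signature is inside its inception/expiration window. The first embedded response is the `nl.` DNSKEY answer quoted in the message, with the key and signature material shortened; the second is a constructed response with no RRSIG at all, standing in for the failing DNSKEY/A case, and `example.test` is a placeholder name.

```python
"""Check a dig response for the RRSIG records a validating resolver expects.

Added example, not part of the original thread. Both dig outputs are embedded
so the script runs offline: SIGNED_DNSKEY_RESPONSE is the nl. DNSKEY answer
from the message (base64 material shortened), UNSIGNED_A_RESPONSE is a
constructed answer that has the DO bit but no signature.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

SIGNED_DNSKEY_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9281
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nl.                            IN      DNSKEY

;; ANSWER SECTION:
nl.                     7200    IN      DNSKEY  256 3 8 AwEAActQKGjyxDvKZrmtecDq...
nl.                     7200    IN      DNSKEY  257 3 8 AwEAAbgqMqYHpmZrqQd3zFNO...
nl.                     7200    IN      RRSIG   DNSKEY 8 1 7200 20150526002957 20150511201503 21362 nl. lXOt9uoPC+0NdnY2...

;; Query time: 7 msec
"""

# Constructed: DO bit set, but the server returned no RRSIG for the answer.
UNSIGNED_A_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.test.                  IN      A

;; ANSWER SECTION:
example.test.           3600    IN      A       192.0.2.1
"""


def do_bit_set(dig_output: str) -> bool:
    """True if the OPT pseudosection shows the DO (DNSSEC OK) flag.

    Without DO the server was never asked for signatures, so a missing
    RRSIG would prove nothing.
    """
    m = re.search(r"^; EDNS: version: \d+, flags:([^;]*);", dig_output, re.M)
    return bool(m) and "do" in m.group(1).split()


def parse_answer_section(dig_output: str) -> List[Dict[str, object]]:
    """Turn the ';; ANSWER SECTION:' block into owner/ttl/class/type/rdata records."""
    records: List[Dict[str, object]] = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip():
            break  # a blank line closes the section
        fields = line.split()
        if len(fields) < 4:
            continue
        owner, ttl, rclass, rtype, *rdata = fields
        records.append({"owner": owner, "ttl": int(ttl), "class": rclass,
                        "type": rtype, "rdata": rdata})
    return records


def _sig_time(stamp: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def diagnose(dig_output: str, qtype: str, now: Optional[str] = None) -> Dict[str, object]:
    """Summarise what a validator would see for a query of type qtype.

    now: time to check the signature window against, in the same
    YYYYMMDDHHMMSS (UTC) form RRSIG uses; defaults to the current time.
    """
    at = _sig_time(now) if now else datetime.now(timezone.utc)
    records = parse_answer_section(dig_output)
    rrsigs = [r for r in records if r["type"] == "RRSIG" and len(r["rdata"]) >= 8]
    # RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig
    covering = [r for r in rrsigs if r["rdata"][0] == qtype]
    in_window = [r for r in covering
                 if _sig_time(r["rdata"][5]) <= at <= _sig_time(r["rdata"][4])]
    return {
        "do": do_bit_set(dig_output),
        "answer_types": sorted({r["type"] for r in records}),
        "rrsig_covers": sorted({r["rdata"][0] for r in rrsigs}),
        "signed": bool(covering),
        "valid_now": bool(in_window),
    }


if __name__ == "__main__":
    print("nl. DNSKEY:", diagnose(SIGNED_DNSKEY_RESPONSE, "DNSKEY", now="20150520122514"))
    print("unsigned A:", diagnose(UNSIGNED_A_RESPONSE, "A"))
```

Feed it the output of `dig +dnssec +norec @<server> <name> <type>` for each of the three queries the debugger makes; the failing case shows up as `"signed": False` with the DO bit present, which is exactly the symptom in the screenshot, whereas a query made without `+dnssec` shows `"do": False` and tells you nothing about the zone.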
