[Pdns-users] dnssec problems
bert.hubert at netherlabs.nl
Tue Oct 27 22:38:51 UTC 2015
Quick response from phone, try removing the GOST signature from parent zone, it might be confusing things. No one uses that normally.
On Oct 27, 2015 23:18, Curtis Maurand <curtis at maurand.com> wrote:
> I set up pdnssec for a rather critical zone xyonet.com. I then published the ds records to opensrs using
> pdnssec show-zone xyonet.com which got me:
> DS = xyonet.com IN DS 31879 8 1 b0a50a1f2ec6d0a2e11c1a5152c674fc10a7366a ; ( SHA1 digest )
> DS = xyonet.com IN DS 31879 8 2 cdc8a0e46d79fd2b391dcce9b5740ec5d1021d4eccc1038dbe97ef83b8703986 ; ( SHA256 digest )
> DS = xyonet.com IN DS 31879 8 3 9621349b03aeda5ab8ffb9e71bf18a2d55491c1da41721447046f77394502d2a ; ( GOST R 34.11-94 digest )
> DS = xyonet.com IN DS 31879 8 4 fd0a82a3a1cc67e0ca0b02a5d0ca661191c047788257a90477ffe75aeb5a0cc7d3768fed9997621a8d97d2951c8477e3 ; ( SHA-384 digest )
> I published all 4 of the keys. Verisign comes back and give me the error:
> "The DNSKEY RRset was not signed by any keys in the chain-of-trust"
> Have I done something wrong, here? suddenly today google's public dns servers are not resolving anything on xyonet.com. level 3 is and some others are not. The only change I made was publishing the dnssec records.
> Curtis Maurand
> curtis at maurand.com
More information about the Pdns-users