[yadifa-users] Is a DNSSEC related bug possible in 2.0.4?
Markus Kolb
markus.kolb+yadifa at tower-net.de
Fri Feb 27 10:37:25 CET 2015
Hello,
I'm having problems getting DNSSEC to work with 2.0.4.
It's a domain in the de-zone.
The denic has a DNS checker tool at
http://www.denic.de/hintergrund/nast.html
If I check my signed domain, sometimes it is approved and sometimes I
get an unexpected exception error 999.
I do not change anything in the meantime.
I've used the tools of bind for generating keys and signing the zone.
e.g.:
dnssec-signzone -v 9 -A -3 b0255d9fc8b8cf81 -o tower-net.de \
  -K /var/lib/yadifad/zones/keys -d /var/lib/yadifad/zones/keys \
  -k Ktower-net.de.+007+62298.key -N increment -t \
  /var/lib/yadifad/zones/masters/tower-net.de.zone \
  Ktower-net.de.+007+62654.key Ktower-net.de.+007+62298.key
For your info: The example domain is not yet delegated to my domain
servers. With the denic tool I've specified the domain servers with the
available signed zones.
Btw., the bind tools are usability hell. Why do you have to specify
the KSK 2 times? Isn't it enough to say -k KSK?! And no warning. It's just
that the fully signed zones are not correctly signed. ;-)
Ok. Back to the remaining problem...
In the query log I see different entries when the zone is approved and
when it is denied.
approved:
2015-02-27 09:22:22.666113 | queries | I | query [958c] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#19612)
denied:
2015-02-27 09:21:58.376208 | queries | I | query [9df4] {--ETD--} it-newmedia.de. IN SOA (81.91.160.254#9897)
So there is a T-flag when the denic denies my zone.
What do these flags mean? Couldn't find documentation for them.
br,
Markus
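Added example, not part of the mail above and not YADIFA's own code: a small Python parser for the query-log line format quoted in the mail, which extracts the {...} flag field and reports the positions where it differs between otherwise identical queries (same name, type and client). The regular expression is an assumption derived from the two lines shown, and the script does not assume what any flag letter means.

```python
import re

# Constructed sample: the two query-log lines quoted in the mail,
# re-joined onto single lines (the archive had wrapped them).
SAMPLE_LOG = """\
2015-02-27 09:22:22.666113 | queries | I | query [958c] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#19612)
2015-02-27 09:21:58.376208 | queries | I | query [9df4] {--ETD--} it-newmedia.de. IN SOA (81.91.160.254#9897)
"""

# Assumed line layout, inferred from the sample only:
# <timestamp> | <channel> | <level> | query [<id>] {<flags>} <qname> IN <qtype> (<client>#<port>)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<channel>\w+) \| (?P<level>\w) \| "
    r"query \[(?P<qid>[0-9a-f]+)\] \{(?P<flags>[^}]*)\} "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) \((?P<client>[^#)]+)#(?P<port>\d+)\)$"
)


def parse_query_log(text):
    """Return one dict per parseable query line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def flag_diff(flags_a, flags_b):
    """Positional comparison of two flag strings: [(index, char_in_a, char_in_b), ...].
    The flag field looks positional ('-' = unset), so index matters; extra trailing
    characters in a longer string are ignored."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(flags_a, flags_b)) if a != b]


def differing_flags(records):
    """Group records by (qname, qtype, client) and list the flag positions that vary
    within a group, e.g. a flag set on the denied query but not on the approved one."""
    first, diffs = {}, {}
    for rec in records:
        key = (rec["qname"], rec["qtype"], rec["client"])
        if key not in first:
            first[key] = rec["flags"]
            continue
        for d in flag_diff(first[key], rec["flags"]):
            if d not in diffs.setdefault(key, []):
                diffs[key].append(d)
    return diffs


if __name__ == "__main__":
    for key, changed in differing_flags(parse_query_log(SAMPLE_LOG)).items():
        print(key, changed)  # ('it-newmedia.de.', 'SOA', '81.91.160.254') [(3, '-', 'T')]
```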