[yadifa-users] Is a DNSSEC related bug possible in 2.0.4?

Thomas Dupas Thomas.Dupas at eurid.eu
Fri Feb 27 11:13:00 CET 2015


Hi Markus,

Do you see other queries arriving before the one with the --ETD-- flag?

Those flags represent the query flags / options:
+: recursion desired
S: query signed
E: EDNS
T: TCP
D: DO bit set (DNSSEC OK)
C: CD bit set (Checking Disabled)

Br,

Thomas

On 27 Feb 2015, at 10:37, Markus Kolb <markus.kolb+yadifa at tower-net.de> wrote:

> Hello,
> 
> I have problems getting DNSSEC to work with 2.0.4.
> 
> It's a domain in the de-zone.
> The denic has a DNS checker tool at
> http://www.denic.de/hintergrund/nast.html
> 
> If I check my signed domain, sometimes it is approved and sometimes I 
> get an unexpected exception error 999.
> I do not change anything in the meantime.
> 
> I've used the tools of bind for generating keys and signing the zone.
> 
> e.g.:
> dnssec-signzone -v 9 -A -3 b0255d9fc8b8cf81 -o tower-net.de -K 
> /var/lib/yadifad/zones/keys -d /var/lib/yadifad/zones/keys -k 
> Ktower-net.de.+007+62298.key -N increment -t 
> /var/lib/yadifad/zones/masters/tower-net.de.zone 
> Ktower-net.de.+007+62654.key Ktower-net.de.+007+62298.key
> 
> For your info: The example domain is not yet delegated to my domain 
> servers. With the denic tool I've specified the domain servers with the 
> available signed zones.
> 
> Btw. the bind tools are the hell of usability. Why do you have to specify 
> the KSK 2 times? Isn't it enough to say -k KSK ?! And no warning. Just 
> the fully signed zones are not correctly signed. ;-)
> 
> Ok. Back to the remaining problem...
> 
> In the query log I see different entries when the zone is approved and 
> when it is denied.
> 
> approved:
> 2015-02-27 09:22:22.666113 | queries  | I | query [958c] {--E-D--} 
> it-newmedia.de. IN SOA (81.91.160.254#19612)
> 
> denied:
> 2015-02-27 09:21:58.376208 | queries  | I | query [9df4] {--ETD--} 
> it-newmedia.de. IN SOA (81.91.160.254#9897)
> 
> So there is a T-flag when the denic denies my zone.
> 
> What do these flags mean? Couldn't find documentation for them.
> 
> br,
> Markus
> _______________________________________________
> yadifa-users mailing list
> yadifa-users at mailinglists.yadifa.eu
> http://www.yadifa.eu/mailman/listinfo/yadifa-users
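Added example, not part of the original message or of YADIFA: a small parser for the query-log line format quoted above that decodes the flag field with the legend from the reply and, for each TCP query, lists earlier non-TCP queries from the same client for the same name and type. It assumes each log entry is a single line (the mail client wrapped them), that flags can be decoded by letter, and a 5-second look-back window; the first sample line is constructed.

```python
import re
from datetime import datetime

# Flag letters as listed in the reply above; '-' means the flag is not set.
FLAGS = {"+": "recursion desired", "S": "query signed", "E": "EDNS", "T": "TCP",
         "D": "DO bit set (DNSSEC OK)", "C": "CD bit set (Checking Disabled)"}

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \| queries\s*\| \w \| "
    r"query \[(?P<id>[0-9a-f]{4})\] \{(?P<flags>[^}]*)\} "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) \((?P<ip>[^#]+)#(?P<port>\d+)\)$")

def parse(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["ts"] = datetime.strptime(q["ts"], "%Y-%m-%d %H:%M:%S.%f")
    # Decode by letter; anything outside the legend is reported, not guessed.
    q["flags"] = [FLAGS.get(c, "unknown flag %r" % c) for c in q["flags"] if c != "-"]
    q["tcp"] = "TCP" in q["flags"]
    return q

def queries_before_tcp(lines, window=5.0):
    """Pair each TCP query with earlier non-TCP queries for the same
    client IP, name and type seen within `window` seconds (assumed value)."""
    seen, report = [], []
    for q in filter(None, map(parse, lines)):
        if not q["tcp"]:
            seen.append(q)
            continue
        key = (q["ip"], q["qname"], q["qtype"])
        prior = [p for p in seen if (p["ip"], p["qname"], p["qtype"]) == key
                 and 0 <= (q["ts"] - p["ts"]).total_seconds() <= window]
        report.append((q, prior))
    return report

SAMPLE = [
    # Constructed line (not from the thread): a non-TCP query just before the TCP one.
    "2015-02-27 09:21:58.370000 | queries  | I | query [1a2b] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#4242)",
    # The two entries quoted in the thread, joined back onto one line each.
    "2015-02-27 09:21:58.376208 | queries  | I | query [9df4] {--ETD--} it-newmedia.de. IN SOA (81.91.160.254#9897)",
    "2015-02-27 09:22:22.666113 | queries  | I | query [958c] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#19612)",
]

if __name__ == "__main__":
    for q, prior in queries_before_tcp(SAMPLE):
        print(q["ts"], q["id"], q["flags"], "preceded by:", [p["id"] for p in prior])
```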


