[yadifa-users] Is a DNSSEC related bug possible in 2.0.4?
Markus Kolb
markus.kolb+yadifa at tower-net.de
Fri Feb 27 11:38:55 CET 2015
The check of Denic sends the following queries when the check is not
approved:
2015-02-27 09:21:58.337569 | queries | I | query [136f] {-------} it-newmedia.de. IN SOA (81.91.160.254#30993)
2015-02-27 09:21:58.337701 | queries | I | query [434e] {-------} it-newmedia.de. IN SOA (81.91.160.254#53665)
2015-02-27 09:21:58.353038 | queries | I | query [64d3] {---T---} it-newmedia.de. IN NS (81.91.160.254#25900)
2015-02-27 09:21:58.353138 | queries | I | query [c6d6] {---T---} it-newmedia.de. IN NS (81.91.160.254#7540)
2015-02-27 09:21:58.361102 | queries | I | query [a36f] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#58913)
2015-02-27 09:21:58.361182 | queries | I | query [b913] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#9074)
2015-02-27 09:21:58.361244 | queries | I | query [4531] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#27506)
2015-02-27 09:21:58.361291 | queries | I | query [ed65] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#39832)
2015-02-27 09:21:58.376208 | queries | I | query [9df4] {--ETD--} it-newmedia.de. IN SOA (81.91.160.254#9897)
2015-02-27 09:22:01.365449 | queries | I | query [250b] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#22941)
2015-02-27 09:22:01.365610 | queries | I | query [4b4b] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#30404)
When the check is approved, these queries:
2015-02-27 09:22:22.642853 | queries | I | query [65c9] {-------} it-newmedia.de. IN SOA (81.91.160.254#60462)
2015-02-27 09:22:22.642925 | queries | I | query [589a] {-------} it-newmedia.de. IN SOA (81.91.160.254#63259)
2015-02-27 09:22:22.657871 | queries | I | query [fe57] {---T---} it-newmedia.de. IN NS (81.91.160.254#33254)
2015-02-27 09:22:22.657957 | queries | I | query [63b0] {---T---} it-newmedia.de. IN NS (81.91.160.254#10298)
2015-02-27 09:22:22.665857 | queries | I | query [564b] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#51714)
2015-02-27 09:22:22.666006 | queries | I | query [37ec] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#42246)
2015-02-27 09:22:22.666113 | queries | I | query [958c] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#19612)
2015-02-27 09:22:22.666131 | queries | I | query [ab2d] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#44694)
2015-02-27 09:22:25.669001 | queries | I | query [3b36] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#61206)
2015-02-27 09:22:25.669078 | queries | I | query [0246] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#59747)
Does this help you?
On 2015-02-27 11:13, Thomas Dupas wrote:
> Hi Markus,
>
> do you see other queries arriving before the one with the {--ETD--} flags?
>
> Those flags represent the query flags / options:
> +: recursion desired
> S: query signed
> E: EDNS
> T: TCP
> D: DO bit set (DNSSEC OK)
> C: CD bit set (Checking Disabled)
>
> Br,
>
> Thomas
>
> On 27 Feb 2015, at 10:37, Markus Kolb <markus.kolb+yadifa at tower-net.de>
> wrote:
>
>> Hello,
>>
>> I've problems getting DNSSEC to work with 2.0.4.
>>
>> It's a domain in the de-zone.
>> The denic has a DNS checker tool at
>> http://www.denic.de/hintergrund/nast.html
>>
>> If I check my signed domain, sometimes it is approved and sometimes I
>> get an unexpected exception error 999.
>> I do not change anything in the meantime.
>>
>> I've used the tools of bind for generating keys and signing the zone.
>>
>> e.g.:
>> dnssec-signzone -v 9 -A -3 b0255d9fc8b8cf81 -o tower-net.de -K
>> /var/lib/yadifad/zones/keys -d /var/lib/yadifad/zones/keys -k
>> Ktower-net.de.+007+62298.key -N increment -t
>> /var/lib/yadifad/zones/masters/tower-net.de.zone
>> Ktower-net.de.+007+62654.key Ktower-net.de.+007+62298.key
>>
>> For your info: The example domain is not yet delegated to my domain
>> servers. With the denic tool I've specified the domain servers with the
>> available signed zones.
>>
>> Btw. the bind tools are the hell of usability. Why do you have to specify
>> the KSK 2 times? Isn't it enough to say -k KSK?! And no warning. Just
>> the fully signed zones are not correctly signed. ;-)
>>
>> Ok. Back to the remaining problem...
>>
>> In the query log I see different entries when the zone is approved and
>> when it is denied.
>>
>> approved:
>> 2015-02-27 09:22:22.666113 | queries | I | query [958c] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#19612)
>>
>> denied:
>> 2015-02-27 09:21:58.376208 | queries | I | query [9df4] {--ETD--} it-newmedia.de. IN SOA (81.91.160.254#9897)
>>
>> So there is a T-flag when the denic denies my zone.
>>
>> What do these flags mean? I couldn't find documentation for them.
>>
>> br,
>> Markus
>> _______________________________________________
>> yadifa-users mailing list
>> yadifa-users at mailinglists.yadifa.eu
>> http://www.yadifa.eu/mailman/listinfo/yadifa-users
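Added example (not from the thread or the YADIFA project): a small parser for the query-log lines shown above that decodes the flag field using Thomas's legend, then compares two check runs and reports which query shapes appear in one run only. Run over the two logs Markus posted (the approved and the not-approved run, embedded below as sample data), it isolates the single difference he noticed by eye: an SOA query with EDNS, DO and TCP set that only occurs in the run DENIC did not approve. The fixed seven-character width of the flag field and the exact line layout are assumptions taken from the sample lines, not from YADIFA documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Flag letters as listed by Thomas in the thread; '-' means the option is unset.
FLAG_LEGEND = {
    "+": "recursion desired",
    "S": "query signed",
    "E": "EDNS",
    "T": "TCP",
    "D": "DO bit set (DNSSEC OK)",
    "C": "CD bit set (Checking Disabled)",
}

# Line layout assumed from the sample lines: timestamp | queries | level | query [id] {flags} qname IN qtype (ip#port)
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \| queries \| (?P<level>\w) \| "
    r"query \[(?P<id>[0-9a-f]{4})\] \{(?P<flags>[^}]*)\} "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) \((?P<addr>[^#]+)#(?P<port>\d+)\)$"
)


@dataclass(frozen=True)
class QueryEntry:
    timestamp: str
    query_id: str
    flags: frozenset      # legend letters that are set, e.g. {'E', 'T', 'D'}
    qname: str
    qtype: str
    source_ip: str
    source_port: int


def decode_flags(field: str) -> Set[str]:
    """Translate a raw flag field such as '--ETD--' into the legend's option names."""
    names = set()
    for ch in field:
        if ch == "-":
            continue
        if ch not in FLAG_LEGEND:
            raise ValueError(f"unknown query flag {ch!r} in {field!r}")
        names.add(FLAG_LEGEND[ch])
    return names


def parse_line(line: str) -> Optional[QueryEntry]:
    """Parse one query-log line; returns None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return QueryEntry(
        timestamp=m["ts"], query_id=m["id"],
        flags=frozenset(c for c in m["flags"] if c != "-"),
        qname=m["qname"], qtype=m["qtype"],
        source_ip=m["addr"], source_port=int(m["port"]),
    )


def parse_log(text: str) -> List[QueryEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def query_shapes(entries: List[QueryEntry]) -> Set[Tuple[str, str]]:
    """Collapse a run to the set of (qtype, sorted flag letters) it contained."""
    return {(e.qtype, "".join(sorted(e.flags))) for e in entries}


def shapes_only_in(run_a: List[QueryEntry], run_b: List[QueryEntry]) -> Set[Tuple[str, str]]:
    """Query shapes that occur in run_a but never in run_b."""
    return query_shapes(run_a) - query_shapes(run_b)


def tcp_dnssec_queries(entries: List[QueryEntry]) -> List[QueryEntry]:
    """Queries that carried the DO bit and arrived over TCP (T and D both set)."""
    return [e for e in entries if "T" in e.flags and "D" in e.flags]


# Sample data: the two runs Markus posted, one log line per query.
DENIED_RUN = """\
2015-02-27 09:21:58.337569 | queries | I | query [136f] {-------} it-newmedia.de. IN SOA (81.91.160.254#30993)
2015-02-27 09:21:58.337701 | queries | I | query [434e] {-------} it-newmedia.de. IN SOA (81.91.160.254#53665)
2015-02-27 09:21:58.353038 | queries | I | query [64d3] {---T---} it-newmedia.de. IN NS (81.91.160.254#25900)
2015-02-27 09:21:58.353138 | queries | I | query [c6d6] {---T---} it-newmedia.de. IN NS (81.91.160.254#7540)
2015-02-27 09:21:58.361102 | queries | I | query [a36f] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#58913)
2015-02-27 09:21:58.361182 | queries | I | query [b913] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#9074)
2015-02-27 09:21:58.361244 | queries | I | query [4531] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#27506)
2015-02-27 09:21:58.361291 | queries | I | query [ed65] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#39832)
2015-02-27 09:21:58.376208 | queries | I | query [9df4] {--ETD--} it-newmedia.de. IN SOA (81.91.160.254#9897)
2015-02-27 09:22:01.365449 | queries | I | query [250b] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#22941)
2015-02-27 09:22:01.365610 | queries | I | query [4b4b] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#30404)
"""

APPROVED_RUN = """\
2015-02-27 09:22:22.642853 | queries | I | query [65c9] {-------} it-newmedia.de. IN SOA (81.91.160.254#60462)
2015-02-27 09:22:22.642925 | queries | I | query [589a] {-------} it-newmedia.de. IN SOA (81.91.160.254#63259)
2015-02-27 09:22:22.657871 | queries | I | query [fe57] {---T---} it-newmedia.de. IN NS (81.91.160.254#33254)
2015-02-27 09:22:22.657957 | queries | I | query [63b0] {---T---} it-newmedia.de. IN NS (81.91.160.254#10298)
2015-02-27 09:22:22.665857 | queries | I | query [564b] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#51714)
2015-02-27 09:22:22.666006 | queries | I | query [37ec] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#42246)
2015-02-27 09:22:22.666113 | queries | I | query [958c] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#19612)
2015-02-27 09:22:22.666131 | queries | I | query [ab2d] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#44694)
2015-02-27 09:22:25.669001 | queries | I | query [3b36] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#61206)
2015-02-27 09:22:25.669078 | queries | I | query [0246] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#59747)
"""

if __name__ == "__main__":
    denied, approved = parse_log(DENIED_RUN), parse_log(APPROVED_RUN)
    for qtype, letters in sorted(shapes_only_in(denied, approved)):
        print(f"only in denied run: {qtype} with {sorted(decode_flags(letters))}")
    for e in tcp_dnssec_queries(denied):
        print(f"DO-bit query over TCP: id {e.query_id} {e.qtype} at {e.timestamp}")
```

Comparing runs by (qtype, flags) shape rather than by query id or source port keeps the diff stable across repeated checks, since ids and ports change every run while the shape of the checker's query sequence does not. Unknown flag letters raise rather than being silently dropped, so a log format change shows up as an error instead of a missing query in the diff.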