[nSLUG] DNSSEC configuration

George N. White III gnwiii at gmail.com
Tue Dec 16 14:53:25 AST 2014


On Tue, Dec 16, 2014 at 12:48 PM, D G Teed <donald.teed at gmail.com> wrote:

>
> I'm looking into DNSSEC now that CIRA supports it.  I thought I had
> the client look-ups supporting this, but now I see the dig results don't
> jive with that.  Tried the usual set up at home on Debian like so:
>

[...]

==============================

>
> And this test goes through without failing:
>
> =========================================================
> dig badsign-a.test.dnssec-tools.org +dnssec
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> badsign-a.test.dnssec-tools.org
> +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32924
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;badsign-a.test.dnssec-tools.org. IN    A
>
> ;; ANSWER SECTION:
> badsign-a.test.dnssec-tools.org. 86379 IN A     69.163.146.191
> badsign-a.test.dnssec-tools.org. 86379 IN RRSIG A 5 4 86400
> 20150109054254 20141210044254 19442 test.dnssec-tools.org.
> B1MGrhDRytcRAMy0lJpVBYiqunBIJsOV502S2m3QVp2ukZTEWJcNgeC8
> dbyL8MhiZrEjsa7ndloRQJWZa6xJ9hEA1NFm68tTfw2SYfuHJH65HbHf
> LQJLtukkBY33YePiJ5w2trmgfbEpfuAvxahRladYmu4MqRwKVFlk9MDF rJ4=
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.0.3#53(192.168.0.3)
> ;; WHEN: Tue Dec 16 11:40:51 2014
> ;; MSG SIZE  rcvd: 257
>
> =========================================================
>
> This second test is supposed to fail according to dnssec-tools.org
> troubleshooting guide.
>

The "dig" manual just says that "+dnssec" requests that DNSSEC records be
sent -- maybe you need to enable signature chain chasing (compile with
-DDIG_SIGCHASE).


Is the documentation I'm finding out of date or have I missed a piece?
It has the scent of something very simple being missed.

dnssec-tools.org <http://dnssec-tools.org> says my DNS is insecure and
the tutorials link gives

(Can't contact the database server: Unknown MySQL server host 'sidekick.rdi.tislabs.com' (2) (sidekick.rdi.tislabs.com)).

[...]
-- 
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
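
An added example, not part of the original message or of the dnssec-tools.org guide: a validating resolver sets the `ad` flag on answers it has verified and returns SERVFAIL for data that fails validation, so a NOERROR reply carrying an RRSIG but no `ad`, like the one quoted above, only shows that signatures were returned. The Python below classifies dig output on that basis; the function names and the SERVFAIL sample are constructed for illustration.

```python
import re

# Header and answer lines of the dig reply quoted in the message above
# (abridged; the RRSIG signature bytes are omitted).
QUOTED_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32924
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
badsign-a.test.dnssec-tools.org. 86379 IN A     69.163.146.191
badsign-a.test.dnssec-tools.org. 86379 IN RRSIG A 5 4 86400 (abridged)
"""

# Constructed sample: the shape of a reply from a validating resolver
# that rejected the answer.
CONSTRUCTED_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""

def parse_dig(text):
    """Extract status, header flags, the EDNS DO bit and RRSIG presence."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    edns = re.search(r"^; EDNS:.*flags:([^;]*);", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "do": bool(edns and "do" in edns.group(1).split()),
        "rrsig": bool(re.search(r"^[^;\s]\S*\s+\d+\s+IN\s+RRSIG\s", text, re.M)),
    }

def classify(text):
    """Say what the reply shows about validation by the queried resolver."""
    r = parse_dig(text)
    if r["status"] is None:
        return "unparseable"
    if r["status"] == "SERVFAIL":
        return "servfail"  # consistent with failed validation; other causes exist
    if r["status"] != "NOERROR":
        return "other"
    if "ad" in r["flags"]:
        return "validated"  # resolver asserts it verified the chain of trust
    return "signed-but-unvalidated" if r["rrsig"] else "unsigned-or-unvalidated"

if __name__ == "__main__":
    print(classify(QUOTED_REPLY), classify(CONSTRUCTED_SERVFAIL))
```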