[Opendnssec-user] Publish keys with domanhanteraren
Mattias Andersson
mattias at nonetwork.se
Wed Aug 12 10:15:07 UTC 2009
Hi,
I have signed my zone (nonetwork.se) using kasp.xml deny policy like
<Denial>
<NSEC/>
</Denial>
This gives me a signed zone looking like (parts of zone)
--
; Signed on 2009-08-12 11:55:59
nonetwork.se. 3600 IN SOA ns01.nonetwork.se.
hostmaster.nonetwork.se. 2009081208 86400 3600 1200000 3600
nonetwork.se. 3600 IN RRSIG SOA 7 2 3600 20090819104856
20090812095059 38699 nonetwork.se. Q21hOI5MshvSDXwdCZbGpWCq2
eOnMAZ/xNHMyk+X1n5HWIcJWBB32z5/jxs4CbUJznAvc/kLAXfZ9Q4h5o8RdNJLIEltUnJLkUsGCM6AxKkVBGxHmRWp8mZdf5DIEqCJqHPU8v4uH8KSyPRB+eVE6Krib
EtEgV6EV+ai80PnaCY=
nonetwork.se. 3600 IN DNSKEY 256 3 7
AwEAAa2z04CVRDWX6BmKpm3n9gwmpwUkSmqD14HWLQk2z6v/YPEOFU8/8/of0VdGnb370QcYnpvgPDDi
dxCci5XXLO+3uomFS18074VeNZdYyvwbmt3l2qCGzN0zF2li6yp+E3MqBCtahgGFLtcK4+U/+IUaPXQ02wCr0TKzOcueqM1H
nonetwork.se. 3600 IN DNSKEY 256 3 7
AwEAAbQY8u7L9vcyrtfxh6Oz59A8IR3Az+wDAGCRMLKWbn257TMRSU4XrL/SoMc55S9uuY8g36iav3YS
o16chdVQISuMwBoqTgtLnLQPTKpnwgAGZSOPMryOiYmfvsAA4XKd64AmNzhGmqS9pv0C1JxMno5BW6ZvTRIzMy8+fifQf0Ct
nonetwork.se. 3600 IN DNSKEY 256 3 7
AwEAAdasxtSsoc93jx57z4DMK6IJnHakhX1oQ0dZBUhqenCIKUrRlOJanLoyAKJg93Iz0IR09c4uiXAS
emwCZB4Z+W3WoaoanWxBG2zNqZfiXxa9E5WIu2Gp8LKj+eTyWjZaxu1MDZoKuTe86Jo50SqR/5MVNYIRDIQDpJf6tr8JC943
nonetwork.se. 3600 IN DNSKEY 257 3 7
AwEAAcZY4zK/C95QUPHr/xeiMrwo4estnDg5nbYr0wPOv0U8KvR/TyE+RtVzQeqWXGHuM0BAKLLkA9EZ
LiNn2wSachJ8/u0DwLwzZOqbAnLjXBPc5rpajrcWlRsHVzoYtS2V7RR8LvoXFpAuTd/xTThkc8wBAJQ/M27xW/tm8q4TFmH5cF58IBcirNDpeAgAX7oylTKWkxU8pAa5
KjHhYGdi106Rl4AzgjslQkYcgCLeJcIxFuCWEWs89jv9ae8UPGRBkWYu8O0wo1IUxkdScerRacTqzu5bP1oTI5orNY8KFUZLZVUKMr99XnweC1BdKwUtLuYuXMGqogzx
WJSgUa7cG3s=
nonetwork.se. 3600 IN DNSKEY 257 3 7
AwEAAdKUC3nqz0IYiCiZCNTJqjW13xvSztgC3Wcqh7RPgRIqFE36dzRwmQxIjOHNfOhQ0JU8DqHAD6dt
fYYCVq3Cq7t7GjnIZiwwa4r9cIVkyVF3/YsZxmugDXJt2IdPjG1baM6UmLZ8dXYkaAkSFWNSXG6jhQaR7WJGwF1Xx2x1LUCsZc5RRHQ4QmY0kHcjHnz9MgCH4eQ3kmVI
S1FXqn3aV63rwVnVljuSCteWeAbQrWyHvk+s48gI9v/c2ku8s/UdQ21tkegFAIRi65sjRRQF9/DFDVjhUh6Rgae50cJN1650/XKLCn7L23hB6+p/8MD8XhdXBtgDibzr
Vjr2uZdZ/J8=
nonetwork.se. 3600 IN RRSIG DNSKEY 7 2 3600 20090819135454
20090812095059 22164 nonetwork.se. Qk8PaoqgoF7hTWafb0BgOm
VCHCb0eb2i++y99KSxBK4zvZw7VZvwIYKwx0biQRTVWF07q8C8HZmsgXsukjasQAiRp3fbBOMWJk1fyoNQ0hXeJCjE3eC3xQekBdrr8h+Gx/KtJp1UmeRfjAzN/dj/Ww
y1WFJieb81E4+20N8UlEcnCaqVN0YGdpQqw7Iqqn9y/F676LfMbdVNCS9RPCwzMYT7VnJDlhZqUsCOFGQyZnKPeCKt5XIqicIBlB2x6NzfqebskqPr8QzG0ww1KaUS7pCoCW21G9s
u71kOdEFzp2n9evGBYlDBlSNQVvg722YM5hz26QX5hm+Ol6BPK3nqJA==
---
When I choose "Fetch keys from name servers" in domanhanteraren, it states
---
Nycklar från namnservrar
Status Nyckeltag Algoritm Fingerprint (SHA-1) Nyckeltyp
Ej publicerbar 14538 RSASHA1-NSEC3-SHA1 KSK
* Zonnyckelflaggan är definierad.
* Den säkra startflaggan (SEP) är definierad.
* Protokollet är version 3.
* Algoritmen är korrekt.
* Nyckeln signerar inte zonen.
* Algoritmen anses säker.
* Känd algoritm.
* Bit 0-6 och 8-14 är satt till 0.
Ej publicerbar 22164 RSASHA1-NSEC3-SHA1 KSK
* Zonnyckelflaggan är definierad.
* Den säkra startflaggan (SEP) är definierad.
* Protokollet är version 3.
* Algoritmen är korrekt.
* Nyckeln signerar inte zonen.
* Algoritmen anses säker.
* Känd algoritm.
* Bit 0-6 och 8-14 är satt till 0.
---
And dnscheck gives:
http://dnscheck.iis.se/?time=1250071868&id=233758&view=advanced&test=standard
I'm not sure how to interpret this, but it seems to me the zone is still
signed with nsec3, which is not supported?
Is this right, or is there something else that is wrong?
Please advise. How do I see this for sure? Could someone educate me?
Thanks a lot.
/Mattias
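
An added example (not part of the original post, and not OpenDNSSEC or domanhanteraren code): a Python check that reads zone-file text and reports each DNSKEY's role and algorithm, the key tags that sign each RRset, and which denial-of-existence record types are actually present. Algorithm 7 (RSASHA1-NSEC3-SHA1) is a key algorithm identifier; the denial method in use shows in whether the zone carries NSEC or NSEC3/NSEC3PARAM records. The sample zone is constructed (placeholder key and signature data, assumed NSEC record), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Algorithm numbers from the IANA DNSSEC registry (subset).
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}

# Constructed sample shaped like the zone excerpt in the post; key and
# signature data are placeholders and the NSEC record is an assumption.
SAMPLE_ZONE = """\
example.se. 3600 IN SOA ns01.example.se. hostmaster.example.se. 2009081208 86400 3600 1200000 3600
example.se. 3600 IN RRSIG SOA 7 2 3600 20090819104856
20090812095059 38699 example.se. PLACEHOLDERSIG=
example.se. 3600 IN DNSKEY 256 3 7 PLACEHOLDERZSK=
example.se. 3600 IN DNSKEY 257 3 7
PLACEHOLDERKSK=
example.se. 3600 IN RRSIG DNSKEY 7 2 3600 20090819135454 20090812095059 22164 example.se. PLACEHOLDERSIG=
example.se. 3600 IN NSEC ns01.example.se. NS SOA RRSIG NSEC DNSKEY
example.se. 3600 IN RRSIG NSEC 7 2 3600 20090819104856 20090812095059 38699 example.se. PLACEHOLDERSIG=
"""

RR_START = re.compile(r"^\S+\s+\d+\s+IN\s+(\S+)\s*(.*)$")

def records(zone_text):
    """Yield (type, rdata_fields), rejoining records wrapped over lines."""
    current = None
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        m = RR_START.match(line)
        if m:
            if current:
                yield current
            current = (m.group(1), m.group(2).split())
        elif current and line:
            current[1].extend(line.split())       # continuation of rdata
    if current:
        yield current

def summarize(zone_text):
    out = {"dnskeys": [], "signers": defaultdict(set), "denial": set()}
    for rtype, f in records(zone_text):
        if rtype == "DNSKEY":
            flags, alg = int(f[0]), int(f[2])
            role = "KSK" if flags & 1 else "ZSK"  # SEP bit set: 257 = KSK
            out["dnskeys"].append((role, alg, ALGORITHMS.get(alg, "unknown")))
        elif rtype == "RRSIG":
            out["signers"][f[0]].add(int(f[6]))   # covered type -> key tag
        elif rtype in ("NSEC", "NSEC3", "NSEC3PARAM"):
            out["denial"].add("NSEC" if rtype == "NSEC" else "NSEC3")
    return out
```
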