[Opendnssec-user] Publish keys with domanhanteraren

Mattias Andersson mattias at nonetwork.se
Wed Aug 12 10:15:07 UTC 2009


Hi,

I have signed my zone (nonetwork.se) using kasp.xml deny policy like
<Denial>
        <NSEC/>
</Denial>

This gives me a signed zone looking like (parts of zone)

--
; Signed on 2009-08-12 11:55:59
nonetwork.se.   3600    IN      SOA     ns01.nonetwork.se. 
hostmaster.nonetwork.se. 2009081208 86400 3600 1200000 3600

nonetwork.se.   3600    IN      RRSIG   SOA 7 2 3600 20090819104856 
20090812095059 38699 nonetwork.se. Q21hOI5MshvSDXwdCZbGpWCq2
eOnMAZ/xNHMyk+X1n5HWIcJWBB32z5/jxs4CbUJznAvc/kLAXfZ9Q4h5o8RdNJLIEltUnJLkUsGCM6AxKkVBGxHmRWp8mZdf5DIEqCJqHPU8v4uH8KSyPRB+eVE6Krib
EtEgV6EV+ai80PnaCY=

nonetwork.se.   3600    IN      DNSKEY  256 3 7 
AwEAAa2z04CVRDWX6BmKpm3n9gwmpwUkSmqD14HWLQk2z6v/YPEOFU8/8/of0VdGnb370QcYnpvgPDDi
dxCci5XXLO+3uomFS18074VeNZdYyvwbmt3l2qCGzN0zF2li6yp+E3MqBCtahgGFLtcK4+U/+IUaPXQ02wCr0TKzOcueqM1H

nonetwork.se.   3600    IN      DNSKEY  256 3 7 
AwEAAbQY8u7L9vcyrtfxh6Oz59A8IR3Az+wDAGCRMLKWbn257TMRSU4XrL/SoMc55S9uuY8g36iav3YS
o16chdVQISuMwBoqTgtLnLQPTKpnwgAGZSOPMryOiYmfvsAA4XKd64AmNzhGmqS9pv0C1JxMno5BW6ZvTRIzMy8+fifQf0Ct

nonetwork.se.   3600    IN      DNSKEY  256 3 7 
AwEAAdasxtSsoc93jx57z4DMK6IJnHakhX1oQ0dZBUhqenCIKUrRlOJanLoyAKJg93Iz0IR09c4uiXAS
emwCZB4Z+W3WoaoanWxBG2zNqZfiXxa9E5WIu2Gp8LKj+eTyWjZaxu1MDZoKuTe86Jo50SqR/5MVNYIRDIQDpJf6tr8JC943

nonetwork.se.   3600    IN      DNSKEY  257 3 7 
AwEAAcZY4zK/C95QUPHr/xeiMrwo4estnDg5nbYr0wPOv0U8KvR/TyE+RtVzQeqWXGHuM0BAKLLkA9EZ
LiNn2wSachJ8/u0DwLwzZOqbAnLjXBPc5rpajrcWlRsHVzoYtS2V7RR8LvoXFpAuTd/xTThkc8wBAJQ/M27xW/tm8q4TFmH5cF58IBcirNDpeAgAX7oylTKWkxU8pAa5
KjHhYGdi106Rl4AzgjslQkYcgCLeJcIxFuCWEWs89jv9ae8UPGRBkWYu8O0wo1IUxkdScerRacTqzu5bP1oTI5orNY8KFUZLZVUKMr99XnweC1BdKwUtLuYuXMGqogzx
WJSgUa7cG3s=

nonetwork.se.   3600    IN      DNSKEY  257 3 7 
AwEAAdKUC3nqz0IYiCiZCNTJqjW13xvSztgC3Wcqh7RPgRIqFE36dzRwmQxIjOHNfOhQ0JU8DqHAD6dt
fYYCVq3Cq7t7GjnIZiwwa4r9cIVkyVF3/YsZxmugDXJt2IdPjG1baM6UmLZ8dXYkaAkSFWNSXG6jhQaR7WJGwF1Xx2x1LUCsZc5RRHQ4QmY0kHcjHnz9MgCH4eQ3kmVI
S1FXqn3aV63rwVnVljuSCteWeAbQrWyHvk+s48gI9v/c2ku8s/UdQ21tkegFAIRi65sjRRQF9/DFDVjhUh6Rgae50cJN1650/XKLCn7L23hB6+p/8MD8XhdXBtgDibzr
Vjr2uZdZ/J8=

nonetwork.se.   3600    IN      RRSIG   DNSKEY 7 2 3600 20090819135454 
20090812095059 22164 nonetwork.se. Qk8PaoqgoF7hTWafb0BgOm
VCHCb0eb2i++y99KSxBK4zvZw7VZvwIYKwx0biQRTVWF07q8C8HZmsgXsukjasQAiRp3fbBOMWJk1fyoNQ0hXeJCjE3eC3xQekBdrr8h+Gx/KtJp1UmeRfjAzN/dj/Ww
y1WFJieb81E4+20N8UlEcnCaqVN0YGdpQqw7Iqqn9y/F676LfMbdVNCS9RPCwzMYT7VnJDlhZqUsCOFGQyZnKPeCKt5XIqicIBlB2x6NzfqebskqPr8QzG0ww1KaUS7pCoCW21G9s
u71kOdEFzp2n9evGBYlDBlSNQVvg722YM5hz26QX5hm+Ol6BPK3nqJA==
---

When I choose "Fetch keys from name servers" in domanhanteraren, it states
---
Nycklar från namnservrar
      Status     Nyckeltag     Algoritm     Fingerprint (SHA-1)     
Nyckeltyp      
    Ej publicerbar     14538     RSASHA1-NSEC3-SHA1         KSK    

    * Zonnyckelflaggan är definierad.
    * Den säkra startflaggan (SEP) är definierad.
    * Protokollet är version 3.
    * Algoritmen är korrekt.
    * Nyckeln signerar inte zonen.
    * Algoritmen anses säker.
    * Känd algoritm.
    * Bit 0-6 och 8-14 är satt till 0.

    Ej publicerbar     22164     RSASHA1-NSEC3-SHA1         KSK    

    * Zonnyckelflaggan är definierad.
    * Den säkra startflaggan (SEP) är definierad.
    * Protokollet är version 3.
    * Algoritmen är korrekt.
    * Nyckeln signerar inte zonen.
    * Algoritmen anses säker.
    * Känd algoritm.
    * Bit 0-6 och 8-14 är satt till 0.
---

And dnscheck gives:
http://dnscheck.iis.se/?time=1250071868&id=233758&view=advanced&test=standard

I'm not sure how to interpret this, but it seems to me the zone is still 
signed with nsec3, which is not supported?
Is this right, or is there something else that is wrong?
Please advise. How do I see this for sure? Could someone educate me?

Thanks a lot.

/Mattias
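
Added example (not part of the original post and not OpenDNSSEC code): a Python reading of the numeric fields in the zone excerpt above, decoding the DNSKEY flags, protocol and algorithm per RFC 4034 and listing which key tag signs which RRset. The function names are hypothetical, the key and signature material is replaced by a placeholder, and the record lines are joined onto one line each; the denial type is read from NSEC/NSEC3 record types, not from the algorithm number.

```python
# Numeric fields copied from the zone excerpt in the post; key and signature
# material is replaced by a placeholder because it is not needed here.
EXCERPT = """\
nonetwork.se. 3600 IN RRSIG SOA 7 2 3600 20090819104856 20090812095059 38699 nonetwork.se. BASE64-ELIDED
nonetwork.se. 3600 IN DNSKEY 256 3 7 BASE64-ELIDED
nonetwork.se. 3600 IN DNSKEY 257 3 7 BASE64-ELIDED
nonetwork.se. 3600 IN RRSIG DNSKEY 7 2 3600 20090819135454 20090812095059 22164 nonetwork.se. BASE64-ELIDED
"""

ZONE_BIT = 0x0100                          # flags bit 7: Zone Key
SEP_BIT = 0x0001                           # flags bit 15: Secure Entry Point
RESERVED = 0xFFFF & ~(ZONE_BIT | SEP_BIT)  # bits 0-6 and 8-14 must be zero
# Small subset of the IANA DNSSEC algorithm numbers.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}


def decode_dnskey(flags, protocol, algorithm):
    """Decode the three numeric DNSKEY RDATA fields."""
    return {
        "zone_key": bool(flags & ZONE_BIT),
        "sep": bool(flags & SEP_BIT),
        "reserved_bits_zero": (flags & RESERVED) == 0,
        "protocol_ok": protocol == 3,
        "algorithm": ALGORITHMS.get(algorithm, f"unknown({algorithm})"),
        # By convention a key with SEP set is used as KSK, otherwise as ZSK.
        "role": "KSK" if flags & SEP_BIT else "ZSK",
    }


def summarize(zone_text):
    """Return (decoded DNSKEYs, {covered type: signing key tags}, denial types)."""
    keys, signers, denial = [], {}, set()
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        rtype, rdata = f[3], f[4:]
        if rtype == "DNSKEY" and len(rdata) >= 3:
            keys.append(decode_dnskey(*map(int, rdata[:3])))
        elif rtype == "RRSIG" and len(rdata) >= 7:
            # RRSIG RDATA: covered alg labels ttl expiration inception keytag ...
            signers.setdefault(rdata[0], set()).add(int(rdata[6]))
        elif rtype in ("NSEC", "NSEC3"):
            denial.add(rtype)              # record type shows the denial method
    return keys, signers, denial


if __name__ == "__main__":
    for part in summarize(EXCERPT):
        print(part)
```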


