[dns-operations] Help with DNSSEC config

Mark Andrews marka at isc.org
Fri Aug 3 07:01:54 UTC 2012


In message <CAEU_gmeKNvZswsmGoBxrA3pGS2mboeh83Y_px8BZ+LTO9iBTPg at mail.gmail.com>
, Mohamed Lrhazi writes:
> I am trying to verify my DNSSEC setup... Can anyone help me out by
> explaining why this first dig would work, while the next would not:

	The DNSKEY/DS disagree on the DNSSEC algorithm in use.

			5 != 7

	Mark

gu.edu.			85998	IN	DNSKEY	256 3 7 AwEAAb2bbFYfwZA2y1q31Dyxcc6kYeMPv1lqzWUc0V2mSmwR6N6GgOHB gU7MNvrN08aENdaIOkof+/9PQ3o3Sy6MFAHEmb7pmywmVcV+qDuB6qeM +Vud6LSlgI29xx2J0z/eoooXdYAITutkP6bQ11/1cf4VhJ6G1w1yuWko jq6yQtHUcIsr4gv5haZ4rOWETABHZy1lw6w8AGqbINjRMdROR+ib1ONX +Sm16Lif1tO75pjOJHGdzNxbumw8uH9htVE/TBumVrFsIGf24Z9XaYUM wbT4J3PpygLv0Kk7hYdmQorhU9ZRGmylgeK6vS6OljjteYS3c+WxHG2f 8/YJqCQS3iE=  ; ZSK; alg = NSEC3RSASHA1; key id = 30389
gu.edu.			85998	IN	DNSKEY	257 3 7 AwEAAc1nFtws6A1isG3GClWQXrCQl52Eyl5VqAoSilEFejr12iyG2e35 ro/QHyLFbE1jfXDuCUc9iqOcA5AgFiTY5V30RSv020DEQvRkhhESmbGp GGenlsLwXvbI022FtiTl2uIHg9/KDUElmBJQXGeBCMzHTS/jQXxCrP5Z +pXbEbCSadORB3Zxzz417Agea3PXYm3WykSxHWZYwQJFn6WyOlvqJdyX fgOPkgRLQ26iSquqzxyVTGTJ8L2gYf7/OyOE+CxzL3iDJSLHLg5PD2/0 ZgW0UfXvWu1uacY5EhxUBYKW2k8IFeYYNabeOD8pmF3eqb/AgGdWv9KL VaeTyhE/6YM=  ; KSK; alg = NSEC3RSASHA1; key id = 3078

gu.edu.			85807	IN	DS	3078 5 1 B4C9FB14D6519C3ECE5CC43E80C463D5847D73ED

> jazz:~ [5764]# dig +dnssec @ns1.gu.edu gu.edu
> 
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +dnssec @ns1.gu.edu
> gu.edu
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44596
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> 
> ...
> 
> jazz:~ [5765]# dig +dnssec @bind.odvr.dns-oarc.net gu.edu
> 
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +dnssec @
> bind.odvr.dns-oarc.net gu.edu
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18338
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ...
> jazz:~ [5766]#
> 
> Thanks a lot,
> Mohamed.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
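
Added example, not part of the original message or of any ISC tool: a small offline check that classifies how a parent DS relates to the child's DNSKEY set, reproducing the "5 != 7" case above where the key tag matches but the algorithm field does not. The function names, the owner name example. and the 3-byte keys "AQID" and "BAUG" are constructed for illustration; the key tag follows RFC 4034 Appendix B.

```python
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire form: flags | protocol | algorithm | public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode("".join(key_b64.split())))

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata, digest_type=1):
    """Return (key_tag, algorithm, digest_type, hex_digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_ds(owner, ds, dnskeys):
    """Classify a DS tuple against a list of DNSKEY RDATAs."""
    tag, alg, dtype, digest = ds
    candidates = [k for k in dnskeys if key_tag(k) == tag]
    if not candidates:
        return "no DNSKEY with this key tag"
    same_alg = [k for k in candidates if k[3] == alg]
    if not same_alg:  # the case in this thread: DS algorithm 5, DNSKEY algorithm 7
        return "algorithm mismatch: DS %d != DNSKEY %d" % (alg, candidates[0][3])
    if any(make_ds(owner, k, dtype)[3] == digest.upper() for k in same_alg):
        return "ok"
    return "digest mismatch"

if __name__ == "__main__":
    # Constructed sample zone: a KSK and a ZSK, both algorithm 7.
    ksk = dnskey_rdata(257, 3, 7, "AQID")
    zsk = dnskey_rdata(256, 3, 7, "BAUG")
    good = make_ds("example.", ksk)
    stale = (good[0], 5, good[2], good[3])  # same tag and digest, algorithm 5
    print(good, check_ds("example.", good, [zsk, ksk]))
    print(stale, check_ds("example.", stale, [zsk, ksk]))
```
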


