
I'm trying to enable DNSSEC on my authoritative DNS BIND machine. So far I've done the following tutorial:

  • Generate the KSK and ZSK keys:

    dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename

    dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename

  • Include the pub key in the zone and sign the zone:

    dnssec-signzone -o zonename -k KSKfile zonefile ZSKfile

  • Add the signed zone in place of the old one in named.conf

  • Restart Bind

I don't know if I've missed something, but the registrar that supports DNSSEC keeps telling me:

Error Signature DNSKEY entries is not valid.
Error Signature SOA entry is not valid.

Does anyone know how to solve this? Is there any online DNSSEC tool that displays more info about the DNSSEC status?

Kami
  • Your registrar is needed only to submit the DS record (or, in very rare cases, the DNSKEY record) upstream, to the registry. It should have no operational role in DNS/DNSSEC operations... except if it is also the DNS provider, which is not mandatory. You are not even specifying the TLD involved here, and there are various details that depend on it. The errors you quote are vague, and obviously only the registrar would be able to help if the message comes from there; did you contact it? – Patrick Mevzek Nov 01 '21 at 22:03
  • I feel obligated to answer, as I wrote the tutorial that you are following. :) Without additional information (the zone name, for example), the error messages that your registrar provided are a bit too generic to provide any clue as to what the actual problem is. If you provide additional information, I'll see what it looks like from this side... If you've already solved the problem, I'd be quite interested in what caused the problem. – Knobee Oct 26 '10 at 12:20

2 Answers

There are three DNSSEC online checkers that I know of:

What's unclear from your question is exactly what you're asking your registrar to do. If you're hosting the domain on your own machine (which appears to be the case) then all you should be sending your registrar is your DS record, so that they can send it to the appropriate registry.

BTW, did you include both public keys in your zone file before signing it? You only mention one key above, in the second bullet point. Apart from that, what you've done looks OK.

Alnitak
  • The last two tools have basically now been replaced by only Zonemaster. DNSViz is also a tremendous tool to use for DNS/DNSSEC debugging. – Patrick Mevzek Nov 01 '21 at 22:03
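The signing step from the question, with the check Alnitak's answer points at, as an added example that is not the asker's or the tutorial's code: it expands the zone's `$INCLUDE` lines and refuses to run `dnssec-signzone` unless both a ZSK (flags 256) and a KSK (flags 257) DNSKEY record are present. Zone and file names are assumptions; the `.key` file layout is the one `dnssec-keygen` writes.

```shell
#!/bin/sh
# Added example, not from the question or the tutorial it follows.
# dnssec-keygen writes each public key as a DNSKEY RR into K<zone>+<alg>+<id>.key;
# the unsigned zone must $INCLUDE both files before dnssec-signzone runs,
# otherwise the DNSKEY/SOA signatures cannot chain to the DS at the registry.

# Print the zone file with one level of $INCLUDE expanded (paths relative
# to the zone file's directory, as BIND resolves them).
expand_zone() {
    zonefile=$1
    dir=$(dirname "$zonefile")
    while IFS= read -r line; do
        case $line in
            '$INCLUDE '*)
                set -- $line                 # $2 = file name, $3 = optional origin
                inc=$2
                case $inc in /*) ;; *) inc="$dir/$inc" ;; esac
                if [ -r "$inc" ]; then cat "$inc"; fi
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$zonefile"
}

# Count DNSKEY records whose flags field is $2 (256 = ZSK, 257 = KSK);
# comment lines (leading ';') are ignored.
count_dnskey() {
    expand_zone "$1" | awk -v want="$2" '
        $0 !~ /^[ \t]*;/ { for (i = 1; i < NF; i++)
                               if ($i == "DNSKEY" && $(i+1) == want) n++ }
        END { print n + 0 }'
}

# Succeed only when the zone carries at least one ZSK and one KSK.
zone_has_both_keys() {
    [ "$(count_dnskey "$1" 256)" -ge 1 ] && [ "$(count_dnskey "$1" 257)" -ge 1 ]
}

# Sign exactly as in the question, but refuse to run with a key missing.
# usage: sign_zone zonename zonefile KSKfile ZSKfile
sign_zone() {
    if ! zone_has_both_keys "$2"; then
        echo "refusing to sign $1: zone file must \$INCLUDE both .key files" >&2
        return 1
    fi
    dnssec-signzone -o "$1" -k "$3" "$2" "$4"
}
```

Running `zone_has_both_keys` on the unsigned zone before signing reproduces the "only one key" mistake as a failing check instead of an opaque registrar error.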

I manage a list of on-line DNS checking tools, with a special emphasis on DNSSEC.

bortzmeyer