[Yeti DNS Discuss] Problem in the rollover?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Fri Jul 10 20:17:40 UTC 2015
One of my resolvers now SERVFAILs.
% dig DNSKEY .
; <<>> DiG 9.10.2-P1 <<>> DNSKEY .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42800
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN DNSKEY
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jul 10 20:14:52 UTC 2015
;; MSG SIZE rcvd: 28
It works if I query with +cd, so there is a DNSSEC issue:
% dig +cd DNSKEY .
; <<>> DiG 9.10.2-P1 <<>> +cd DNSKEY .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60019
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION:
. 86345 IN DNSKEY 256 3 8 (
AwEAAa7cUrnJqj2TgFoDK2oeP/tvqNegCVUsg8gq4AnU
8LOzNDaV6KzbOlQAjXwHzKWI+KWVD01h5q08dVnCcDEb
oamoNjBQN3hObq0x/8/OCrPfbl4JkoKU5etD3i11UXOa
KqFxKmxFfIh32N9EZxKZcxUQeDE1tHBpreUuaOiTVgN9
) ; ZSK; alg = RSASHA256; key id = 35271
. 86345 IN DNSKEY 257 3 8 (
AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbd
pD60ZhKLVV4KyxPmoSNUpq5Fv5M0iBwK1Tyswsyq/9sM
SoZ8zx8aT3ho1YnPsSqQeJfjTT1WsX6YZ5Kw6B2QkjRN
a6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJxHPzloNc
2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5
WFYQk770fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToT
DNqbHQmkEylq1XJLO15uZ/+RZNRfTXZKO4fVR0tMEbMA
ITqRmyP8xLXY4RXbS4J32gnenQbzABX8sQmwO7s=
) ; KSK; alg = RSASHA256; key id = 55954
. 86345 IN DNSKEY 257 3 8 (
AwEAAchb6LrHCdz9Yo55u1id/b+X1FqVDF66xNrhbgnV
+vtpiq7pDsT8KgzSijNuGs4GLGsMhVE/9H0wOtmVRUQq
Q50PHZsiqg8gqB6i5zLortjpaCLZS7Oke1xP+6LzVRgT
4c8NXlRBg3m/gDjzijBD0BMACjVGZNv0gReAg2OCr9dB
rweE6DnM6twG7D2NyuGjpWzKeJfNd3Hek39V9NGHuABG
kmYG16XCao37IWcP/s/57HuBom5U3SNfuzfVDppokatu
L6dXp9ktuuVXsESc/rUERU/GPleuNfRuPHFr3URmrRud
4DYbRWNVIsxqkSLrCldDjP1Hicf3S8NgVHJTSRE=
) ; KSK; alg = RSASHA256; key id = 24439
. 86345 IN RRSIG DNSKEY 8 0 86400 (
20150809184004 20150710184004 55954 .
c2Mci0CfbEBo7zyJ30IGP7F9eH+i8is5Klop5/VWLK/d
g78J0WcvSTO+SlbHOU0/RasylQbzTsQzp1KecyPIFPdc
JO0psZnievrHcO/IUkmU4PYwuVGrGRQgdI0N0FdfLgNB
HlCH44QGFD7Lutbs9ijWKj6W6a8ou27+ErL5LN9TjCDi
qjwSbfmNUT+wuL0Wo0pGlu36TeHbM4C2nDrBslPB9Czt
bUgIRWM5zdIgGWn5vaQRHsCmqKFxo6nN1kpNn8wsC+iI
L9Us/ZkKereGXUfoZ3pN8qriiIMM/JGx0D5uyIHsP9R8
51wEiRak6G4avTu4DkUDNOb5R38c5rlFlA== )
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jul 10 20:14:55 UTC 2015
;; MSG SIZE rcvd: 1011
My current set of keys is:
% cat /etc/unbound/autokey/yeti-key.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1436559301 ;;Fri Jul 10 20:15:01 2015
;;last_success: 1436453195 ;;Thu Jul 9 14:46:35 2015
;;next_probe_time: 1436566918 ;;Fri Jul 10 22:21:58 2015
;;query_failed: 173
;;query_interval: 43200
;;retry_time: 8640
. 86400 IN DNSKEY 257 3 8 AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4KyxPmoSNUpq5Fv5M0iBwK1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfjTT1WsX6YZ5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJxHPzloNc2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQk770fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJLO15uZ/+RZNRfTXZKO4fVR0tMEbMAITqRmyP8xLXY4RXbS4J32gnenQbzABX8sQmwO7s= ;{id = 55954 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=5 ;;lastchange=1436291512 ;;Tue Jul 7 17:51:52 2015
. 85667 IN DNSKEY 257 3 8 AwEAAchb6LrHCdz9Yo55u1id/b+X1FqVDF66xNrhbgnV+vtpiq7pDsT8KgzSijNuGs4GLGsMhVE/9H0wOtmVRUQqQ50PHZsiqg8gqB6i5zLortjpaCLZS7Oke1xP+6LzVRgT4c8NXlRBg3m/gDjzijBD0BMACjVGZNv0gReAg2OCr9dBrweE6DnM6twG7D2NyuGjpWzKeJfNd3Hek39V9NGHuABGkmYG16XCao37IWcP/s/57HuBom5U3SNfuzfVDppokatuL6dXp9ktuuVXsESc/rUERU/GPleuNfRuPHFr3URmrRud4DYbRWNVIsxqkSLrCldDjP1Hicf3S8NgVHJTSRE= ;{id = 24439 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1435757697 ;;Wed Jul 1 13:34:57 2015
The DNSKEY of the root is now signed only by 55954, which is still in
state ADDPEND. Is it normal?
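The check performed by hand in the message above, as an added example that is not part of the original post: it reads the RFC 5011 state of each key from an Unbound autotrust file, reads the signing key tags from the RRSIG over the DNSKEY RRset, and reports whether any signer is a usable trust anchor. Assumptions: the function names are hypothetical, keys in state VALID or MISSING count as trust anchors (per RFC 5011), the 30-day add hold-down is counted from `lastchange`, and the sample input is constructed from the post with the key material replaced by placeholders.

```python
import re

# RFC 5011 states in which a key still acts as a trust anchor.
TRUSTED_STATES = {"VALID", "MISSING"}
ADD_HOLDDOWN = 30 * 86400  # assumed: the RFC 5011 30-day add hold-down

# Matches the per-key comment fields of an autotrust file (one key per line).
ANCHOR_RE = re.compile(
    r";\{id = (\d+) \(ksk\).*?;;state=\d+ \[\s*(\w+)\s*\].*?;;lastchange=(\d+)")
# RRSIG rdata: covered alg labels origttl expiration inception keytag signer
RRSIG_RE = re.compile(
    r"RRSIG\s+DNSKEY\s+\d+\s+\d+\s+\d+\s+\(?\s*\d{14}\s+\d{14}\s+(\d+)\s")

def parse_anchors(autotrust_text):
    """Map key tag -> (state, lastchange) from an autotrust anchor file."""
    return {int(t): (s, int(c)) for t, s, c in ANCHOR_RE.findall(autotrust_text)}

def parse_signers(dig_text):
    """Key tags that signed the DNSKEY RRset, from `dig +cd DNSKEY .` output."""
    return {int(t) for t in RRSIG_RE.findall(dig_text)}

def diagnose(autotrust_text, dig_text, now):
    """Report whether any DNSKEY signer is currently a usable trust anchor."""
    anchors = parse_anchors(autotrust_text)
    signers = parse_signers(dig_text)
    usable = {t for t in signers if anchors.get(t, ("", 0))[0] in TRUSTED_STATES}
    # Seconds left before each ADDPEND signer could be promoted to VALID.
    pending = {t: max(0, anchors[t][1] + ADD_HOLDDOWN - now)
               for t in signers if t in anchors and anchors[t][0] == "ADDPEND"}
    return {"signers": signers, "usable": usable,
            "pending_seconds_left": pending, "validates": bool(usable)}

# Constructed sample modelled on the post; key material replaced by placeholders.
SAMPLE_AUTOTRUST = """\
. 86400 IN DNSKEY 257 3 8 PLACEHOLDERKEYA= ;{id = 55954 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=5 ;;lastchange=1436291512 ;;Tue Jul 7 17:51:52 2015
. 85667 IN DNSKEY 257 3 8 PLACEHOLDERKEYB= ;{id = 24439 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1435757697 ;;Wed Jul 1 13:34:57 2015
"""
SAMPLE_DIG = """\
. 86345 IN RRSIG DNSKEY 8 0 86400 (
        20150809184004 20150710184004 55954 .
        PLACEHOLDERSIGNATURE== )
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_AUTOTRUST, SAMPLE_DIG, now=1436559301))
```

With the sample above, the only signer is 55954, which is still ADDPEND, so `validates` is false; this is the condition under which a validating resolver answers SERVFAIL while `+cd` queries succeed.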