[Yeti DNS Discuss] Help with DNSSEC Key

Federico Olivieri lvrfrc87 at gmail.com
Fri Jan 22 16:36:14 UTC 2016


Thank you very much! It finally works!!! Or at least it's talking with the Yeti
servers.

However, it seems pretty stuck:

root at raspberrypi:~# dig @::1 www.facebook.com -p 5300 +trace

; <<>> DiG 9.9.5-9+deb8u5-Raspbian <<>> @::1 www.facebook.com -p 5300 +trace
; (1 server found)
;; global options: +cmd
.                       86339   IN      NS      yeti-ns.switch.ch.
.                       86339   IN      NS      yeti.ipv6.ernet.in.
.                       86339   IN      NS      yeti-ns.lab.nic.cl.
.                       86339   IN      RRSIG   NS 8 0 518400
20160221044002 20160122044002 50565 .
fWMoPNKu2Ygeebhx87VJ2IepYGKUuwVPV2CrZA9A2BmFP/38Bl8vKYZ2
2MmiN34krDEX+l0NbLyBoE1CA0InaSLO1SDVG7qXRxet+ampeQBn6oVT
AfjjXjV87+aU072cP5y6GbFRfSxQww3/UwHK0x4bJ5NIHsyiQskby+0M n8w=
.                       86339   IN      NS      yeti-ns.tisf.net.
.                       86339   IN      NS      yeti-ns.ix.ru.
.                       86339   IN      NS      yeti-dns01.dnsworkshop.org.
.                       86339   IN      NS      yeti-ns.conit.co.
.                       86339   IN      NS      yeti-ns.as59715.net.
.                       86339   IN      NS      dahu2.yeti.eu.org.
.                       86339   IN      NS      dahu1.yeti.eu.org.
.                       86339   IN      NS      yeti.aquaray.com.
.                       86339   IN      NS      ns-yeti.bondis.org.
.                       86339   IN      NS      yeti.bofh.priv.at.
.                       86339   IN      NS      bii.dns-lab.net.
.                       86339   IN      NS      yeti-ns.wide.ad.jp.
;; Received 619 bytes from ::1#5300(::1) in 130 ms

root at raspberrypi:~# dig @::1 www.google.it -p 5300

; <<>> DiG 9.9.5-9+deb8u5-Raspbian <<>> @::1 www.google.it -p 5300
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30879
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.it.                 IN      A

;; Query time: 330 msec
;; SERVER: ::1#5300(::1)
;; WHEN: Fri Jan 22 16:35:57 UTC 2016
;; MSG SIZE  rcvd: 31




2016-01-22 16:26 GMT+00:00 龚道彪 <dbgong at biigroup.cn>:

> Hi Federico,
>
> I have tested the following config; it works well.
>
> $ cat /etc/powerdns/recursor.conf
> ....
> dnssec=validate
> hint-file=/etc/powerdns/yeti-hints
> lua-config-file=/etc/powerdns/yeti.lua
> query-local-address6=::
> ....
>
> $ cat /etc/powerdns/yeti.lua
> addDS(".","55954 8 2 88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA")
>
> $cat /etc/powerdns/yeti-hints
> .                       518400  IN      NS      yeti-ns.wide.ad.jp.
> .                       518400  IN      NS      yeti-ns.tisf.net.
> .                       518400  IN      NS      yeti-ns.ix.ru.
> .                       518400  IN      NS      yeti-dns01.dnsworkshop.org.
> .                       518400  IN      NS      dahu2.yeti.eu.org.
> .                       518400  IN      NS      ns-yeti.bondis.org.
> .                       518400  IN      NS      yeti.aquaray.com.
> .                       518400  IN      NS      bii.dns-lab.net.
> .                       518400  IN      NS      yeti-ns.lab.nic.cl.
> .                       518400  IN      NS      yeti.ipv6.ernet.in.
> .                       518400  IN      NS      yeti-ns.conit.co.
> .                       518400  IN      NS      yeti.bofh.priv.at.
> .                       518400  IN      NS      dahu1.yeti.eu.org.
> .                       518400  IN      NS      yeti-ns.as59715.net.
> .                       518400  IN      NS      yeti-ns.switch.ch.
>
> bii.dns-lab.net.        518400  IN      AAAA    240c:f:1:22::6
> yeti.bofh.priv.at.      172800  IN      AAAA    2a01:4f8:161:6106:1::10
> yeti.ipv6.ernet.in.     172800  IN      AAAA    2001:e30:1c1e:1::333
> yeti.aquaray.com.       172800  IN      AAAA    2a02:ec0:200::1
> dahu1.yeti.eu.org.      172800  IN      AAAA    2001:4b98:dc2:45:216:3eff:fe4b:8c5b
> dahu2.yeti.eu.org.      172800  IN      AAAA    2001:67c:217c:6::2
> ns-yeti.bondis.org.     172800  IN      AAAA    2a02:2810:0:405::250
> yeti-ns.ix.ru.          172800  IN      AAAA    2001:6d0:6d06::53
> yeti-ns.lab.nic.cl.     172800  IN      AAAA    2001:1398:1:21::8001
> yeti-ns.tisf.net.       172800  IN      AAAA    2001:559:8000::6
> yeti-ns.wide.ad.jp.     172800  IN      AAAA    2001:200:1d9::35
> yeti-ns.conit.co.       172800  IN      AAAA    2604:6600:2000:11::4854:a010
> yeti-ns.switch.ch.      172800  IN      AAAA    2001:620:0:ff::29
> yeti-ns.as59715.net.    172800  IN      AAAA    2a02:cdc5:9715:0:185:5:203:53
> yeti-dns01.dnsworkshop.org. 172800 IN   AAAA    2001:1608:10:167:32e::53
>
>  ---
> Kevin
> ------------------ Original ------------------
> *From: * "龚道彪"<dbgong at biigroup.cn>;
> *Date: * Fri, Jan 22, 2016 11:33 PM
> *To: * "Federico Olivieri"<lvrfrc87 at gmail.com>; "discuss"<
> discuss at lists.yeti-dns.org>;
> *Subject: * Re: [Yeti DNS Discuss] Help with DNSSEC Key
>
> Hi Federico,
>
> addDS() needs the DS record.
> The DS record for the Yeti root zone is '. IN DS 55954 8 2 88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA'
>
> Please try
> addDS(".","55954 8 2 88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA")
>
> ------------------ Original ------------------
> *From: * "Federico Olivieri"<lvrfrc87 at gmail.com>;
> *Date: * Fri, Jan 22, 2016 08:26 PM
> *To: * "discuss"<discuss at lists.yeti-dns.org>;
> *Subject: * [Yeti DNS Discuss] Help with DNSSEC Key
>
> Hi everyone,
>
> I'm trying to enable my recursive DNS server on Yeti DNS.
>
> In order to do that, I need to use a Lua script:
>
> clearDS()
>
> addDS(".", "IN DNSKEY 257 3 8 AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4KyxPmoSNUpq5Fv5M0iBwK1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfjTT1WsX6YZ5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJxHPzloNc2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQk770fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJLO15uZ/+RZNRfTXZKO4fVR0tMEbMAITqRmyP8xLXY4RXbS4J32gnenQbzABX8sQmwO7s=")
>
>
>
> When I start the DNS service I get this error:
>
>
>
> Jan 21 13:19:42 raspberrypi pdns_recursor[12794]: Jan 21 13:19:42 Unable
> to load Lua script from '/etc/powerdns/lua.conf': Parsing record content
> (try 'pdnsutil check-zone'): expected digits at position 0 in 'IN DNSKEY
> 257 3 8 AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbd
>
>
>
> Unfortunately, this is the first time that I use Lua scripting. I tried to google
> for it but I haven't found anything useful. Maybe it is the syntax of the
> file...
>
> Can you help me with that?
>
> Thanks
>
>
> Federico
>
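The two replies above boil down to one point: addDS() takes DS RDATA ("key tag, algorithm, digest type, hex digest"), not a DNSKEY record, which is why the recursor's parser stopped at "expected digits at position 0" when it was handed a string starting with "IN DNSKEY". The following Python script is an added example written for this thread (it is not code from PowerDNS, the Yeti project or any of the posters): it derives the DS RDATA from a DNSKEY the way RFC 4034 specifies, and pre-checks a candidate string before it is pasted into a Lua trust-anchor file. The DNSKEY constant is the one pasted in the original question; the thread does not establish that it is the key with tag 55954, so the test checks only the format of what comes out, not that it equals the DS from Kevin's reply. All function names are invented for this example.

```python
"""Derive DS RDATA from a DNSKEY and validate addDS() arguments.

Added example for this thread, not code from PowerDNS or the Yeti project.
"""
import base64
import hashlib
import re
from typing import Optional

# DNSKEY public key exactly as pasted in the original question (flags 257,
# protocol 3, algorithm 8). Assumption: it is a Yeti root KSK; which key tag it
# has is not stated in the thread, so nothing below depends on that.
YETI_KSK_B64 = (
    "AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4KyxPm"
    "oSNUpq5Fv5M0iBwK1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfjTT1WsX6Y"
    "Z5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJxHPzloNc2dQk"
    "W4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQk770fT+gGWLk/54V"
    "p0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJLO15uZ/+RZNRfTXZKO4fV"
    "R0tMEbMAITqRmyP8xLXY4RXbS4J32gnenQbzABX8sQmwO7s="
)

# "tag alg digest-type HEX", the presentation format addDS() expects.
DS_RDATA_RE = re.compile(r"^(\d{1,5})\s+(\d{1,3})\s+(\d{1,3})\s+([0-9A-Fa-f]+)$")
# DS digest type -> hash function and hex length (RFC 4509 / RFC 6605)
DIGESTS = {1: (hashlib.sha1, 40), 2: (hashlib.sha256, 64), 4: (hashlib.sha384, 96)}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels, root is b'\\x00'."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, flags: int, protocol: int, algorithm: int,
             pubkey_b64: str, digest_type: int = 2) -> str:
    """DS RDATA text for a DNSKEY: digest is over owner-name wire form + RDATA (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hfun, _ = DIGESTS[digest_type]
    digest = hfun(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def check_ds_argument(text: str) -> Optional[str]:
    """None if text is usable as the second argument of addDS(), else an error message."""
    text = text.strip()
    if not text[:1].isdigit():
        # Same complaint the recursor logged when it was given a DNSKEY string.
        return "expected digits at position 0"
    m = DS_RDATA_RE.match(text)
    if not m:
        return "malformed DS rdata, expected 'tag alg digest-type HEX'"
    tag, dtype, hexdigest = int(m[1]), int(m[3]), m[4]
    if tag > 0xFFFF:
        return "key tag out of range"
    if dtype not in DIGESTS:
        return f"unknown digest type {dtype}"
    if len(hexdigest) != DIGESTS[dtype][1]:
        return f"digest type {dtype} needs {DIGESTS[dtype][1]} hex characters"
    return None


def lua_trust_anchor(owner: str, ds_text: str) -> str:
    """Render the addDS() line for a Lua config file, refusing bad input up front."""
    err = check_ds_argument(ds_text)
    if err:
        raise ValueError(f"refusing to write addDS(): {err}")
    return f'addDS("{owner}", "{ds_text.strip()}")'


if __name__ == "__main__":
    print(lua_trust_anchor(".", ds_rdata(".", 257, 3, 8, YETI_KSK_B64)))
```

Running the script prints the addDS() line derived from the pasted DNSKEY; if that key really is the current Yeti KSK, the digest matches the DS from the reply, and if it does not, you have caught a stale or wrong key before restarting the recursor. Feeding check_ds_argument() the "IN DNSKEY 257 3 8 ..." string from the original post reproduces the "expected digits at position 0" message from the log.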