[Yeti DNS Discuss] Help with DNSSEC Key

Federico Olivieri lvrfrc87 at gmail.com
Fri Jan 22 17:03:57 UTC 2016


Guys,

Is it necessary to have IPv6 enabled or not? Because if it is not mandatory, I
have 2 other servers that are doing more traffic and I can redirect them
against the Yeti root servers!

Please let me know!

2016-01-22 17:00 GMT+00:00 龚道彪 <dbgong at biigroup.cn>:

> Great! :)
> ------------------ Original ------------------
> From: "Federico Olivieri"<lvrfrc87 at gmail.com>
> Date: Sat, Jan 23, 2016 00:57 AM
> To: "龚道彪"<dbgong at biigroup.cn>;
> Cc: "discuss"<discuss at lists.yeti-dns.org>;
> Subject: Re: [Yeti DNS Discuss] Help with DNSSEC Key
> It is fine :)
>
> root at raspberrypi:~# dig @::1 www.isc.org +dnssec -p 5300
>
> ; <<>> DiG 9.9.5-9+deb8u5-Raspbian <<>> @::1 www.isc.org +dnssec -p 5300
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4937
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.isc.org.                   IN      A
>
> ;; ANSWER SECTION:
> www.isc.org.            42      IN      RRSIG   A 5 3 60 20160219054322 20160120054322 6003 isc.org.
> 1+TamdDaIbldKxk0YYsUMo04IrIb0tlU3BpBIibWJ3L1/J2mpJGrHYC7
> lbIi1YsKcPgFpYqdtax5W+4XrqpYq6dIcg+lv6e5JdC6Sy+RYk1lIQOW
> WMMrgHurWBo8YNOiLrGG7KY3FakFcYFGPLG2dcMW0SjvLbtEoD7jBG7k mrU=
> www.isc.org.            42      IN      A       149.20.64.69
>
> ;; Query time: 11 msec
> ;; SERVER: ::1#5300(::1)
> ;; WHEN: Fri Jan 22 16:55:03 UTC 2016
> ;; MSG SIZE  rcvd: 223
>
>
> But if I dig +trace, it gets stuck at the end of the root server list. Anyway,
> it seems to be working. Do you have any way to confirm whether you see traffic
> from my server? 2a02:c7d:ca0c:d6ca:ba27:ebff:fe28:6b3e
>
> Also, I have one question. With Yeti DNS, will only IPv6 traffic go through
> your servers, or IPv4 as well?
>
> Thanks
>
> 2016-01-22 16:51 GMT+00:00 龚道彪 <dbgong at biigroup.cn>:
>
>> Please try: dig @::1 www.isc.org +dnssec
>>
>> Check the rcode, and whether the response includes the ad flag or not.
>>
>> ---
>> kevin
>> ------------------ Original ------------------
>> From: "Federico Olivieri"<lvrfrc87 at gmail.com>
>> Date: Sat, Jan 23, 2016 00:36 AM
>> To: "龚道彪"<dbgong at biigroup.cn>;
>> Cc: "discuss"<discuss at lists.yeti-dns.org>;
>> Subject: Re: [Yeti DNS Discuss] Help with DNSSEC Key
>> Thank you very much! It finally works!!! Or at least it's talking with the
>> Yeti servers.
>>
>> However, it seems pretty stuck:
>>
>> root at raspberrypi:~# dig @::1 www.facebook.com -p 5300 +trace
>>
>> ; <<>> DiG 9.9.5-9+deb8u5-Raspbian <<>> @::1 www.facebook.com -p 5300
>> +trace
>> ; (1 server found)
>> ;; global options: +cmd
>> .                       86339   IN      NS      yeti-ns.switch.ch.
>> .                       86339   IN      NS      yeti.ipv6.ernet.in.
>> .                       86339   IN      NS      yeti-ns.lab.nic.cl.
>> .                       86339   IN      RRSIG   NS 8 0 518400
>> 20160221044002 20160122044002 50565 .
>> fWMoPNKu2Ygeebhx87VJ2IepYGKUuwVPV2CrZA9A2BmFP/38Bl8vKYZ2
>> 2MmiN34krDEX+l0NbLyBoE1CA0InaSLO1SDVG7qXRxet+ampeQBn6oVT
>> AfjjXjV87+aU072cP5y6GbFRfSxQww3/UwHK0x4bJ5NIHsyiQskby+0M n8w=
>> .                       86339   IN      NS      yeti-ns.tisf.net.
>> .                       86339   IN      NS      yeti-ns.ix.ru.
>> .                       86339   IN      NS
>> yeti-dns01.dnsworkshop.org.
>> .                       86339   IN      NS      yeti-ns.conit.co.
>> .                       86339   IN      NS      yeti-ns.as59715.net.
>> .                       86339   IN      NS      dahu2.yeti.eu.org.
>> .                       86339   IN      NS      dahu1.yeti.eu.org.
>> .                       86339   IN      NS      yeti.aquaray.com.
>> .                       86339   IN      NS      ns-yeti.bondis.org.
>> .                       86339   IN      NS      yeti.bofh.priv.at.
>> .                       86339   IN      NS      bii.dns-lab.net.
>> .                       86339   IN      NS      yeti-ns.wide.ad.jp.
>> ;; Received 619 bytes from ::1#5300(::1) in 130 ms
>>
>> root at raspberrypi:~# dig @::1 www.google.it -p 5300
>>
>> ; <<>> DiG 9.9.5-9+deb8u5-Raspbian <<>> @::1 www.google.it -p 5300
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30879
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.google.it.                 IN      A
>>
>> ;; Query time: 330 msec
>> ;; SERVER: ::1#5300(::1)
>> ;; WHEN: Fri Jan 22 16:35:57 UTC 2016
>> ;; MSG SIZE  rcvd: 31
>>
>>
>>
>>
>> 2016-01-22 16:26 GMT+00:00 龚道彪 <dbgong at biigroup.cn>:
>>
>>> Hi Federico,
>>>
>>> I have tested the following config; it works well.
>>>
>>> $ cat /etc/powerdns/recursor.conf
>>> ....
>>> dnssec=validate
>>> hint-file=/etc/powerdns/yeti-hints
>>> lua-config-file=/etc/powerdns/yeti.lua
>>> query-local-address6=::
>>> ....
>>>
>>> $ cat /etc/powerdns/yeti.lua
>>> addDS(".","55954 8 2 88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA")
>>>
>>> $ cat /etc/powerdns/yeti-hints
>>> .                       518400  IN      NS      yeti-ns.wide.ad.jp.
>>> .                       518400  IN      NS      yeti-ns.tisf.net.
>>> .                       518400  IN      NS      yeti-ns.ix.ru.
>>> .                       518400  IN      NS      yeti-dns01.dnsworkshop.org.
>>> .                       518400  IN      NS      dahu2.yeti.eu.org.
>>> .                       518400  IN      NS      ns-yeti.bondis.org.
>>> .                       518400  IN      NS      yeti.aquaray.com.
>>> .                       518400  IN      NS      bii.dns-lab.net.
>>> .                       518400  IN      NS      yeti-ns.lab.nic.cl.
>>> .                       518400  IN      NS      yeti.ipv6.ernet.in.
>>> .                       518400  IN      NS      yeti-ns.conit.co.
>>> .                       518400  IN      NS      yeti.bofh.priv.at.
>>> .                       518400  IN      NS      dahu1.yeti.eu.org.
>>> .                       518400  IN      NS      yeti-ns.as59715.net.
>>> .                       518400  IN      NS      yeti-ns.switch.ch.
>>>
>>> bii.dns-lab.net.        518400  IN      AAAA    240c:f:1:22::6
>>> yeti.bofh.priv.at.      172800  IN      AAAA    2a01:4f8:161:6106:1::10
>>> yeti.ipv6.ernet.in.     172800  IN      AAAA    2001:e30:1c1e:1::333
>>> yeti.aquaray.com.       172800  IN      AAAA    2a02:ec0:200::1
>>> dahu1.yeti.eu.org.      172800  IN      AAAA    2001:4b98:dc2:45:216:3eff:fe4b:8c5b
>>> dahu2.yeti.eu.org.      172800  IN      AAAA    2001:67c:217c:6::2
>>> ns-yeti.bondis.org.     172800  IN      AAAA    2a02:2810:0:405::250
>>> yeti-ns.ix.ru.          172800  IN      AAAA    2001:6d0:6d06::53
>>> yeti-ns.lab.nic.cl.     172800  IN      AAAA    2001:1398:1:21::8001
>>> yeti-ns.tisf.net.       172800  IN      AAAA    2001:559:8000::6
>>> yeti-ns.wide.ad.jp.     172800  IN      AAAA    2001:200:1d9::35
>>> yeti-ns.conit.co.       172800  IN      AAAA    2604:6600:2000:11::4854:a010
>>> yeti-ns.switch.ch.      172800  IN      AAAA    2001:620:0:ff::29
>>> yeti-ns.as59715.net.    172800  IN      AAAA    2a02:cdc5:9715:0:185:5:203:53
>>> yeti-dns01.dnsworkshop.org. 172800 IN   AAAA    2001:1608:10:167:32e::53
>>>
>>> ---
>>> Kevin
>>> ------------------ Original ------------------
>>> From: "龚道彪"<dbgong at biigroup.cn>;
>>> Date: Fri, Jan 22, 2016 11:33 PM
>>> To: "Federico Olivieri"<lvrfrc87 at gmail.com>; "discuss"<discuss at lists.yeti-dns.org>;
>>> Subject: Re: [Yeti DNS Discuss] Help with DNSSEC Key
>>>
>>> Hi Federico,
>>>
>>> addDS() needs the DS record.
>>> The DS record for the Yeti root zone is '. IN DS 55954 8 2
>>> 88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA'
>>>
>>> Please try:
>>> addDS(".","55954 8 2 88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA")
>>>
>>> ------------------ Original ------------------
>>> From: "Federico Olivieri"<lvrfrc87 at gmail.com>;
>>> Date: Fri, Jan 22, 2016 08:26 PM
>>> To: "discuss"<discuss at lists.yeti-dns.org>;
>>> Subject: [Yeti DNS Discuss] Help with DNSSEC Key
>>>
>>> Hi everyone,
>>>
>>> I'm trying to enable my recursive DNS server on Yeti DNS.
>>>
>>> In order to do that, I need to use a Lua script:
>>>
>>> clearDS()
>>> addDS(".", "IN DNSKEY 257 3 8 AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4KyxPmoSNUpq5Fv5M0iBwK1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfjTT1WsX6YZ5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJxHPzloNc2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQk770fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJLO15uZ/+RZNRfTXZKO4fVR0tMEbMAITqRmyP8xLXY4RXbS4J32gnenQbzABX8sQmwO7s=")
>>>
>>>
>>>
>>> When I start the DNS service I get this error
>>>
>>>
>>>
>>> Jan 21 13:19:42 raspberrypi pdns_recursor[12794]: Jan 21 13:19:42 Unable
>>> to load Lua script from '/etc/powerdns/lua.conf': Parsing record content
>>> (try 'pdnsutil check-zone'): expected digits at position 0 in 'IN DNSKEY
>>> 257 3 8 AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbd
>>>
>>>
>>>
>>> Unfortunately, this is the first time I have used Lua scripting. I tried to
>>> google for it but I haven't found anything useful. Maybe it is the syntax
>>> of the file...
>>>
>>> Can you help me with that?
>>>
>>> Thanks
>>>
>>>
>>> Federico
>>>
>>
>>
>
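The fix in this thread is that addDS() takes a DS record, not a DNSKEY. The following script is an added example (not from the thread and not PowerDNS code): it derives the DS for the root from the DNSKEY pasted in the first message (key tag per RFC 4034 Appendix B, digest type 2 = SHA-256 over owner name plus RDATA) so it can be compared with the DS Kevin supplied, and it approximates the "expected digits at position 0" check that rejected the DNSKEY string; the regex in addds_content_ok is an assumption about pdns_recursor's parser, not its actual code.

```python
import base64
import hashlib
import re
# Yeti root KSK exactly as pasted in the first message of this thread
# (flags 257 = KSK, protocol 3, algorithm 8 = RSASHA256).
YETI_KSK_FLAGS, YETI_KSK_PROTO, YETI_KSK_ALG = 257, 3, 8
YETI_KSK_B64 = (
    "AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4KyxPmoSNUpq5Fv5M0iBwK"
    "1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfjTT1WsX6YZ5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+"
    "z8hY49Sn3baeo9iJxHPzloNc2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQk770"
    "fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJLO15uZ/+RZNRfTXZKO4fVR0tM"
    "EbMAITqRmyP8xLXY4RXbS4J32gnenQbzABX8sQmwO7s="
)
# DS record Kevin gave later in the thread, kept for comparison.
THREAD_DS = "55954 8 2 88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA"

def owner_wire(name):
    """Wire-format owner name; the root '.' is a single zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def dnskey_rdata(flags, proto, alg, key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, proto, alg, key_b64):
    """DS presentation text with digest type 2: SHA-256(owner wire || RDATA)."""
    rdata = dnskey_rdata(flags, proto, alg, key_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} 2 {digest}"

def addds_content_ok(content):
    """Assumed approximation of what addDS() parses: DS RDATA must start with
    digits (key tag), which is why 'IN DNSKEY ...' failed at position 0."""
    return re.fullmatch(r"\d+ \d+ \d+ [0-9A-Fa-f]+", content.strip()) is not None

if __name__ == "__main__":
    ds = ds_from_dnskey(".", YETI_KSK_FLAGS, YETI_KSK_PROTO, YETI_KSK_ALG, YETI_KSK_B64)
    print("computed from DNSKEY:", ds)
    print("DS from the thread  :", THREAD_DS)
    print("same KSK:", ds == THREAD_DS, "| addDS() would accept:", addds_content_ok(ds))
```

If the computed line equals the DS from the thread, the pasted DNSKEY is the KSK that DS covers; a mismatch means either the KSK had been rolled or the base64 was altered in transit, and the DS should then be taken from the Yeti project directly rather than from a mailing-list paste.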