[Yeti DNS Discuss] Help with DNSSEC Key

Shane Kerr shane at biigroup.cn
Fri Jan 22 17:46:12 UTC 2016


Federico,

Thanks for setting up another resolver! It's great. It's our first
PowerDNS Recursor, which is why it wasn't documented anywhere on our
web site. :) 

If you'd like to share the steps you took to set it up we can include
it in our documentation (although I have been told that while PowerDNS
Recursor does support DNSSEC validation there may be issues).

It is necessary to have IPv6 enabled to use Yeti. Maybe this could
encourage you to get IPv6 on those servers too? ;)

Cheers,

--
Shane 

On 2016-01-22 17:03:57+0000 (Friday)
Federico Olivieri <lvrfrc87 at gmail.com> wrote:

> Guys,
> 
> Is it necessary to have IPv6 enabled or not? Because if it is not mandatory I
> have 2 other servers that are doing more traffic and I can redirect them
> to the Yeti root servers!
> 
> Please let me know!
> 
> 2016-01-22 17:00 GMT+00:00 龚道彪 <dbgong at biigroup.cn>:
> 
> > Great! :)
> > ------------------ Original ------------------
> > *From:* "Federico Olivieri"<lvrfrc87 at gmail.com>
> > *Date:* Sat, Jan 23, 2016 00:57 AM
> > *To:* "龚道彪"<dbgong at biigroup.cn>;
> > *Cc:* "discuss"<discuss at lists.yeti-dns.org>;
> > *Subject:* Re: [Yeti DNS Discuss] Help with DNSSEC Key
> > It is fine :)
> >
> > root at raspberrypi:~# dig @::1 www.isc.org +dnssec -p 5300
> >
> > ; <<>> DiG 9.9.5-9+deb8u5-Raspbian <<>> @::1 www.isc.org +dnssec -p 5300
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4937
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.isc.org.                   IN      A
> >
> > ;; ANSWER SECTION:
> > www.isc.org.            42      IN      RRSIG   A 5 3 60 20160219054322 20160120054322 6003 isc.org.
> > 1+TamdDaIbldKxk0YYsUMo04IrIb0tlU3BpBIibWJ3L1/J2mpJGrHYC7
> > lbIi1YsKcPgFpYqdtax5W+4XrqpYq6dIcg+lv6e5JdC6Sy+RYk1lIQOW
> > WMMrgHurWBo8YNOiLrGG7KY3FakFcYFGPLG2dcMW0SjvLbtEoD7jBG7k mrU=
> > www.isc.org.            42      IN      A       149.20.64.69
> >
> > ;; Query time: 11 msec
> > ;; SERVER: ::1#5300(::1)
> > ;; WHEN: Fri Jan 22 16:55:03 UTC 2016
> > ;; MSG SIZE  rcvd: 223
> >
> >
> > But if I dig +trace it gets stuck at the end of the root server list. Anyway,
> > it seems to be working. Do you have any way to confirm if you see traffic from my
> > server? 2a02:c7d:ca0c:d6ca:ba27:ebff:fe28:6b3e
> >
> > Also, I have one question. With DNS Yeti, will only IPv6 traffic go through
> > your servers, or IPv4 as well?
> >
> > Thanks
> >
> > 2016-01-22 16:51 GMT+00:00 龚道彪 <dbgong at biigroup.cn>:
> >
> >> please try dig @::1 www.isc.org +dnssec
> >>
> >> check the rcode, and whether the response includes the ad flag or not
> >>
> >> ---
> >> kevin
> >> ------------------ Original ------------------
> >> *From:* "Federico Olivieri"<lvrfrc87 at gmail.com>
> >> *Date:* Sat, Jan 23, 2016 00:36 AM
> >> *To:* "龚道彪"<dbgong at biigroup.cn>;
> >> *Cc:* "discuss"<discuss at lists.yeti-dns.org>;
> >> *Subject:* Re: [Yeti DNS Discuss] Help with DNSSEC Key
> >> Thank you very much! It works finally!!! Or at least it's talking with
> >> yeti servers.
> >>
> >> However, it seems pretty stuck
> >>
> >> root at raspberrypi:~# dig @::1 www.facebook.com -p 5300 +trace
> >>
> >> ; <<>> DiG 9.9.5-9+deb8u5-Raspbian <<>> @::1 www.facebook.com -p 5300
> >> +trace
> >> ; (1 server found)
> >> ;; global options: +cmd
> >> .                       86339   IN      NS      yeti-ns.switch.ch.
> >> .                       86339   IN      NS      yeti.ipv6.ernet.in.
> >> .                       86339   IN      NS      yeti-ns.lab.nic.cl.
> >> .                       86339   IN      RRSIG   NS 8 0 518400
> >> 20160221044002 20160122044002 50565 .
> >> fWMoPNKu2Ygeebhx87VJ2IepYGKUuwVPV2CrZA9A2BmFP/38Bl8vKYZ2
> >> 2MmiN34krDEX+l0NbLyBoE1CA0InaSLO1SDVG7qXRxet+ampeQBn6oVT
> >> AfjjXjV87+aU072cP5y6GbFRfSxQww3/UwHK0x4bJ5NIHsyiQskby+0M n8w=
> >> .                       86339   IN      NS      yeti-ns.tisf.net.
> >> .                       86339   IN      NS      yeti-ns.ix.ru.
> >> .                       86339   IN      NS
> >> yeti-dns01.dnsworkshop.org.
> >> .                       86339   IN      NS      yeti-ns.conit.co.
> >> .                       86339   IN      NS      yeti-ns.as59715.net.
> >> .                       86339   IN      NS      dahu2.yeti.eu.org.
> >> .                       86339   IN      NS      dahu1.yeti.eu.org.
> >> .                       86339   IN      NS      yeti.aquaray.com.
> >> .                       86339   IN      NS      ns-yeti.bondis.org.
> >> .                       86339   IN      NS      yeti.bofh.priv.at.
> >> .                       86339   IN      NS      bii.dns-lab.net.
> >> .                       86339   IN      NS      yeti-ns.wide.ad.jp.
> >> ;; Received 619 bytes from ::1#5300(::1) in 130 ms
> >>
> >> root at raspberrypi:~# dig @::1 www.google.it -p 5300
> >>
> >> ; <<>> DiG 9.9.5-9+deb8u5-Raspbian <<>> @::1 www.google.it -p 5300
> >> ; (1 server found)
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30879
> >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >>
> >> ;; QUESTION SECTION:
> >> ;www.google.it.                 IN      A
> >>
> >> ;; Query time: 330 msec
> >> ;; SERVER: ::1#5300(::1)
> >> ;; WHEN: Fri Jan 22 16:35:57 UTC 2016
> >> ;; MSG SIZE  rcvd: 31
> >>
> >>
> >>
> >>
> >> 2016-01-22 16:26 GMT+00:00 龚道彪 <dbgong at biigroup.cn>:
> >>
> >>> Hi Federico,
> >>>
> >>> I have tested the following config; it works well.
> >>>
> >>> $ cat /etc/powerdns/recursor.conf
> >>> ....
> >>> dnssec=validate
> >>> hint-file=/etc/powerdns/yeti-hints
> >>> lua-config-file=/etc/powerdns/yeti.lua
> >>> query-local-address6=::
> >>> ....
> >>>
> >>> $ cat /etc/powerdns/yeti.lua
> >>> addDS(".","55954 8 2
> >>> 88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA")
> >>>
> >>> $cat /etc/powerdns/yeti-hints
> >>> .                       518400  IN      NS      yeti-ns.wide.ad.jp.
> >>> .                       518400  IN      NS      yeti-ns.tisf.net.
> >>> .                       518400  IN      NS      yeti-ns.ix.ru.
> >>> .                       518400  IN      NS
> >>> yeti-dns01.dnsworkshop.org.
> >>> .                       518400  IN      NS      dahu2.yeti.eu.org.
> >>> .                       518400  IN      NS      ns-yeti.bondis.org.
> >>> .                       518400  IN      NS      yeti.aquaray.com.
> >>> .                       518400  IN      NS      bii.dns-lab.net.
> >>> .                       518400  IN      NS      yeti-ns.lab.nic.cl.
> >>> .                       518400  IN      NS      yeti.ipv6.ernet.in.
> >>> .                       518400  IN      NS      yeti-ns.conit.co.
> >>> .                       518400  IN      NS      yeti.bofh.priv.at.
> >>> .                       518400  IN      NS      dahu1.yeti.eu.org.
> >>> .                       518400  IN      NS      yeti-ns.as59715.net.
> >>> .                       518400  IN      NS      yeti-ns.switch.ch.
> >>>
> >>> bii.dns-lab.net.        518400  IN      AAAA    240c:f:1:22::6
> >>> yeti.bofh.priv.at.      172800  IN      AAAA    2a01:4f8:161:6106:1::10
> >>> yeti.ipv6.ernet.in.     172800  IN      AAAA    2001:e30:1c1e:1::333
> >>> yeti.aquaray.com.       172800  IN      AAAA    2a02:ec0:200::1
> >>> dahu1.yeti.eu.org.      172800  IN      AAAA
> >>>  2001:4b98:dc2:45:216:3eff:fe4b:8c5b
> >>> dahu2.yeti.eu.org.      172800  IN      AAAA    2001:67c:217c:6::2
> >>> ns-yeti.bondis.org.     172800  IN      AAAA    2a02:2810:0:405::250
> >>> yeti-ns.ix.ru.          172800  IN      AAAA    2001:6d0:6d06::53
> >>> yeti-ns.lab.nic.cl.     172800  IN      AAAA    2001:1398:1:21::8001
> >>> yeti-ns.tisf.net.       172800  IN      AAAA    2001:559:8000::6
> >>> yeti-ns.wide.ad.jp.     172800  IN      AAAA    2001:200:1d9::35
> >>> yeti-ns.conit.co.       172800  IN      AAAA
> >>>  2604:6600:2000:11::4854:a010
> >>> yeti-ns.switch.ch.      172800  IN      AAAA    2001:620:0:ff::29
> >>> yeti-ns.as59715.net.    172800  IN      AAAA
> >>>  2a02:cdc5:9715:0:185:5:203:53
> >>> yeti-dns01.dnsworkshop.org. 172800 IN   AAAA    2001:1608:10:167:32e::53
> >>>
> >>>  ---
> >>> Kevin
> >>> ------------------ Original ------------------
> >>> *From: * "龚道彪"<dbgong at biigroup.cn>;
> >>> *Date: * Fri, Jan 22, 2016 11:33 PM
> >>> *To: * "Federico Olivieri"<lvrfrc87 at gmail.com>; "discuss"<
> >>> discuss at lists.yeti-dns.org>;
> >>> *Subject: * Re: [Yeti DNS Discuss] Help with DNSSEC Key
> >>>
> >>> Hi Federico,
> >>>
> >>> addDS() needs the DS record.
> >>> The DS record for the Yeti root zone is '. IN DS 55954 8 2
> >>> 88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA'
> >>>
> >>> Please try
> >>>  addDS(".","55954 8 2
> >>> 88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA")
> >>>
> >>> ------------------ Original ------------------
> >>> *From: * "Federico Olivieri"<lvrfrc87 at gmail.com>;
> >>> *Date: * Fri, Jan 22, 2016 08:26 PM
> >>> *To: * "discuss"<discuss at lists.yeti-dns.org>;
> >>> *Subject: * [Yeti DNS Discuss] Help with DNSSEC Key
> >>>
> >>> Hi everyone,
> >>>
> >>> I'm trying to enable my recursive DNS server on DNS Yeti.
> >>>
> >>> In order to do that, I need to use a LUA script:
> >>>
> >>> clearDS()
> >>>
> >>>         addDS(".", "IN DNSKEY 257 3 8
> >>> AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4KyxPmoSNUpq5Fv5M0iBwK1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfjTT1WsX6YZ5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJxHPzloNc2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQk770fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJLO15uZ/+RZNRfTXZKO4fVR0tMEbMAITqRmyP8xLXY4RXbS4J32gnenQbzABX8sQmwO7s=")
> >>>
> >>>
> >>>
> >>> When I start the DNS service I get this error
> >>>
> >>>
> >>>
> >>> Jan 21 13:19:42 raspberrypi pdns_recursor[12794]: Jan 21 13:19:42 Unable
> >>> to load Lua script from '/etc/powerdns/lua.conf': Parsing record content
> >>> (try 'pdnsutil check-zone'): expected digits at position 0 in 'IN DNSKEY
> >>> 257 3 8 AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbd
> >>>
> >>>
> >>>
> >>> Unfortunately this is the first time that I use LUA scripting. I tried to
> >>> google for it but I haven't found anything useful. Maybe it is the syntax
> >>> of the file...
> >>>
> >>> Can you help me with that?
> >>>
> >>> Thanks
> >>>
> >>>
> >>> Federico
> >>>
> >>
> >>
> >
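The two checks this thread turns on are (1) Kevin's advice to run `dig @::1 www.isc.org +dnssec` and look at the rcode and the `ad` flag, and (2) the fact that PowerDNS Recursor's `addDS()` expects DS rdata ("keytag algorithm digesttype digest"), not the DNSKEY with a class and type prefix that produced the "expected digits at position 0" error. The script below is an added example written for this editorial pass; it is not part of the thread and not PowerDNS code. The sample dig outputs are constructed from the header lines of the two responses quoted above, the DS value is the one Kevin posted, and the digest-length table and 16-bit key tag limit come from RFC 4034/4509/6605 rather than from anything in the thread.

```python
"""Read DNSSEC validation state from dig output and sanity-check a DS anchor."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample dig output, trimmed to the header lines of the two
# responses quoted in the thread (validated www.isc.org, SERVFAIL google.it).
DIG_OK = """\
; <<>> DiG 9.9.5-9+deb8u5-Raspbian <<>> @::1 www.isc.org +dnssec -p 5300
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4937
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

DIG_SERVFAIL = """\
; <<>> DiG 9.9.5-9+deb8u5-Raspbian <<>> @::1 www.google.it -p 5300
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30879
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

# The Yeti root DS rdata exactly as posted in the thread.
YETI_DS = ("55954 8 2 "
           "88FF12F948BFBE666AC91B1256BB5B77B51150991A5E50F80A9FAB73945BA2AA")


@dataclass(frozen=True)
class DigResult:
    status: str          # rcode as dig prints it, e.g. NOERROR or SERVFAIL
    flags: frozenset     # header flags: qr, rd, ra, ad, ...
    do_bit: bool         # whether the EDNS DO bit was set on the answer


def parse_dig(text: str) -> DigResult:
    """Pull rcode, header flags and the EDNS DO bit out of dig's text output."""
    status = re.search(r"status: ([A-Z]+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    edns = re.search(r"^; EDNS: version: \d+, flags: ([a-z ]*);", text, re.M)
    if not status or not flags:
        raise ValueError("no dig answer header found")
    do_bit = bool(edns) and "do" in edns.group(1).split()
    return DigResult(status.group(1), frozenset(flags.group(1).split()), do_bit)


def classify(result: DigResult) -> str:
    """Map a dig result onto what it says about the resolver's DNSSEC state."""
    if result.status == "NOERROR" and "ad" in result.flags:
        return "validated"     # resolver built a chain from its trust anchor
    if result.status == "NOERROR":
        return "unvalidated"   # answer but no AD: validation off or zone unsigned
    if result.status == "SERVFAIL":
        return "failed"        # what a wrong or missing trust anchor looks like
    return "other"


# DS digest types and their hex digest lengths (RFC 4034 SHA-1,
# RFC 4509 SHA-256, RFC 6605 SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
DS_RE = re.compile(r"^(\d{1,5})\s+(\d{1,3})\s+(\d{1,3})\s+([0-9A-Fa-f\s]+)$")


def parse_ds(rdata: str) -> Tuple[int, int, int, str]:
    """Validate DS presentation rdata: 'keytag algorithm digesttype hexdigest'.

    This is the shape addDS(".", "...") takes. The thread's first attempt
    passed 'IN DNSKEY 257 3 8 ...', which fails at 'position 0' because the
    parser expects the key tag digits there.
    """
    cleaned = rdata.strip()
    if cleaned.upper().startswith(("IN ", "DS ", "DNSKEY")):
        raise ValueError("addDS() takes bare DS rdata: no class, no type, "
                         "and not a DNSKEY record")
    match = DS_RE.match(cleaned)
    if not match:
        raise ValueError("expected 'keytag algorithm digesttype digest'")
    keytag, alg, dtype = int(match[1]), int(match[2]), int(match[3])
    digest = re.sub(r"\s+", "", match[4]).upper()
    if keytag > 65535:
        raise ValueError(f"key tag {keytag} is not a 16-bit value")
    expected = DIGEST_HEX_LEN.get(dtype)
    if expected is None:
        raise ValueError(f"unknown DS digest type {dtype}")
    if len(digest) != expected:
        raise ValueError(f"digest type {dtype} needs {expected} hex chars, "
                         f"got {len(digest)}")
    return keytag, alg, dtype, digest


def ds_problem(rdata: str) -> Optional[str]:
    """Return the validation error for a DS string, or None if it is usable."""
    try:
        parse_ds(rdata)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    for name, sample in (("www.isc.org", DIG_OK), ("www.google.it", DIG_SERVFAIL)):
        print(name, classify(parse_dig(sample)))
    print("Yeti DS:", ds_problem(YETI_DS) or parse_ds(YETI_DS))
    print("DNSKEY as DS:", ds_problem("IN DNSKEY 257 3 8 AwEAAaP3gGQ4db0t"))
```

Run it against real output by piping `dig ... +dnssec` into `parse_dig`; a "validated" result is the only one that proves the trust anchor in `yeti.lua` is being used, since "unvalidated" also appears when `dnssec=validate` is not set at all. The `ds_problem` check is the thing to run on a trust-anchor string before restarting the recursor, so a malformed anchor is caught before it takes the resolver down with a SERVFAIL for everything.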




