Displaying 20 results from an estimated 22 matches for "rrsig".
2015 Feb 04
2
DC01 log entries
...ld be secure
Feb 4 06:58:16 dc01 named[2096]: error (insecurity proof failed)
resolving './NS/IN': 208.67.220.220#53
Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got
insecure response; parent indicates it should be secure
Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving
'microsoft.com/DS/IN': 208.67.222.222#53
Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got
insecure response; parent indicates it should be secure
Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving
'microsoft.com/DS/IN': 208.67.220.220#5...
2015 Feb 06
0
DC01 log entries
...4 06:58:16 dc01 named[2096]: error (insecurity proof failed)
>resolving './NS/IN': 208.67.220.220#53
>Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got
>insecure response; parent indicates it should be secure
>Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving
>'microsoft.com/DS/IN': 208.67.222.222#53
>Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got
>insecure response; parent indicates it should be secure
>Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving
>'microsoft.com/DS/IN...
2015 Feb 06
1
DC01 log entries
...ld be secure Feb 4 06:58:16 dc01 named[2096]: error (insecurity proof failed) resolving './NS/IN': 208.67.220.220#53 Feb 4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got insecure response; parent indicates it should be secure Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving 'microsoft.com/DS/IN': 208.67.222.222
#53 Feb
4 07:04:51 dc01 named[2096]: validating @0xb982c740: com SOA: got insecure response; parent indicates it should be secure Feb 4 07:04:51 dc01 named[2096]: error (no valid RRSIG) resolving 'microsoft.com/DS/IN': 208.67.220.220...
2019 Feb 13
3
DNSSEC Questions
...t; Key and must be resigning before the signature expires or they will no
> longer validate.
>
> Likewise, the other records in the zone must be resigned by your Zone
> Signing Key before their signatures expire.
> <snip>
> It's not the keys that are the issue, but the RRSIG record that
> contains a start and expiration time for the records.
>
> If you upload signed zone files to godaddy, make sure to resign once a
> week or so so that the RRSIG gets updated.
>
> man ldns-signzone
Okay so I misunderstood the message I was getting when I checked my...
2007 May 21
1
[PATCH] Add support for ldns
...struct rrsetinfo **res)
+{
+ int result; unsigned int i; unsigned int j;
+ struct rrsetinfo *rrset = NULL;
+
+ unsigned int index_ans; unsigned int index_sig;
+ struct rdatainfo *rdata;
+
+ ldns_resolver * ldns_res;
+ ldns_rdf * domain = NULL; ldns_pkt * pkt;
+ ldns_rr_list * rrsigs = NULL;
+ ldns_rr_list * rrdata = NULL;
+ ldns_status err;
+ ldns_rr * rr;
+
+ /* check for invalid class and type */
+ if (rdclass > 0xffff || rdtype > 0xffff) {
+ result = ERRSET_INVAL;
+ goto fail;
+ }
+
+ /* don't allow queries of class or type ANY */
+ if (rdclass...
2019 Feb 13
2
DNSSEC Questions
Last weekend I had my DNSSEC keys expire. I discovered that they had
expired the hard way... namely randomly websites could not be found and
email did not get delivered. It seems that the keys were only valid for
what I estimate was about 30 days. It is a real PITA to have update the
keys, restart named and then update Godaddy with new digests.
The first part of the problem is fairly
2019 Feb 13
0
DNSSEC Questions
...ning before the signature expires or they will no
>> longer validate.
>>
>> Likewise, the other records in the zone must be resigned by your Zone
>> Signing Key before their signatures expire.
>> <snip>
>> It's not the keys that are the issue, but the RRSIG record that
>> contains a start and expiration time for the records.
>>
>> If you upload signed zone files to godaddy, make sure to resign once a
>> week or so so that the RRSIG gets updated.
>>
>> man ldns-signzone
>
> Okay so I misunderstood the messag...
2018 Apr 30
0
Named log question
Is this mis-configuration, or just noise in my log?
??? 29-Apr-2018 00:50:26.056 general: warning: managed-keys-zone: No
DNSKEY RRSIGs found for '.': success: 1 Time(s)
??? 29-Apr-2018 00:50:26.120 general: warning: managed-keys-zone: No
DNSKEY RRSIGs found for 'dlv.isc.org': success: 1 Time(s)
-chuck
--
ACCEL Services, Inc.| Specialists in Gravity, Magnetics | (713)993-0671 ph.
| and...
2019 Feb 13
0
DNSSEC Questions
...I at least have the keys
> last longer than they do by default. I am presently creating the keys via:
>
> > dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE zone
>
> > dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE zone
It's not the keys that are the issue, but the RRSIG record that contains
a start and expiration time for the records.
If you upload signed zone files to godaddy, make sure to resign once a
week or so so that the RRSIG gets updated.
man ldns-signzone
It has switches for setting the start and expiration date of signatures.
By default I believe i...
2012 Jun 29
2
[Bug 2022] ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME
https://bugzilla.mindrot.org/show_bug.cgi?id=2022
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Patch applied, thanks.
I still don't understand how it gets into this state since the space
should be allocated immediately beforehand:
if (rrset->rri_nsigs > 0) {
rrset->rri_sigs = calloc(rrset->rri_nsigs,
2013 Jul 10
0
Fwd: Re: nsd can't bind udp socket: Address already in use
...open autotrust file for writing, /usr/local/etc/unbound/root.key.705-0: Permission denied'
> When i run 'unbound-anchor -a /root.key' i get no complaining
> When i run ' +dnssec @127.0.0.1 ukuug.jpmens.org txt' i get the 'ad' flag. DNSSEC is validating with correct RRSIG.
> I know Rick answered me once already on this: But the fact that i validate DNSSEC with known good RRSIG would that mean its safe to ignore ? I think I did not quite get the meaning of the answer from Rick. My apologies for that :)
> I am also getting this message quite often
> '10/0...
2015 Jun 22
2
Small issue with DNSSEC / SSHFP
...ug.cgi?id=2119
However, in the mailing list archive I found:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2012-May/030443.html
(Just adding an 'anchor' line to /etc/resolv.conf solves that issue)
Finally, there is the issue that ldns relies on a DNSSEC aware resolver to
supply the RRSIG records. Note that the resolver doesn't have to be trusted,
it just has to pass the RRSIG records.
However, many CPEs are not DNSSEC aware, so that breaks the validation.
commit da3654f67293daffc913b87eb05eac098e462838
Author: Philip Homburg <philip at f-src.phicoh.com>
Date: Mon Jun...
2020 Mar 25
2
CentOS 6.10 bind DNSSEC issues
....com.dlv.isc.org/DLV)
25-Mar-2020 16:26:11.021 dnssec: info: validating @0xb1ec0030:
uk.yahoo.com AAAA: bad cache hit (uk.yahoo.com.dlv.isc.org/DLV)
Followed by;
25-Mar-2020 16:26:25.828 dnssec: info:?? validating @0xb48fdcd0:
dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263):
RRSIG has expired
25-Mar-2020 16:26:25.828 dnssec: info:?? validating @0xb48fdcd0:
dlv.isc.org NSEC: no valid signature found
25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48:
dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297):
RRSIG has expired
25-Mar-2020 16:29:05.075...
2020 Mar 25
0
CentOS 6.10 bind DNSSEC issues
...1.021 dnssec: info: validating @0xb1ec0030:
> uk.yahoo.com AAAA: bad cache hit (uk.yahoo.com.dlv.isc.org/DLV)
>
> Followed by;
>
> 25-Mar-2020 16:26:25.828 dnssec: info:???????? validating @0xb48fdcd0:
> dlv.isc.org NSEC: verify failed due to bad signature (keyid=64263):
> RRSIG has expired
> 25-Mar-2020 16:26:25.828 dnssec: info:???????? validating @0xb48fdcd0:
> dlv.isc.org NSEC: no valid signature found
>
> 25-Mar-2020 16:29:05.075 dnssec: info: validating @0xb473dc48:
> dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297):
> RRSIG...
2007 May 22
3
[Bug 1317] New: ssh uses obsolete SIG RRtype
...ent (id=1296)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1296)
Patch against CVS
ssh uses an obsolete RRtype to check for signatures on SSHFP records :
SIG (RRtype 24) is obsolete for RR signature records since RFC 3755
(see ?3 there). The minimal patch below fixes the problem by using
RRSIG (RRtype 46) instead.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
2012 Jun 26
2
[Bug 2022] New: ssh segfaults when using ldns, SSHFP, a DNSSEC-enabled resolver and a CNAME
...You have SSHFP keys
- You attempt to connect through a CNAME (instead of the host name, see
attachment)
I have tracked the problem down to the file
openbsd-compat/getrrsetbyname-ldns.c
In function getrrsetbyname, when the DNS resolver sets the ad flags,
ssh doesn't allocate memory to contain RRSIG signatures. However it
still attempts to copy those signatures from the DNS answer. If
rrset->rri_sigs is null, rdata = &rrset->rri_sigs[0] is still null and
the signature is ignored later in the code. Luckily, most of the time,
you only have one signature and there is no problem. If you...
2019 Dec 27
0
bind problems
...al 2016121200)
27-Dec-2019 23:20:21.227 notify: info: zone ixsdns.de/IN: sending
notifies (serial 2018010102)
*27-Dec-2019 23:20:28.434 dnssec: info: validating ./NS: got insecure
response; parent indicates it should be secure*
27-Dec-2019 23:20:28.444 general: warning: managed-keys-zone: No DNSKEY
RRSIGs found for '.': success
27-Dec-2019 23:20:29.219 dnssec: info: validating ./NS: no valid
signature found
27-Dec-2019 23:20:29.714 dnssec: info:?? validating ./SOA: got insecure
response; parent indicates it should be secure
27-Dec-2019 23:20:29.957 dnssec: info: validating ./NS: no valid
si...
2013 Jul 10
4
nsd can't bind udp socket: Address already in use
Greetings,
Unbound 1.4.20
OS X 10.8.4 - Server
NSD 3.2.15
I have installed 'unbound' and it works nicely on my client (test
purpose) - Client is MacBook Air.
I have installed NSD (will be in replacement of BIND) on said client.
All is good but when i try to start NSD
Error --> nsd can't bind udp socket: address already in use.
Everything is configured to bind to 127.0.0.1.
#
2013 Jan 28
1
Featurerequest for nsd4
Hello Wouter,
We used tinydns for many years. After migration to nsd3 we miss only one feature present in tinydns only:
tinydns may switch addresses by decreasing the ttl for old data and serve new data
starting from a fixed timestamp.
http://cr.yp.to/djbdns/tinydns-data.html:
You may include a timestamp on each line. If ttl is nonzero (or omitted),
the timestamp is a starting time for the
2008 Mar 31
0
Announce: OpenSSH 4.9 released
...PLEMENTED packets did not correctly reset the client
keepalive logic, causing disconnections on servers that did not
explicitly implement "keepalive at openssh.com". (bz#1307)
- ssh(1) used the obsolete SIG DNS RRtype for host keys in DNS,
instead of the current standard RRSIG. (bz#1317)
- Extract magic buffer size constants in scp(1) to #defines.
(bz#1333)
- Correctly drain ACKs when a sftp(1) upload write fails midway,
avoids a fatal() exit from what should be a recoverable condition.
(bz#1354)
- Avoid pointer arithmetic and strict aliasing warn...