public inbox for overseers@sourceware.org
* dnssec for sourceware
From: Frank Ch. Eigler @ 2014-07-12 11:02 UTC (permalink / raw)
  To: iant; +Cc: Sourceware Overseers

Hi -

I believe sourceware.org is set up (with a third-party bind 9.9)
with dnssec data locally.  The registrar needs to add just these
two records to their zone:

sourceware.org. IN DS 1828 5 2 AC36913913EC104BB10588DF9AE6BE89281431300F28F6CC70A886FD2904B55C
sourceware.org. IN DS 96 5 2 29219704D9D4FA42DB897CD82ACE824E73EDB3AD5B7FBDBCF07DA49B26C69C32

- FChE


* Re: dnssec for sourceware
From: Ian Lance Taylor @ 2014-07-12 15:20 UTC (permalink / raw)
  To: Frank Ch. Eigler; +Cc: Sourceware Overseers

On Sat, Jul 12, 2014 at 4:01 AM, Frank Ch. Eigler <fche@redhat.com> wrote:
>
> I believe sourceware.org is set up (with a third-party bind 9.9)
> with dnssec data locally.  The registrar needs to add just these
> two records to their zone:
>
> sourceware.org. IN DS 1828 5 2 AC36913913EC104BB10588DF9AE6BE89281431300F28F6CC70A886FD2904B55C
> sourceware.org. IN DS 96 5 2 29219704D9D4FA42DB897CD82ACE824E73EDB3AD5B7FBDBCF07DA49B26C69C32

Thanks.  I've installed those keys in the DNS registrar for
sourceware.org.  I also made sure that the secondary name servers are
updated.

When I try http://dnssec-debugger.verisignlabs.com/sourceware.org to
test it, it reports "No RRSIGs found".  I'm not sure whether that is
an issue with the secondary name servers (which are running djbdns) or
whether something else is wrong.

Ian


* Re: dnssec for sourceware
From: Jonathan Larmour @ 2014-10-03 15:06 UTC (permalink / raw)
  To: Sourceware Overseers

On 12/07/14 16:20, Ian Lance Taylor wrote:
> On Sat, Jul 12, 2014 at 4:01 AM, Frank Ch. Eigler <fche@redhat.com> wrote:
>>
>> I believe sourceware.org is set up (with a third-party bind 9.9)
>> with dnssec data locally.  The registrar needs to add just these
>> two records to their zone:
>>
>> sourceware.org. IN DS 1828 5 2 AC36913913EC104BB10588DF9AE6BE89281431300F28F6CC70A886FD2904B55C
>> sourceware.org. IN DS 96 5 2 29219704D9D4FA42DB897CD82ACE824E73EDB3AD5B7FBDBCF07DA49B26C69C32
> 
> Thanks.  I've installed those keys in the DNS registrar for
> sourceware.org.  I also made sure that the secondary name servers are
> updated.
[snip]

I've had a report from a user that something isn't right here for
ecos.sourceware.org and bugs.ecos.sourceware.org, with their BIND
complaining about the lack of RRSIGs:

> Oct  2 20:30:45 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 202.37.101.2#53
> Oct  2 20:30:45 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 202.37.101.1#53
> Oct  2 20:30:46 lapis named[689]: error (chase DS servers) resolving 'ecos.sourceware.org/DS/IN': 209.132.180.131#53
> Oct  2 20:30:47 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 71.133.8.30#53
> Oct  2 20:30:47 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 64.13.131.148#53
> Oct  2 20:30:47 lapis named[689]: error (no valid DS) resolving 'bugs.ecos.sourceware.org/A/IN': 202.37.101.1#53
> Oct  2 20:30:47 lapis named[689]: error (no valid DS) resolving 'bugs.ecos.sourceware.org/AAAA/IN': 202.37.101.1#53

They had to put in a workaround in their /etc/hosts file to get it to
work. ecos.sourceware.org is just a CNAME for sourceware.org.
bugs.ecos.sourceware.org is a CNAME for bugzilla.ecoscentric.com which
doesn't have any DNSSEC.

I assume it's just a case of someone adding RRSIGs for these two CNAMEs in
sourceware.org? FAOD, according to
http://tools.ietf.org/html/rfc2181#section-10 it's valid to have RRSIGs
alongside CNAMEs.

Jifl

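Added example, not part of the original messages: a small triage script for resolver logs like the one quoted in the last message. It groups named's DNSSEC validation errors by query and lists the upstream servers named in "no valid RRSIG" errors, which are the ones to check for missing signatures. The log lines are copied from that report; the function names are this example's own.

```python
import re
from collections import defaultdict

# Log lines copied from the resolver report quoted in the message above.
SAMPLE_LOG = """\
Oct  2 20:30:45 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 202.37.101.2#53
Oct  2 20:30:45 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 202.37.101.1#53
Oct  2 20:30:46 lapis named[689]: error (chase DS servers) resolving 'ecos.sourceware.org/DS/IN': 209.132.180.131#53
Oct  2 20:30:47 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 71.133.8.30#53
Oct  2 20:30:47 lapis named[689]: error (no valid DS) resolving 'bugs.ecos.sourceware.org/A/IN': 202.37.101.1#53
"""

# named's "error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>"
LINE_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)\s*$"
)

# Only the reasons that appear in the report; other named errors are ignored.
DNSSEC_REASONS = {"no valid RRSIG", "no valid DS", "chase DS servers"}


def parse_line(line):
    """Return the fields of one DNSSEC-related error line, or None."""
    m = LINE_RE.search(line)
    if not m or m["reason"] not in DNSSEC_REASONS:
        return None
    return m.groupdict()


def summarize(log_text):
    """Map (qname, qtype) -> {reason: sorted unique upstream servers}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            grouped[(rec["qname"], rec["qtype"])][rec["reason"]].add(rec["server"])
    return {q: {r: sorted(s) for r, s in reasons.items()}
            for q, reasons in grouped.items()}


def servers_missing_rrsig(log_text):
    """Servers named in 'no valid RRSIG' errors, sorted and de-duplicated."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return sorted({r["server"] for r in recs if r["reason"] == "no valid RRSIG"})


if __name__ == "__main__":
    for (qname, qtype), reasons in summarize(SAMPLE_LOG).items():
        for reason, servers in reasons.items():
            print(f"{qname}/{qtype}: {reason}: {', '.join(servers)}")
    print("check for RRSIGs on:", ", ".join(servers_missing_rrsig(SAMPLE_LOG)))
```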
