From: Jonathan Larmour
To: Sourceware Overseers
Date: Fri, 03 Oct 2014 15:06:00 -0000
Subject: Re: dnssec for sourceware
Message-ID: <542EBB82.3080102@jifvik.org>
References: <20140712110154.GA12828@redhat.com>

On 12/07/14 16:20, Ian Lance Taylor wrote:
> On Sat, Jul 12, 2014 at 4:01 AM, Frank Ch. Eigler wrote:
>>
>> I believe sourceware.org is set up (with a third-party bind 9.9)
>> with dnssec data locally. The registrar needs to add just these
>> two records to their zone:
>>
>> sourceware.org. IN DS 1828 5 2 AC36913913EC104BB10588DF9AE6BE89281431300F28F6CC70A886FD2904B55C
>> sourceware.org. IN DS 96 5 2 29219704D9D4FA42DB897CD82ACE824E73EDB3AD5B7FBDBCF07DA49B26C69C32
>
> Thanks. I've installed those keys in the DNS registrar for
> sourceware.org. I also made sure that the secondary name servers are
> updated.

[snip]

I've had a report from a user that something isn't right here for
ecos.sourceware.org and bugs.ecos.sourceware.org, with their BIND
complaining about the lack of RRSIGs:

> Oct 2 20:30:45 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 202.37.101.2#53
> Oct 2 20:30:45 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 202.37.101.1#53
> Oct 2 20:30:46 lapis named[689]: error (chase DS servers) resolving 'ecos.sourceware.org/DS/IN': 209.132.180.131#53
> Oct 2 20:30:47 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 71.133.8.30#53
> Oct 2 20:30:47 lapis named[689]: error (no valid RRSIG) resolving 'ecos.sourceware.org/DS/IN': 64.13.131.148#53
> Oct 2 20:30:47 lapis named[689]: error (no valid DS) resolving 'bugs.ecos.sourceware.org/A/IN': 202.37.101.1#53
> Oct 2 20:30:47 lapis named[689]: error (no valid DS) resolving 'bugs.ecos.sourceware.org/AAAA/IN': 202.37.101.1#53

They had to put in a workaround in their /etc/hosts file to get it to work.

ecos.sourceware.org is just a CNAME for sourceware.org.
bugs.ecos.sourceware.org is a CNAME for bugzilla.ecoscentric.com which
doesn't have any DNSSEC.

I assume it's just a case of someone adding RRSIGs for these two CNAMEs
in sourceware.org? FAOD, according to
http://tools.ietf.org/html/rfc2181#section-10 it's valid to have RRSIGs
alongside CNAMEs.

Jifl
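An added example, not part of the thread above: a small audit that walks zone data in presentation format and reports RRsets (CNAMEs included) that have no RRSIG covering them, which is the condition the validator logs complain about. The record values below are constructed placeholders modelled on the names in the thread, not real sourceware.org zone data; the RRSIG field layout follows RFC 4034 section 3.2.

```python
from collections import defaultdict

# Constructed sample zone data (placeholder values, not the real zone). The
# CNAME for ecos.sourceware.org deliberately has no RRSIG so the audit flags it.
SAMPLE_ZONE = """
sourceware.org.           3600 IN A     192.0.2.10
sourceware.org.           3600 IN RRSIG A 5 2 3600 20141101000000 20141002000000 1828 sourceware.org. PLACEHOLDERSIG==
ecos.sourceware.org.      3600 IN CNAME sourceware.org.
bugs.ecos.sourceware.org. 3600 IN CNAME bugzilla.ecoscentric.com.
bugs.ecos.sourceware.org. 3600 IN RRSIG CNAME 5 3 3600 20141101000000 20141002000000 1828 sourceware.org. PLACEHOLDERSIG==
"""

def parse_records(text):
    """Parse 'owner ttl class type rdata' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        owner, _ttl, _cls, rtype = fields[:4]
        rdata = fields[4] if len(fields) == 5 else ""
        records.append((owner.lower(), rtype.upper(), rdata))
    return records

def unsigned_rrsets(text, zone):
    """Return sorted (owner, type) pairs with no RRSIG from the zone's own key.

    RRSIG rdata is: type-covered, algorithm, labels, original TTL, expiration,
    inception, key tag, signer name, signature. An RRSIG whose signer is not
    the zone apex does not count as covering the RRset.
    """
    zone = zone.lower()
    rrsets = set()
    covered = set()
    for owner, rtype, rdata in parse_records(text):
        if rtype != "RRSIG":
            rrsets.add((owner, rtype))
            continue
        f = rdata.split()
        if len(f) >= 8 and f[7].lower() == zone:
            covered.add((owner, f[0].upper()))
    return sorted(rrsets - covered)

if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SAMPLE_ZONE, "sourceware.org."):
        print(f"no RRSIG for {owner} {rtype}")
```

Note that a CNAME pointing into an unsigned zone (as with bugzilla.ecoscentric.com here) is fine as long as the CNAME RRset itself is signed by the zone that contains it; the audit checks only that.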