PowerDNS: SUPERMASTER
We saw in the AXFR replication post that each slave must be configured with the domains in the domains table; after all, we need to know which information to fetch from the master and what we have no authority to answer for.
Up to a few dozen domains this works very well, but what about when we have more than a hundred domains and they are added and removed dynamically, as at a domain registrar? That is why supermasters exist in PowerDNS. With supermasters, we only say which server we should trust, and the zone is created automatically in the tables.
Configuring the supermaster
First part: enable master mode and AXFR in the configuration file:
master=yes
# now I'll use this range, it's easier for me :-)
allow-axfr-ips=192.168.122.0/24
# the easiest way to demonstrate things is configuring a sqlite3 database:
# cat no-dnssec.schema.sqlite3.sql | sqlite3 pdnssec.sqlite3
# cat dnssec.schema.sqlite3.sql | sqlite3 pdnssec.sqlite3
# remember to check permissions
launch=gsqlite3
gsqlite3-database=/var/lib/pdns/pdnssec.sqlite3
gsqlite3-dnssec=yes
# avoid problems, configure this:
local-address=192.168.122.100
The test domain:
insert into domains (name, type) values ('example.com', 'MASTER');
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.com', 'SOA', 'ns1.example.com ze.example.com 2012022201 3600 600 1209600 3600', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.com', 'NS', 'ns1.example.com', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.com', 'NS', 'ns2.example.com', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'ns1.example.com', 'A', '192.168.122.100', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'ns2.example.com', 'A', '192.168.122.101', 3600, 1 from domains where name = 'example.com';
Configuring the slave:
slave=yes
# now I'll use this range, it's easier for me :-)
allow-axfr-ips=192.168.122.0/24
launch=gsqlite3
gsqlite3-database=/var/lib/pdns/pdnssec.sqlite3
gsqlite3-dnssec=yes
# avoid problems, configure this:
local-address=192.168.122.101
Configuring the slave's database:
insert into supermasters values ('192.168.122.100', 'ns1.example.com', 'superuser');
Field descriptions:
- ip: the IP of the supermaster (the IP from which we will receive the AXFR);
- nameserver: the name of the supermaster. This name must be in the domain's list of NS records;
- user: at the moment there is no authentication for supermasters, so this is for logging purposes
As soon as the master starts, the zone is transferred to the slave, because PowerDNS looks for domains of type master and puts them in the send queue. The test logs:
Master:
Feb 22 18:52:24 Reading random entropy from '/dev/urandom'
Feb 22 18:52:24 This is a standalone pdns
Feb 22 18:52:24 Listening on controlsocket in '/var/run/pdns.controlsocket'
Feb 22 18:52:24 UDP server bound to 192.168.122.100:53
Feb 22 18:52:24 TCP server bound to 192.168.122.100:53
Feb 22 18:52:24 PowerDNS 3.0.1 (C) 2001-2011 PowerDNS.COM BV (Jan 10 2012, 16:28:34, gcc 4.4.3) starting up
Feb 22 18:52:24 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Feb 22 18:52:24 Creating backend connection for TCP
Feb 22 18:52:24 Master/slave communicator launching
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 About to create 3 backend threads for UDP
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 No new unfresh slave domains, 0 queued for AXFR already
Feb 22 18:52:24 1 domain for which we are master needs notifications
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 Done launching threads, ready to distribute questions
Feb 22 18:52:25 Queued notification of domain 'example.com' to 192.168.122.100
Feb 22 18:52:25 Queued notification of domain 'example.com' to 192.168.122.101
Feb 22 18:52:25 Received NOTIFY for example.com from 192.168.122.100 but slave support is disabled in the configuration
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 AXFR of domain 'example.com' initiated by 192.168.122.101
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 AXFR of domain 'example.com' to 192.168.122.101 finished
Feb 22 18:52:26 Received unsuccessful notification report for 'example.com' from 192.168.122.100:53, rcode: 4
Feb 22 18:52:26 Removed from notification list: 'example.com' to 192.168.122.100:53
Feb 22 18:52:26 Removed from notification list: 'example.com' to 192.168.122.101:53 (was acknowledged)
Feb 22 18:52:28 No master domains need notifications
Slave logs:
Feb 22 18:51:25 Reading random entropy from '/dev/urandom'
Feb 22 18:51:25 This is a standalone pdns
Feb 22 18:51:25 Listening on controlsocket in '/var/run/pdns.controlsocket'
Feb 22 18:51:25 UDP server bound to 192.168.122.101:53
Feb 22 18:51:25 TCP server bound to 192.168.122.101:53
Feb 22 18:51:25 PowerDNS 3.0.1 (C) 2001-2011 PowerDNS.COM BV (Jan 10 2012, 16:28:34, gcc 4.4.3) starting up
Feb 22 18:51:25 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Feb 22 18:51:25 Creating backend connection for TCP
Feb 22 18:51:25 Master/slave communicator launching
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 About to create 3 backend threads for UDP
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 No new unfresh slave domains, 0 queued for AXFR already
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 Done launching threads, ready to distribute questions
Feb 22 18:52:25 Received NOTIFY for example.com from 192.168.122.100 for which we are not authoritative
Feb 22 18:52:25 Initiating transfer of 'example.com' from remote '192.168.122.100'
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 Created new slave zone 'example.com' from supermaster 192.168.122.100, queued axfr
Feb 22 18:52:25 AXFR started for 'example.com', transaction started
Feb 22 18:52:25 AXFR done for 'example.com', zone committed
Supermasters and DNSSEC
With DNSSEC, things get a bit more complicated. The supermaster does not work correctly because, besides configuring the domains, it is necessary to say that the records are pre-signed. A good workaround for this situation is to create triggers in the database that insert the metadata automatically:
CREATE TRIGGER set_presigned AFTER INSERT ON domains
FOR EACH ROW
BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content) VALUES (NEW.ID, 'PRESIGNED', '1');
END;
As a demonstration, delete the slave's data and create the trigger above:
delete from records;
delete from domains;
On the master, sign the zone and notify the slave:
pdnssec sign-zone example.com
pdns_control notify-host example.com 192.168.122.101
The same can be done for NSEC3, if it is configured:
CREATE TRIGGER set_nsec3 AFTER INSERT ON domains
FOR EACH ROW
BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content) VALUES (NEW.ID, 'NSEC3PARAM', '1 1 1 ab');
END;
More zones
There is no advantage at all in creating other zones and inserting new records into the supermasters table, although that is not so inconvenient; it is possible to always use the same record:
insert into domains (name, type) values ('example.net', 'MASTER');
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.net', 'SOA', 'ns1.example.com ze.example.net 2012022201 3600 600 1209600 3600', 3600, 1 from domains where name = 'example.net';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.net', 'NS', 'ns1.example.com', 3600, 1 from domains where name = 'example.net';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.net', 'NS', 'ns2.example.net', 3600, 1 from domains where name = 'example.net';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'ns2.example.net', 'A', '192.168.122.101', 3600, 1 from domains where name = 'example.net';
Note that ns1 is the same.
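An added example (not from the original post and not PowerDNS code): a Python model, over a simplified in-memory SQLite schema, of what the supermasters fields and the set_presigned trigger described above imply for the slave. It shows that the only things trusted are the source IP and an NS name, and that one supermasters row provisions both example.com and example.net. The function names and the zone_ns input are assumptions of the example.

```python
import sqlite3

# Simplified subset of the slave's gsqlite3 schema (constructed for this example),
# plus the supermasters row and the set_presigned trigger from the post.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT UNIQUE, master TEXT, type TEXT);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INT, kind TEXT, content TEXT);
CREATE TABLE supermasters (ip TEXT, nameserver TEXT, account TEXT);
CREATE TRIGGER set_presigned AFTER INSERT ON domains FOR EACH ROW BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content) VALUES (NEW.id, 'PRESIGNED', '1');
END;
INSERT INTO supermasters VALUES ('192.168.122.100', 'ns1.example.com', 'superuser');
"""

def new_slave_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def norm(name):
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return name.rstrip(".").lower()

def handle_notify(conn, src_ip, zone, zone_ns):
    """Model the slave's decision for a NOTIFY about a zone it may not have yet.

    zone_ns is the zone's NS set (hypothetical input of this model).
    Returns the account used for logging if a slave zone was created, else None.
    """
    zone = norm(zone)
    if conn.execute("SELECT 1 FROM domains WHERE name = ?", (zone,)).fetchone():
        return None  # already configured: ordinary refresh, nothing to provision
    ns_names = {norm(n) for n in zone_ns}
    rows = conn.execute(
        "SELECT nameserver, account FROM supermasters WHERE ip = ?", (src_ip,))
    for nameserver, account in rows.fetchall():
        if norm(nameserver) in ns_names:  # supermaster name must be one of the NSs
            conn.execute(
                "INSERT INTO domains (name, master, type) VALUES (?, ?, 'SLAVE')",
                (zone, src_ip))
            conn.commit()
            return account
    return None  # unknown IP, or its registered name is not in the NS set

def is_presigned(conn, zone):
    # True when the trigger stored PRESIGNED=1 for the auto-created zone.
    row = conn.execute(
        "SELECT m.content FROM domainmetadata m JOIN domains d ON d.id = m.domain_id "
        "WHERE d.name = ? AND m.kind = 'PRESIGNED'", (norm(zone),)).fetchone()
    return row is not None and row[0] == "1"

if __name__ == "__main__":
    db = new_slave_db()
    # Constructed NOTIFY inputs mirroring the zones in the post.
    print(handle_notify(db, "192.168.122.100", "example.com",
                        {"ns1.example.com", "ns2.example.com"}))
    print(handle_notify(db, "192.168.122.100", "example.net",
                        {"ns1.example.com", "ns2.example.net"}))
    print(handle_notify(db, "192.168.122.50", "unknown.example", {"ns1.example.com"}))
    print(is_presigned(db, "example.net"))
```

Because acceptance rests only on the source address and an NS name, the supermasters table and the network path to the slave are the places to review when auditing this setup.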
Posted at 07:13PM Feb 22, 2012 by ze in PowerDNS | Comments[0]
Technical details
Tomcat upgrade, use of APR, DANE tests using this domain's certificate, virtualization that I broke on my desktop: there are many reasons for the delay in new posts. I hope I have resolved them all, and that my mind does not create new ones before I publish at least a few more things about PowerDNS.
This week I intend to publish something about configuring supermasters and using them with DNSSEC
Posted at 10:40PM Feb 19, 2012 by ze in General | Comments[0]
Testing the DNSSEC chain
From the command line, there are two options for validating the DNSSEC chain: dig and drill.
Below is the drill command line:
drill -S powerdns.benetasso.com -k /etc/trusted-key.key
;; Number of trusted keys: 1
;; Chasing: powerdns.benetasso.com. A
DNSSEC Trust tree:
powerdns.benetasso.com. (A)
|---benetasso.com. (DNSKEY keytag: 49720 alg: 8 flags: 256)
|---benetasso.com. (DNSKEY keytag: 53404 alg: 8 flags: 257)
|---benetasso.com. (DS keytag: 53404 digest type: 2)
| |---com. (DNSKEY keytag: 54350 alg: 8 flags: 256)
| |---com. (DNSKEY keytag: 30909 alg: 8 flags: 257)
| |---com. (DS keytag: 30909 digest type: 2)
| |---. (DNSKEY keytag: 51201 alg: 8 flags: 256)
| |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
|---benetasso.com. (DS keytag: 53404 digest type: 1)
|---com. (DNSKEY keytag: 54350 alg: 8 flags: 256)
|---com. (DNSKEY keytag: 30909 alg: 8 flags: 257)
|---com. (DS keytag: 30909 digest type: 2)
|---. (DNSKEY keytag: 51201 alg: 8 flags: 256)
|---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful
The /etc/trusted-key.key file, the "trusted key", was installed when I installed the bind-utils package, which is where dig comes from. The same thing using dig:
dig +dnssec +sigchase zefacts.benetasso.com
and with these long lines, I need to improve my blog's stylesheet...
Posted at 08:44AM Feb 14, 2012 by ze in PowerDNS | Comments[1]
benetasso.com now with DNSSEC
It did not make much sense to talk about DNSSEC on a domain that was not using it. Problem fixed: http://dnscheck.iis.se/
Posted at 08:38PM Feb 05, 2012 by ze in PowerDNS | Comments[0]
