DNSSEC: Signature ok but no chain to a trusted key or ds record


The operating system is FreeBSD-13.0p1

DNS: BIND named 9.16.24

We have been using DNSSEC for some time. In fact, it has been long enough that I have forgotten most of what went into setting it up. Nonetheless, it has been working fine. Verisign's DNSSEC Analyzer shows everything green for our domain: Verisign DNSSEC Analyzer for harte-lyne.ca

However, we recently updated the hidden master from 9.11 to 9.16, and this has surfaced some evident problems. The one I am currently investigating is this:

# drill -TD harte-lyne.ca
  Warning: No trusted keys were given. Will not be able to verify authenticity!
  ;; Domain: .
  ;; Signature ok but no chain to a trusted key or ds record

Now, when I look more deeply into this, I find:

dig @216.185.71.33 harte-lyne.ca. DNSKEY +dnssec +cd +multiline

; <<>> DiG 9.16.24 <<>> @216.185.71.33 harte-lyne.ca. DNSKEY +dnssec +cd +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4548
;; flags: qr aa rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 6e5f2f0f43c272af82b6a8fa61f1acfba4e9ffd72a5f8524 (good)
;; QUESTION SECTION:
;harte-lyne.ca.     IN DNSKEY

;; ANSWER SECTION:
harte-lyne.ca.      172800 IN DNSKEY 256 3 8 (
                AwEAAeM4vn7SdTaVZi7HFuCCpAx/6/ZkEexKZqECM6lg
                99WlsEZH1kEzo1MMyoxOEdVfRkVRv1GLPrC8mD8pagfA
                UfT6ZGOIH8JemmOwPEWeZ3Vp/6TbC236rZHnQaHQRTUA
                /DY6WE2G6TzCR2gDzJOY1DAGtZrWBCk6J9JIOmWO1cPK
                9cAtMRPeKLWcchR5sItPIkcHVk3ngWRIQviSyOdCk60=
                ) ; ZSK; alg = RSASHA256 ; key id = 26685
harte-lyne.ca.      172800 IN DNSKEY 257 3 8 (
                AwEAAc3jgHIGtS3TVg7veoyTo0lsAcrgeS/CwmuJ+BUr
                y4dv6lQgPtE0KkTh4m6uLXb+uj4frR36KO7sQr+8o+U1
                LU8CYynx2ENbc8kjNZqYYc5qjMRIWvXTn4V3b7V8lVzi
                /Epd/qly9caMp70UThmaKbGuCHUrEDRT9ejXUqQ3P63c
                T2JhRxZjRh/a5MO+vlmVx69UG/qWcgjpu10V0IGM5BlS
                q8dno3JniI1vRQtQ+DSqete2cv2+suUJOi9GnwLc5r+G
                eCezGZxx40xRS7gBaSPmOG/GkOge88a7zypCDR/nCW2X
                N0/yoN8qT56sMSSp/CZsBsvD/FOkdE9MmHcnYI8=
                ) ; KSK; alg = RSASHA256 ; key id = 37852
harte-lyne.ca.      172800 IN RRSIG DNSKEY 8 2 172800 (
                20220221141715 20220117132408 26685 harte-lyne.ca.
                qzSWd1gKlCgENijT4VjuNmTlMtSO4WOauCxBG99S61Ss
                aXkO5xEPiPM5sazRKzb7DWSmFGqkEEeIrJKYqXn8+/12
                zPfvvDDM6JxgtmOsQ/exmkhha2BtCKvPO9XhxbDxi0IJ
                UoJTUJXWJrV1JUimY96d6OSnsNIWEKzVwLck7Gum19UO
                84sR6doatGHuVx9v3LoQ/Cchn4oyqCByG3P3bg== )
harte-lyne.ca.      172800 IN RRSIG DNSKEY 8 2 172800 (
                20220221141715 20220117132408 37852 harte-lyne.ca.
                Q55CfRTJEDGy1d63ACaroIwR+iQIplb+A/rGw5j7/hWc
                vw8vU/daNXCSnK3FM+1DDyRS1g6y64hVoUrX0VD38CZH
                ExMMnoE1cV+20BdQvpZ+J1AFcKEFPq2kTUL0JVE3mN3V
                C3TtOzi8FnsEkbcK+QnE+jAUxFXxoycAPtZaSlx+u83W
                VHc6olkDg8kRY2WRh3GSgx2uA5v/CZ0zlTPysJNNU8mY
                IYhrAJHWyNyVlyTfsMY5ZtRTkwLQCbxFGHf/XHBXTjBS
                n64Kl8RoDT8+zPIsNlMjldbtHSKtuy+X8AMg8gzdCqnH
                sZomruKsaXl45wlA/BLWPm6fvTRhv2pJMA== )

The DS records appear to be correct. So, what is my problem? Is this a bind-9.16 configuration issue? Did I miss something in the DNSSEC setup?

named.conf contains the following:

  // dnssec setup
  //dnssec-enable yes;            // enable - obsolete as of v9.16
  // dnssec keys directory:
  //managed-keys-directory "/usr/local/etc/namedb/master/";
  key-directory "/usr/local/etc/namedb/master/";
  //dnssec-validation yes;        // for recursive servers
  dnssec-validation auto;       // for recursive servers and key rollovers
//  dnssec-lookaside auto;        // defunct Enable DLV and use built-in key
                                  // see /etc/named.iscdlv.key
  // dnssec-accept-expired no;
  // dnssec-must-be-secure yes; 
  sig-validity-interval 35 16;  // expiry 35 days; resign commencing 35 -16 days

. . .

  zone "harte-lyne.ca" {
  type master;
    masterfile-format text;
//    file "/usr/local/etc/namedb/master/harte-lyne.ca.hosts";
    file "/usr/local/etc/namedb/signtest/harte-lyne.ca.hosts";
    key-directory "/usr/local/etc/namedb/master/";
    auto-dnssec maintain;
    inline-signing yes;
  };
  . . .

If I provide a trusted key on the command line, I still get the message: Signature ok but no chain to a trusted key or ds record

drill -k /usr/local/etc/namedb/signtest/Kharte-lyne.ca.+008+37852.key -TD harte-lyne.ca
;; Number of trusted keys: 1
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 172800 IN DNSKEY 256 3 8 ;{id = 9799 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: .  172800  IN  DNSKEY  256 3 8 AwEAAZym4HCWiTAAl2Mv1izgTyn9sKwgi5eBxpG29bVlefq/r+TGCtmUElvFyBWHRjvf9mBglIlTBRse22dvzNOI+cYrkjD6LOHuxMoc/d4WtXWKdviNmrtWF2GpjmDOI98gLd4BZ0U/lY847mJP9LypFABZcEn3zM3vce4Ee1A3upSlFQ2TFyJSD9HvMnP4XneFexBxV96RpLcy2O+u2W6ChIiDCjlrowPCcU3zXfXxyWy/VKM6TOa8gNf+aKaVkcv/eIh5er8rrsqAi9KT8O5hmhzYLkUOQEXVSRORV0RMt9l3JSwWxT1MebEDvtfBag3uo+mZwWSFlpc9kuzyWBd72Ec= ;{id = 9799 (zsk), size = 2048b}
    Trusted key: harte-lyne.ca. 3600    IN  DNSKEY  257 3 8 AwEAAc3jgHIGtS3TVg7veoyTo0lsAcrgeS/CwmuJ+BUry4dv6lQgPtE0KkTh4m6uLXb+uj4frR36KO7sQr+8o+U1LU8CYynx2ENbc8kjNZqYYc5qjMRIWvXTn4V3b7V8lVzi/Epd/qly9caMp70UThmaKbGuCHUrEDRT9ejXUqQ3P63cT2JhRxZjRh/a5MO+vlmVx69UG/qWcgjpu10V0IGM5BlSq8dno3JniI1vRQtQ+DSqete2cv2+suUJOi9GnwLc5r+GeCezGZxx40xRS7gBaSPmOG/GkOge88a7zypCDR/nCW2XN0/yoN8qT56sMSSp/CZsBsvD/FOkdE9MmHcnYI8= ;{id = 37852 (ksk), size = 2048b}
[S] ca. 86400 IN DS 48662 8 2 b88605073ae242e4917a795ada1eac2580c0fa9d622b228926fecb408b41c3f9 
;; Domain: ca.
;; Signature ok but no chain to a trusted key or ds record
[S] ca. 3600 IN DNSKEY 256 3 8 ;{id = 44701 (zsk), size = 1024b}
ca. 3600 IN DNSKEY 257 3 8 ;{id = 48662 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: ca.    3600    IN  DNSKEY  256 3 8 AwEAAbruLK3Va5bcTantM/kP0F3QPZ75W4ws0QEbxBy7mrZSPh4Hu0t4wSplH8AG+mMfPIf6+rKyEFEQnRtDXv2ChAzL0un8CVbA5iFKQGe+V7Mi7mh0hFFENquM1Z/sC0HrY5JJCe0urXI4PBvo20ilHgzt7SljIWFrmeRvaFC+OM4J ;{id = 44701 (zsk), size = 1024b}
    Trusted key: harte-lyne.ca. 3600    IN  DNSKEY  257 3 8 AwEAAc3jgHIGtS3TVg7veoyTo0lsAcrgeS/CwmuJ+BUry4dv6lQgPtE0KkTh4m6uLXb+uj4frR36KO7sQr+8o+U1LU8CYynx2ENbc8kjNZqYYc5qjMRIWvXTn4V3b7V8lVzi/Epd/qly9caMp70UThmaKbGuCHUrEDRT9ejXUqQ3P63cT2JhRxZjRh/a5MO+vlmVx69UG/qWcgjpu10V0IGM5BlSq8dno3JniI1vRQtQ+DSqete2cv2+suUJOi9GnwLc5r+GeCezGZxx40xRS7gBaSPmOG/GkOge88a7zypCDR/nCW2XN0/yoN8qT56sMSSp/CZsBsvD/FOkdE9MmHcnYI8= ;{id = 37852 (ksk), size = 2048b}
[S] harte-lyne.ca. 86400 IN DS 34011 8 1 4d8a16b5fe3dbfafe3de6d9631d5e17bc5264daf 
harte-lyne.ca. 86400 IN DS 37852 8 2 263785e078032bb2c961a8d2c8a5f76477db388ecac46bf7299f88e6368f3c49 
harte-lyne.ca. 86400 IN DS 37852 8 1 25f0408ace2e07f38fcb5c04bcb80a542eab59ee 
;; Domain: harte-lyne.ca.
[T] harte-lyne.ca. 172800 IN DNSKEY 256 3 8 ;{id = 26685 (zsk), size = 1280b}
harte-lyne.ca. 172800 IN DNSKEY 257 3 8 ;{id = 37852 (ksk), size = 2048b}
[T] harte-lyne.ca.  172800  IN  A   216.185.71.110
;;[S] self sig OK; [B] bogus; [T] trusted

This must be a configuration issue. What am I missing?

Answer 1

I was getting these messages because I had not provided a trust anchor to the drill utility. A trust anchor must be supplied in order to establish the authenticity of the response.

The command should be: drill -DT -k ./root_dnssec_key harte-lyne.ca This produces no warning. The contents of root_dnssec_key are:

. 170443 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=;{id = 20326 (ksk), size = 2048b}

It can be fetched directly from the root servers with drill: drill . dnskey | grep -e '^\.' | grep 257 > root_dnssec_key
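To make the link drill was looking for concrete, here is an added Python example (not from the question, the answer, or the drill/BIND projects) that checks the DS-to-DNSKEY chain for harte-lyne.ca from the records shown in the question: it computes the RFC 4034 key tag and DS digest over the KSK and compares them with the DS records the parent publishes. The only inputs are the records copied from the question's dig/drill output.

```python
import base64
import hashlib
# Records copied from the question's dig/drill output: the KSK of harte-lyne.ca
# and the two DS records its parent (ca.) publishes for key tag 37852.
HARTE_LYNE_KSK = (
    "harte-lyne.ca. 172800 IN DNSKEY 257 3 8 "
    "AwEAAc3jgHIGtS3TVg7veoyTo0lsAcrgeS/CwmuJ+BUr"
    "y4dv6lQgPtE0KkTh4m6uLXb+uj4frR36KO7sQr+8o+U1"
    "LU8CYynx2ENbc8kjNZqYYc5qjMRIWvXTn4V3b7V8lVzi"
    "/Epd/qly9caMp70UThmaKbGuCHUrEDRT9ejXUqQ3P63c"
    "T2JhRxZjRh/a5MO+vlmVx69UG/qWcgjpu10V0IGM5BlS"
    "q8dno3JniI1vRQtQ+DSqete2cv2+suUJOi9GnwLc5r+G"
    "eCezGZxx40xRS7gBaSPmOG/GkOge88a7zypCDR/nCW2X"
    "N0/yoN8qT56sMSSp/CZsBsvD/FOkdE9MmHcnYI8="
)
HARTE_LYNE_DS_SHA256 = "harte-lyne.ca. 86400 IN DS 37852 8 2 263785e078032bb2c961a8d2c8a5f76477db388ecac46bf7299f88e6368f3c49"
HARTE_LYNE_DS_SHA1 = "harte-lyne.ca. 86400 IN DS 37852 8 1 25f0408ace2e07f38fcb5c04bcb80a542eab59ee"
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels, no compression."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """'owner ttl IN DNSKEY flags proto alg key...' -> (owner, DNSKEY RDATA bytes)."""
    f = line.split()
    rdata = int(f[4]).to_bytes(2, "big") + bytes([int(f[5]), int(f[6])])
    return f[0], rdata + base64.b64decode("".join(f[7:]))

def parse_ds(line):
    """'owner ttl IN DS keytag alg dtype digest...' -> (owner, keytag, alg, dtype, hexdigest)."""
    f = line.split()
    return f[0], int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).lower()

def key_tag(rdata):
    """RFC 4034 Appendix B key tag, computed over the whole DNSKEY RDATA."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_links_to_dnskey(ds_line, dnskey_line):
    """True iff the parent's DS commits to this DNSKEY: owner, tag, algorithm and digest all agree."""
    owner, tag, alg, dtype, digest = parse_ds(ds_line)
    key_owner, rdata = parse_dnskey(dnskey_line)
    if owner.lower() != key_owner.lower() or dtype not in DIGESTS:
        return False
    # DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 s5.1.4
    computed = DIGESTS[dtype](owner_wire(owner) + rdata).hexdigest()
    return tag == key_tag(rdata) and alg == rdata[3] and computed == digest
```

A mismatch here (wrong tag, digest or algorithm) is exactly what turns the `[T]` in drill's output into "no chain to a trusted key or ds record" for the zone; the same check applies one level up for each DS/DNSKEY pair down from the root trust anchor.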
