Cannot publish DNSKEY to dlv.isc.org

Trying to get DNSSEC working for a zone.

Software: BIND 9.4.2-P2, OS: Ubuntu 8.04

I tried signing the zone with the zone signer and publishing it to dlv.isc.org, but it complains that the key is missing. The keys are shown when I use dig dnskey. The domain is kristaps.lv.

The exact error message:

3.138:DEBUG RUN GET_ADDRESSES: Sending a recursive query for mazais.kristaps.lv A
3.532:DEBUG RUN GET_ADDRESSES: Got response for recursive query mazais.kristaps.lv A NOERROR
3.533:DEBUG RUN GET_ADDRESSES: Caching address for mazais.kristaps.lv => 92.240.80.54
3.725:DEBUG RUN: Enqueued query 7 to 92.240.80.54 for kristaps.lv DNSKEY
3.725:DEBUG RUN: Got activity for 2, from 92.240.70.1
3.725:DEBUG RUN: Got referral
3.726:DEBUG RUN: kristaps.lv. 1800 IN NS mazais.kristaps.lv
3.727:DEBUG RUN: Already have 92.240.80.54 queued
3.727:DEBUG RUN: Got activity for 3, from 194.0.1.24
3.727:DEBUG RUN: Got referral
3.728:DEBUG RUN: kristaps.lv. 1800 IN NS mazais.kristaps.lv
3.729:DEBUG RUN: Already have 92.240.80.54 queued
3.729:DEBUG RUN: Got activity for 4, from 83.171.8.137
3.729:DEBUG RUN: Got referral
3.730:DEBUG RUN: kristaps.lv. 1800 IN NS mazais.kristaps.lv
3.730:DEBUG RUN: Already have 92.240.80.54 queued
3.730:DEBUG RUN: Got activity for 5, from 193.0.12.121
3.730:DEBUG RUN: Got referral
3.731:DEBUG RUN: kristaps.lv. 1800 IN NS mazais.kristaps.lv
3.732:DEBUG RUN: Already have 92.240.80.54 queued
3.732:DEBUG RUN: Got activity for 6, from 192.36.125.2
3.732:DEBUG RUN: Got referral
3.733:DEBUG RUN: kristaps.lv. 1800 IN NS mazais.kristaps.lv
3.733:DEBUG RUN: Already have 92.240.80.54 queued
4.223:DEBUG RUN: Got activity for 7, from 92.240.80.54
4.223:DEBUG RUN: Found answer from 92.240.80.54
4.227:SUCCESS 92.240.80.54 answered DNSKEY query with rcode NOERROR
4.227:INFO Total answers: 1
4.228:SUCCESS All DNSKEY responses are identical.
4.236:DEBUG VERIFY-DNSKEY: Checking tag=32656 flags=257 alg=RSASHA1 AwEAAcAo...Qbb+6aKYw8=
4.236:DEBUG VERIFY-DNSKEY: Accepted key.
4.237:DEBUG VERIFY-DNSKEY: Checking tag=58348 flags=257 alg=RSASHA1 AwEAAZbV...HzR2UTmRw0=
4.237:DEBUG VERIFY-DNSKEY: Ignoring key.
4.237:DEBUG VERIFY-DNSKEY: Checking tag=41748 flags=256 alg=RSASHA1 AwEAAeJC...u4rnFt63+RV
4.238:DEBUG VERIFY-DNSKEY: Ignoring key.
4.238:DEBUG VERIFY-DNSKEY: Checking tag=64185 flags=256 alg=RSASHA1 AwEAAZ/S...x8pRgin/Vq5
4.238:DEBUG VERIFY-DNSKEY: Ignoring key.
4.238:DEBUG VERIFY-DNSKEY: Checking tag=21258 flags=256 alg=RSASHA1 AwEAAdlD...3Nv3HgYux4D
4.238:DEBUG VERIFY-DNSKEY: Ignoring key.
4.238:INFO VERIFY-DNSKEY: 5 DNSKEYs found.
4.239:INFO VERIFY-DNSKEY: 1 keys found after filtering.
4.239:DEBUG VERIFY-DNSKEY: Using keys:
4.239:DEBUG VERIFY-DNSKEY: tag=32656 flags=257 alg=RSASHA1 AwEAAcAo...Qbb+6aKYw8=
4.239:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
4.242:FAILURE DNSKEY signature verification failed: Signing key not found

Answer 1

It looks like you tried to add the KSK with id=32656 to DLV, but you signed the zone only with KSK 58348.

You need to add the correct key (id=58348) to DLV, or sign the DNSKEY RRset with id=32656.
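As an added example (not code from the question, the answer, or ISC's DLV tooling), a small Python check that reproduces the answer's reasoning: it computes RFC 4034 key tags for a DNSKEY RRset, keeps only the KSKs whose tags are registered in DLV, and reports whether the key that signed the DNSKEY RRSIG is among them. The DNSKEY records below are constructed placeholders with tiny fake public keys, not kristaps.lv's real keys; only the key-tag arithmetic is exercised, not the RSA signature.

```python
"""Check that the KSK signing the DNSKEY RRset is the one registered in DLV/DS."""
import base64
import struct


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Build DNSKEY wire-format rdata from its presentation fields (RFC 4034 section 2)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag as specified in RFC 4034 Appendix B (what 'tag=' shows in the log)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' into (tag, flags)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    b64 = "".join(fields[i + 4:]).strip("()")
    return key_tag(dnskey_rdata(flags, proto, alg, b64)), flags


def diagnose(dnskey_lines, rrsig_key_tag: int, registered_tags) -> str:
    """Mirror the DLV checker: filter the RRset down to registered KSKs (SEP bit set),
    then require the RRSIG over DNSKEY to come from one of them."""
    keys = dict(parse_dnskey(line) for line in dnskey_lines)   # tag -> flags
    ksks = {tag for tag, flags in keys.items() if flags & 1}    # SEP bit => KSK
    usable = ksks & set(registered_tags)                        # "keys found after filtering"
    if rrsig_key_tag in usable:
        return "ok"
    if rrsig_key_tag in ksks:
        return "signing-key-not-registered"   # the situation in the question
    return "signer-not-a-ksk"


# Constructed DNSKEY RRset: two KSKs (flags 257) and one ZSK (flags 256), fake key bytes.
KEYS = [
    "example.test. 1800 IN DNSKEY 257 3 5 AQIDBA==",   # hypothetical KSK, tag 2060
    "example.test. 1800 IN DNSKEY 257 3 5 CQoLDA==",   # hypothetical KSK, tag 6172
    "example.test. 1800 IN DNSKEY 256 3 5 BQYHCA==",   # hypothetical ZSK, tag 4115
]

if __name__ == "__main__":
    # Registered KSK 2060 in DLV, but the DNSKEY RRSIG was made with KSK 6172.
    print(diagnose(KEYS, rrsig_key_tag=6172, registered_tags=[2060]))
    # Either fix from the answer: register the signing KSK, or sign with the registered one.
    print(diagnose(KEYS, 6172, [2060, 6172]), diagnose(KEYS, 2060, [2060]))
```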
