Root Zone DNSSEC Deployment Technical Status Update

itservices88 itservices88 at gmail.com
Thu May 20 15:33:47 UTC 2010


I am having this problem now:

# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
The zone is not fully signed for the following algorithms: RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.

What could be wrong ....

I have followed these steps:

OS = centos 5.4 with bind-9.6.2-3.P1

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
cat Kmydomain.org.+005+*.key >> mydomain.org
dnssec-signzone -N INCREMENT mydomain.org

Thanks
-dani
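
As an added illustration (not code from the thread, BIND or ISC), here is a small Python re-implementation of the "DNSSEC completeness test" that dnssec-signzone runs after signing: every algorithm in the zone's DNSKEY RRset must have an RRSIG over every other RRset. The sample zone is constructed (placeholder key and signature data, one record per line) and deliberately leaves the apex NSEC unsigned to reproduce the shape of the message above.

```python
from collections import defaultdict

# Algorithm numbers -> mnemonics, as dnssec-signzone prints them
ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

# Constructed sample zone (not a real signed zone); key/signature fields are placeholders.
SAMPLE_ZONE = """
mydomain.org.     3600 IN SOA    ns1.mydomain.org. hostmaster.mydomain.org. 2010052001 1800 900 604800 86400
mydomain.org.     3600 IN RRSIG  SOA 5 2 3600 20100619000000 20100520000000 12345 mydomain.org. SIG==
mydomain.org.     3600 IN NS     ns1.mydomain.org.
mydomain.org.     3600 IN RRSIG  NS 5 2 3600 20100619000000 20100520000000 12345 mydomain.org. SIG==
mydomain.org.     3600 IN DNSKEY 256 3 5 ZSKDATA==
mydomain.org.     3600 IN DNSKEY 257 3 5 KSKDATA==
mydomain.org.     3600 IN RRSIG  DNSKEY 5 2 3600 20100619000000 20100520000000 54321 mydomain.org. SIG==
mydomain.org.    86400 IN NSEC   ns1.mydomain.org. NS SOA RRSIG NSEC DNSKEY
ns1.mydomain.org. 3600 IN A      192.0.2.1
ns1.mydomain.org. 3600 IN RRSIG  A 5 3 3600 20100619000000 20100520000000 12345 mydomain.org. SIG==
"""

def parse_zone(text):
    """Parse one-record-per-line presentation format into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # strip comments, tokenize
        if len(fields) >= 4:                     # owner ttl class type [rdata...]
            records.append((fields[0], fields[3], fields[4:]))
    return records

def completeness_test(records):
    """Mirror dnssec-signzone's check: every RRset except RRSIG itself must be
    signed with every algorithm found in the zone's DNSKEY RRset.
    Returns the 'Missing ... signature' lines; an empty list means fully signed."""
    zone_algs = {int(rdata[2]) for _, rtype, rdata in records if rtype == "DNSKEY"}
    signed_with = defaultdict(set)               # (owner, type) -> algorithms with an RRSIG
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":                     # rdata: covered alg labels origttl exp inc tag signer sig
            signed_with[(owner, rdata[0])].add(int(rdata[1]))
    rrsets = sorted({(o, t) for o, t, _ in records if t != "RRSIG"})
    problems = []
    for owner, rtype in rrsets:
        for alg in sorted(zone_algs):
            if alg not in signed_with[(owner, rtype)]:
                name = ALGORITHMS.get(alg, str(alg))
                problems.append(f"Missing {name} signature for {owner} {rtype}")
    return problems

if __name__ == "__main__":
    for problem in completeness_test(parse_zone(SAMPLE_ZONE)):
        print(problem)   # prints: Missing RSASHA1 signature for mydomain.org. NSEC
```

The owner name in the message is printed exactly as it appears in the zone being signed, which is the first thing to compare against the error in the post.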


On Sun, May 16, 2010 at 11:52 AM, Rubens Kuhl <rubensk at gmail.com> wrote:

> You probably need a trust anchor as well.
> See http://ftp.isc.org/isc/pubs/tn/isc-tn-2006-1.html.
>
> Rubens
>
>
> On Sun, May 16, 2010 at 3:14 PM, itservices88 <itservices88 at gmail.com>
> wrote:
> > Hi,
> >
> > I was building a test domain for trying out the dnssec. However, as
> > mentioned on various websites, "ad" appears in the flags, but I can't
> > see it. The domain I am using is not real and I am testing from the
> > same machine, Fedora-12. Any help?
> >
> > Thanks
> >
> >
> > options {
> >        dnssec-enable yes;
> >        dnssec-validation yes;
> > };
> >
> > [root at ns1 named-data]# dig +dnssec @localhost www
> > ; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +dnssec @localhost www
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 4096
> > ;; QUESTION SECTION:
> > ;www.                           IN      A
> > ;; AUTHORITY SECTION:
> > .                       5221    IN      SOA     a.root-servers.net.
> > nstld.verisign-grs.com. 2010051600 1800 900 604800 86400
> > .                       5221    IN      RRSIG   SOA 8 0 86400 20100523070000
> > 20100516060000 55138 .
> > KTwve6TiQ6ShXCfEcbYusFWOCsx+IwCUumBr4GnwnNq1eqs7tqQaHqkJ
> > T/ewcvjXvRGOmHjhGRgqkdESse+/fa+tz1sSdvMsTGGI2Ba9/Fbb43Ty
> > eqsG5cFxbqfXOpwlA4ab9IR2Vkod6genONeYO6rrm2edNwQrf56wrtJr CNM=
> > .                       5221    IN      RRSIG   NSEC 8 0 86400
> > 20100523070000 20100516060000 55138 .
> > uIgAQvJUyLjAPwb7zB8wcJ4wk++21g+iF/bJGlpvz4iUJOMwkPgqA2s/
> > A8W0MhxBjo7918xg6yJeqYwXB+rGG14F7UZfOBVlXIqno5/kXzi4Carh
> > /8sulBMyHbFmVlOht5SLU230ROaI6+4o0B6IRyiP5Vzgjt00zyFu26Rg Yb8=
> > .                       5221    IN      NSEC    ac. NS SOA RRSIG NSEC DNSKEY
> > ws.                     5221    IN      RRSIG   NSEC 8 1 86400
> > 20100523070000 20100516060000 55138 .
> > KsvM0PTDqWt0yoJNZ4k1UGTw0UtJZxsZa17bDHAyY7w1eocZlCqGJNd8
> > 2/WDeJMfCkM+MakJLblnixlI6QcNYV6ctrKZkNuA/iX2rwapouVYoC7G
> > HxvBLnb5TFWkCML+fhgOWza8RmRnCTY593uBgsPtcgEfTZAzYB+QFCEP 6oI=
> > ws.                     5221    IN      NSEC    测试. NS RRSIG NSEC
> > ;; Query time: 11 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Sun May 16 11:02:43 2010
> > ;; MSG SIZE  rcvd: 641
> >
> > ===============================================================
> > On Wed, May 5, 2010 at 2:23 PM, Joe Abley <joe.abley at icann.org> wrote:
> >
> >> Root Zone DNSSEC Deployment
> >> Technical Status Update 2010-05-05
> >>
> >> This is the sixth of a series of technical status updates intended
> >> to inform a technical audience on progress in signing the root zone
> >> of the DNS.
> >>
> >>
> >> **  The final transition to a signed root zone took place today
> >> **  on J-Root, between 1700--1900 UTC.
> >> **
> >> **  All root servers are now serving a signed root zone.
> >> **
> >> **  All root servers will now generate larger responses to DNS
> >> **  queries that request DNSSEC information.
> >> **
> >> **  If you experience technical problems or need to contact
> >> **  technical project staff, please send e-mail to rootsign at icann.org
> >> **  or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred
> >> **  if possible.
> >> **
> >> **  See below for more details.
> >>
> >>
> >> RESOURCES
> >>
> >> Details of the project, including documentation published to date,
> >> can be found at <http://www.root-dnssec.org/>.
> >>
> >> We'd like to hear from you. If you have feedback for us, please
> >> send it to rootsign at icann.org.
> >>
> >>
> >> DEPLOYMENT STATUS
> >>
> >> The incremental deployment of DNSSEC in the Root Zone is being
> >> carried out first by serving a Deliberately Unvalidatable Root Zone
> >> (DURZ), and subsequently by a conventionally signed root zone.
> >> Discussion of the approach can be found in the document "DNSSEC
> >> Deployment for the Root Zone", as well as in the technical presentations
> >> delivered at RIPE, NANOG, IETF and ICANN meetings.
> >>
> >> All of the thirteen root servers have now made the transition to
> >> the DURZ.  No harmful effects have been identified.
> >>
> >> The final root server to make the transition, J-Root, started serving
> >> the DURZ in a maintenance window between 1700--1900 UTC on 2010-05-05.
> >>
> >> Initial observations relating to this transition will be presented
> >> and discussed at the DNS Working Group meeting at RIPE 60 in Prague
> >> on 2010-05-06.
> >>
> >>
> >> PLANNED DEPLOYMENT SCHEDULE
> >>
> >> Already completed:
> >>
> >>  2010-01-27: L starts to serve DURZ
> >>
> >>  2010-02-10: A starts to serve DURZ
> >>
> >>  2010-03-03: M, I start to serve DURZ
> >>
> >>  2010-03-24: D, K, E start to serve DURZ
> >>
> >>  2010-04-14: B, H, C, G, F start to serve DURZ
> >>
> >>  2010-05-05: J starts to serve DURZ
> >>
> >> To come:
> >>
> >>  2010-07-01: Distribution of validatable, production, signed root
> >>    zone; publication of root zone trust anchor
> >>
> >>  (Please note that this schedule is tentative and subject to change
> >>  based on testing results or other unforeseen factors.)
> >>
> >>
> >>
> >
>



More information about the NANOG mailing list