DNSSEC and PTR

[Gwendou]

Hie,

First, I'm so sorry for my English but I'm French. I have a problem with dnssec. I have created my signed zone, but when I use it, PTR records don't do their job.

[CMD=""]nslookup dns[/CMD]
works but
[CMD=""]nslookup 192.168.0.1[/CMD]
doesn't work.

Can you help me, please ?

Cordially

Gwendou

 

[SirDice]

Did you actually create a reverse zone?

 

[Gwendou]

In my zone file there is A and PTR records, so I thinks it create the reverse zone in the same time

 

[SirDice]

Which DNS server? It's not for BIND, you'll need a forward and a (seperate) reverse zone.

 

[Gwendou]

I use Bind in netkit and I tried to create two differents files, but the reverse signed file couldn't be generated: it says that it doesn't know PTR.

 

[SirDice]

So, some script generates error when it tries to create the reverse zone and you're wondering why it doesn't work?

What's the script? How are you creating your zones? Post your configuration so we can have a look.

 

[Gwendou]

To use one file for normal and reverse dns I give the same file in ZONE

"my_zone" IN { file "my_file"}

and in ZONE

"X.X.X.in-addr.arpa" IN { file "my_file"}

 

[SirDice]

Split them up. They're not supposed to be in one file.

 

[Gwendou]

That's what I do

dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE network
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE network
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 2048 -n ZONE -f KSK network //09064

//Add this in network
	;; ksk
	$INCLUDE /etc/bind/KSK.key
	;; current zsk
	$INCLUDE /etc/bind/ZSK-cur.key
	;; published zsk
	$INCLUDE /etc/bind/ZSK-pub.key

//generate signed zone file
dnssec-signzone -k KSK.key -o network -e +2592000 db.network ZSK-cur.key

//verify the zone signed file
named-checkzone network db.network.signed

//modify named.conf
//add to options of named.conf
	dnssec-enable yes;
	dnssec-validation yes;

//modify zone in named.conf
	file "/etc/bind/network"		==> file "/etc/bind/network.signed"

//reload the zone
rndc reload network

 

[Gwendou]

My named.conf file

options {
        directory "/var/cache/bind";
	dnssec-enable yes;
	dnssec-validation yes;
};

zone "localhost" IN {
        type master;
        file "/etc/bind/db.local";
        allow-update { none; };
};

zone "network" IN {
        type master;
        file "/etc/bind/network.signed";
	allow-query{192.168.0.0/24;};

};

zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/network.signed";
	allow-query{192.168.0.0/24;};
};

 

[SirDice]

Use separate files for the zones.

 

[Gwendou]

I try this and say results after

 

[Gwendou]

Must I create KSK and ZSK for normal and reverse DNS?

 

[Gwendou]

I have created 2 ZSK and 1 KSK for the files db.network and db.reverse.network. I have generated db.network.signed and db.reverse.network.signed, and the normal dns works but not reverse dns. There is nothing changed.

 

[SirDice]

Turn off DNSSEC for a second and make sure everything works before adding it.