[ISSUE] found DS RRset without NS RRset when configuring DNSSEC #419

Closed
MeCJay12 opened this Issue Nov 22, 2018 · 13 comments


MeCJay12 commented Nov 22, 2018

Please ignore till after the holiday. I am just trying to avoid family.

Replace everything between stars with current version of your facileManager and module installations:
fM Version : 3.2
fmDNS Version : 3.2

  • I have read and understood the contributors guide.
  • I have checked that the bug-fix I am reporting can be replicated, or that the feature I am suggesting isn't already present.
  • I have checked that the issue I'm posting isn't already reported.
  • I have checked that the issue I'm posting isn't already solved and no duplicates exist in closed issues and opened issues
  • I have checked the pull requests tab for existing solutions/implementations to my issue/suggestion.

(BUG | ISSUE) Expected Behavior:
I am trying to set up DNSSEC so I need to provide the NS/DS RR to my registrar. I expect this to be a file on the disk, an entry in the UI somewhere (ideal), or at least in the database somewhere.

(BUG | ISSUE) Actual Behavior:
"Found DS RRset without NS RRset" appears in config file. I recognize this is not an issue itself but that I need to add the NS records to my registrar. I just can't figure out where the record is.

(BUG | ISSUE) Steps to reproduce:
Generate key for zone, sign zone, enable DNSSEC on zone, issue will appear in viewable server config file.

WillyXJ added the fmDNS label Jan 14, 2019

Owner

WillyXJ commented Jan 14, 2019

Are you letting fmDNS generate the key for the zone or providing your own key? The former should then generate the DS RR. It's also possible there is some missing logic...

Author

MeCJay12 commented Jan 14, 2019

You'll have to forgive me, I did this a while ago so I don't remember exactly.

There was a package I had to install to speed up the process otherwise it would take days to generate the key. After that package was installed, yes, I had FM generate and install the keys/certs. When I went to my DNS provider to enter my records I couldn't find them in FM and I don't know where to look in the file structure.

Owner

WillyXJ commented Jan 15, 2019

I appreciate you testing out the DNSSEC support in fmDNS while it's still experimental. I have found in my test environment that the NS RRset is shown in the server config preview window for the zone (which ultimately is the same as the zone file on the DNS servers). This may or may not be ideal. Do you get the same results? Essentially, it should be in the zone file after it's been signed.

Author

MeCJay12 commented Jan 15, 2019

The exact line I'm looking for is something like this to give to my registrar:

example.com.        IN DS 62910 7 1 1D6AC75083F3CEC31861993E325E0EEC7E97D1DD
example.com.        IN DS 62910 7 2 198303E265A856DE8FE6330EDB5AA76F3537C10783151AEF3577859F FFC3F59D

I am not seeing this in the server config. What I did notice is that if I edit the zone I'm trying to configure DNSSEC on and tell it to include the DS RR in another "parent" zone, it will include them in that zone's config file. Obviously that zone isn't the parent zone so I grabbed the info and gave it to my registrar. Mystery solved. I guess feature request: a little more intuitive method? I also noticed that once you generate a DNSSEC key it cannot be removed/deleted from the GUI.

Owner

WillyXJ commented Jan 16, 2019

You made two points here:

  1. This can be a feature request - DS RR should be available to provide to a registrar if the zone is the parent.
  2. DNSSEC keys can be deleted, but only if they are not the current signing key or have been revoked. The idea is to prevent accidental deletion of your active signing key.

Thanks!

WillyXJ added the Enhancement label Jan 16, 2019

Author

MeCJay12 commented Jan 16, 2019

  1. Yup.

  2. I noticed that shortly after posting the comment.

Thanks for the help!


dssantos83 commented Feb 7, 2019

Hello MeCJay12,
You said that "There was a package I had to install to speed up the process otherwise it would take days to generate the key."
Which package is this?
I'm facing this problem.
Thanks

Author

MeCJay12 commented Feb 13, 2019

> Hello MeCJay12,
> You said that "There was a package I had to install to speed up the process otherwise it would take days to generate the key."
> Which package is this?
> I'm facing this problem.
> Thanks

Sorry for the delayed reply, I found the package back in November and I couldn't remember what it was. The package is haveged, installed on Ubuntu with
apt-get install haveged
Good luck. Hit me up with any other questions. I tried to lay out my steps here because it wasn't well documented when I went through the process.


dssantos83 commented Feb 13, 2019

MeCJay12,
Thank you so much.
I have installed haveged and it worked like a charm.


dssantos83 commented Feb 13, 2019

Now I have the "found DS RRset without NS RRset" problem.
How have you solved this?
Tks

Author

MeCJay12 commented Feb 13, 2019

That's because you need to put your DS record into your registrar. I can't really tell you exactly how to do that because it's different with each registrar but I can tell you how to get the info from FM. Go to the zone you are working on. In the options, one says add DNSSEC keys to parent zone with a drop down (or something like that). Pick another zone in the drop down (doesn't matter which zone). Click ok then go view the config for the other zone. All the way at the bottom there will be two lines with the info you need to give your registrar.
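
Added example, not part of the original thread and not facileManager code: Python showing how a DS record is derived from a zone's DNSKEY (RFC 4034), so the lines handed to a registrar can be checked against the key that signs the zone. The function names and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib
import struct

# Digest type numbers used in DS records (1 = SHA-1, 2 = SHA-256).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return the DS record text a parent zone or registrar would publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(ds_line: str, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """Check a DS line (as pasted to a registrar) against the zone's DNSKEY."""
    fields = ds_line.split()
    i = fields.index("DS")
    digest_type = int(fields[i + 3])
    # Zone-file output may split a long digest with spaces; rejoin it.
    given = (fields[i + 1], fields[i + 2], "".join(fields[i + 4:]).upper())
    want = make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type).split()
    return given == (want[3], want[4], want[6])


# Constructed sample key material (not a real key): 4 raw bytes, base64-encoded.
SAMPLE_KEY = base64.b64encode(b"\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    for dt in (1, 2):
        print(make_ds("example.com.", 257, 3, 8, SAMPLE_KEY, dt))
```

A DS line that does not match the published DNSKEY makes validating resolvers treat the zone as bogus, so running this check before submitting the record to the registrar is worthwhile.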


dssantos83 commented Feb 13, 2019

MeCJay12, thank you for your support.
I've read again your comments above and I've just got it.
Now it's working.

Owner

WillyXJ commented Mar 17, 2019

This is now fixed in fmDNS 3.3 and later.

WillyXJ closed this Mar 17, 2019
