[GH-ISSUE #213] [Server] DNSSEC works only with RSASHA256 #99

New issue

Closed

opened 2026-03-07 22:18:49 +03:00 by kerem · 8 comments

kerem commented 2026-03-07 22:18:49 +03:00

Owner

Copy link

Originally created by @Darkspirit on GitHub (Sep 27, 2017).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/213

build

tested both

• without "features"
• with "features=ring"

cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server --features=ring --debug --force
cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server --debug --force

RSASHA512 (not working)

http://dnsviz.net/d/ikenmeyer.com/e/178696140/dnssec/

root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ --debug
2017-09-27T21:29:24.848966582+00:00 INFO trust_dns::logger:26 logging initialized
2017-09-27T21:29:24.849273276+00:00 INFO named:482 Trust-DNS 0.12.0 starting
2017-09-27T21:29:24.849372973+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml"
2017-09-27T21:29:24.850580644+00:00 INFO named:156 loading zone file: "/home/trustdns/ikenmeyer.com.zone"
2017-09-27T21:29:25.310619905+00:00 INFO named:187 loaded zone: ikenmeyer.com.
2017-09-27T21:29:25.310960514+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem"
2017-09-27T21:29:25.313329695+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true
2017-09-27T21:29:25.313646887+00:00 DEBUG trust_dns_server::authority::authority:1069 generating nsec records: ikenmeyer.com.
2017-09-27T21:29:25.314076422+00:00 DEBUG trust_dns_server::authority::authority:1124 signing zone: ikenmeyer.com.
2017-09-27T21:29:25.314208983+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com.
2017-09-27T21:29:25.316989754+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com.
2017-09-27T21:29:25.317082424+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com.
2017-09-27T21:29:25.318898141+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com.
2017-09-27T21:29:25.318977582+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com.
2017-09-27T21:29:25.320678844+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com.
2017-09-27T21:29:25.320772575+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com.
2017-09-27T21:29:25.322445338+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com.
2017-09-27T21:29:25.322523636+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com.
2017-09-27T21:29:25.324325919+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com.
2017-09-27T21:29:25.324399503+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com.
2017-09-27T21:29:25.326279943+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com.
2017-09-27T21:29:25.326365979+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com.
2017-09-27T21:29:25.328118292+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com.
2017-09-27T21:29:25.328248998+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com.
2017-09-27T21:29:25.330032139+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com.
2017-09-27T21:29:25.330445847+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 3 }
2017-09-27T21:29:25.330562221+00:00 DEBUG trust_dns_server::server::server_future:45 registered udp: UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 3 }
2017-09-27T21:29:25.330646740+00:00 DEBUG tokio_core::reactor:466 adding a new I/O source
2017-09-27T21:29:25.330755177+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }
2017-09-27T21:29:25.330840258+00:00 DEBUG tokio_core::reactor:466 adding a new I/O source
2017-09-27T21:29:25.330931563+00:00 DEBUG trust_dns_server::server::server_future:85 registered tcp: TcpListener { sys: TcpListener { inner: TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } }, selector_id: SelectorId { id: AtomicUsize(1) } }
2017-09-27T21:29:25.331038704+00:00 INFO named:606 
2017-09-27T21:29:25.331099049+00:00 INFO named:607     o                      o            o             
2017-09-27T21:29:25.331151436+00:00 INFO named:608     |                      |            |             
2017-09-27T21:29:25.331202210+00:00 INFO named:609   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o  
2017-09-27T21:29:25.331252430+00:00 INFO named:610     |    |    |  |   \     |         |  |  |  |   \   
2017-09-27T21:29:25.331302390+00:00 INFO named:611     o    o    o--o  o-o    o          o-o  o  o  o-o  
2017-09-27T21:29:25.331351992+00:00 INFO named:612 
2017-09-27T21:29:25.331401572+00:00 INFO named:596 awaiting connections...
2017-09-27T21:29:25.331451807+00:00 INFO trust_dns_server::server::server_future:203 Server starting up

darkspirit@darkspirit:~$ dig A ikenmeyer.com @dev.h.terrax.net +dnssec

; <<>> DiG 9.10.3-P4-Debian <<>> A ikenmeyer.com @dev.h.terrax.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16955
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; OPT=6: 08 0d 0e 0f ("....")
; OPT=5: 08 0d 0e 0f ("....")
;; QUESTION SECTION:
;ikenmeyer.com.                 IN      A

;; ANSWER SECTION:
ikenmeyer.com.          86400   IN      A       127.0.0.1

;; AUTHORITY SECTION:
ikenmeyer.com.          86400   IN      NS      dev.h.terrax.net.

;; Query time: 25 msec
;; SERVER: 2a01:4f8:c0c:2c12::50#53(2a01:4f8:c0c:2c12::50)
;; WHEN: Wed Sep 27 23:37:57 CEST 2017
;; MSG SIZE  rcvd: 104

RSASHA256 (working)

http://dnsviz.net/d/ikenmeyer.com/e/178696161/dnssec/

root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ --debug
2017-09-27T21:32:48.799855258+00:00 INFO trust_dns::logger:26 logging initialized
2017-09-27T21:32:48.800111080+00:00 INFO named:482 Trust-DNS 0.12.0 starting
2017-09-27T21:32:48.800228602+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml"
2017-09-27T21:32:48.801385829+00:00 INFO named:156 loading zone file: "/home/trustdns/ikenmeyer.com.zone"
2017-09-27T21:32:49.265184506+00:00 INFO named:187 loaded zone: ikenmeyer.com.
2017-09-27T21:32:49.265415906+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem"
2017-09-27T21:32:49.267918450+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true
2017-09-27T21:32:49.268188335+00:00 DEBUG trust_dns_server::authority::authority:1069 generating nsec records: ikenmeyer.com.
2017-09-27T21:32:49.268604260+00:00 DEBUG trust_dns_server::authority::authority:1124 signing zone: ikenmeyer.com.
2017-09-27T21:32:49.268772984+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com.
2017-09-27T21:32:49.271527952+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com.
2017-09-27T21:32:49.271621289+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com.
2017-09-27T21:32:49.273332283+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com.
2017-09-27T21:32:49.273411015+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com.
2017-09-27T21:32:49.275231187+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com.
2017-09-27T21:32:49.275314375+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com.
2017-09-27T21:32:49.277094363+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com.
2017-09-27T21:32:49.277176273+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com.
2017-09-27T21:32:49.279014501+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com.
2017-09-27T21:32:49.279139049+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com.
2017-09-27T21:32:49.281483331+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com.
2017-09-27T21:32:49.281571936+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com.
2017-09-27T21:32:49.283376459+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com.
2017-09-27T21:32:49.283463163+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com.
2017-09-27T21:32:49.285218594+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com.
2017-09-27T21:32:49.285570353+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 3 }
2017-09-27T21:32:49.285649382+00:00 DEBUG trust_dns_server::server::server_future:45 registered udp: UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 3 }
2017-09-27T21:32:49.285718777+00:00 DEBUG tokio_core::reactor:466 adding a new I/O source
2017-09-27T21:32:49.285847746+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 }
2017-09-27T21:32:49.285920371+00:00 DEBUG tokio_core::reactor:466 adding a new I/O source
2017-09-27T21:32:49.286025658+00:00 DEBUG trust_dns_server::server::server_future:85 registered tcp: TcpListener { sys: TcpListener { inner: TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } }, selector_id: SelectorId { id: AtomicUsize(1) } }
2017-09-27T21:32:49.286130866+00:00 INFO named:606 
2017-09-27T21:32:49.286194348+00:00 INFO named:607     o                      o            o             
2017-09-27T21:32:49.286247306+00:00 INFO named:608     |                      |            |             
2017-09-27T21:32:49.286299074+00:00 INFO named:609   --O--  o-o  o  o  o-o  --O--  o-o   o-O  o-o   o-o  
2017-09-27T21:32:49.286350382+00:00 INFO named:610     |    |    |  |   \     |         |  |  |  |   \   
2017-09-27T21:32:49.286401299+00:00 INFO named:611     o    o    o--o  o-o    o          o-o  o  o  o-o  
2017-09-27T21:32:49.286452265+00:00 INFO named:612 
2017-09-27T21:32:49.286502899+00:00 INFO named:596 awaiting connections...
2017-09-27T21:32:49.286553622+00:00 INFO trust_dns_server::server::server_future:203 Server starting up

darkspirit@darkspirit:~$ dig A ikenmeyer.com @dev.h.terrax.net +dnssec

; <<>> DiG 9.10.3-P4-Debian <<>> A ikenmeyer.com @dev.h.terrax.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30747
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; OPT=6: 08 0d 0e 0f ("....")
; OPT=5: 08 0d 0e 0f ("....")
;; QUESTION SECTION:
;ikenmeyer.com.                 IN      A

;; ANSWER SECTION:
ikenmeyer.com.          86400   IN      A       127.0.0.1
ikenmeyer.com.          86400   IN      RRSIG   A 8 2 86400 20180926213711 20170927213711 23509 ikenmeyer.com. MMD5Iu5VUPkWbtD4M4Pqsiy4zsgLqI0lm6VRDGHGKZOh2eJjKllyiPCo 0w5BT7lJV7rOGmVVv3QDWoxqbwRhnZBQorVA/CtKDryEl4CEC4yt0PHH 59PJR7NTr/kmYyUI0xRQiMlic3n81aBrwe7lCHoF3GSafCdGCNo0my+f RqWsT5XyZjlfZcMZ1fdAMOD/LHurZROOBlYFfS8harrMuTqMxJgNaT1X 7+P0S+iagPEQ1yaCtu1B6mtapZnjHhAqaBppL5w8/NeeQ2dY8hfHyWA3 u5G5k+Ce+WPf/fAcBit2UMSXe9kK3leDNDVc6U6bSV6+8PCQET0vG2bp jiWmDw==

;; AUTHORITY SECTION:
ikenmeyer.com.          86400   IN      NS      dev.h.terrax.net.
ikenmeyer.com.          86400   IN      RRSIG   NS 8 2 86400 20180926213711 20170927213711 23509 ikenmeyer.com. QW8rLYBRLSf22fK4kR/kyKQmcGj4Lrw+/0vl3eM6RAMS1aIonbZjjNce xhVloYRPBje2HipESJx8lHSDtSpi6/bpIv0sSlx4JGqEe7+wc9VxZHe2 vUhdzLMdD5ZBVKi7G2l2gjj+EcOFJ4z/X4F6Ecdxm0LzDt6dqskbcSpY H9y6XrU4IcZHaoR8hPAVq6Lgcv6qpndBHM4zX3/uuO9FxHUSaDU/nqJk g+OfwP0les5eYybCBU1Xzj2E4kWNkiG7FDz2cOWDZNGBsppB+ML/g3rH 7pRdfOu/Py5IDem6kacJlk8t9FuYdpauucrpcA/zyaEh7NTY7Qt64uGP I1h36w==

;; Query time: 27 msec
;; SERVER: 2a01:4f8:c0c:2c12::50#53(2a01:4f8:c0c:2c12::50)
;; WHEN: Wed Sep 27 23:37:13 CEST 2017
;; MSG SIZE  rcvd: 706

config

zone = zone from #209

config.toml

listen_addrs_ipv6 = ["2a01:4f8:c0c:2c12::50"]

[[zones]]
zone = "ikenmeyer.com"
zone_type = "MASTER"
file = "ikenmeyer.com.zone"
allow_update = false
enable_dnssec = true

[[zones.keys]]
key_path = "ikenmeyer.com.zone.csk.pem"
algorithm = "RSASHA256"
signer_name = "ikenmeyer.com"
is_zone_signing_key = true
is_zone_update_auth = true
create_if_absent = true

---

Didn't test RSASHA1 until now: not working.

Originally created by @Darkspirit on GitHub (Sep 27, 2017). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/213 build ----- tested both * without "features" * with "features=ring" ``` cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server --features=ring --debug --force cargo install --git https://github.com/bluejekyll/trust-dns trust-dns-server --debug --force ``` RSASHA512 (not working) ---- http://dnsviz.net/d/ikenmeyer.com/e/178696140/dnssec/ ``` root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ --debug 2017-09-27T21:29:24.848966582+00:00 INFO trust_dns::logger:26 logging initialized 2017-09-27T21:29:24.849273276+00:00 INFO named:482 Trust-DNS 0.12.0 starting 2017-09-27T21:29:24.849372973+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml" 2017-09-27T21:29:24.850580644+00:00 INFO named:156 loading zone file: "/home/trustdns/ikenmeyer.com.zone" 2017-09-27T21:29:25.310619905+00:00 INFO named:187 loaded zone: ikenmeyer.com. 2017-09-27T21:29:25.310960514+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-27T21:29:25.313329695+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-27T21:29:25.313646887+00:00 DEBUG trust_dns_server::authority::authority:1069 generating nsec records: ikenmeyer.com. 2017-09-27T21:29:25.314076422+00:00 DEBUG trust_dns_server::authority::authority:1124 signing zone: ikenmeyer.com. 2017-09-27T21:29:25.314208983+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com. 2017-09-27T21:29:25.316989754+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com. 2017-09-27T21:29:25.317082424+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com. 2017-09-27T21:29:25.318898141+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com. 2017-09-27T21:29:25.318977582+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com. 2017-09-27T21:29:25.320678844+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com. 2017-09-27T21:29:25.320772575+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com. 2017-09-27T21:29:25.322445338+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com. 2017-09-27T21:29:25.322523636+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com. 2017-09-27T21:29:25.324325919+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com. 2017-09-27T21:29:25.324399503+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com. 2017-09-27T21:29:25.326279943+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com. 2017-09-27T21:29:25.326365979+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com. 2017-09-27T21:29:25.328118292+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com. 2017-09-27T21:29:25.328248998+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com. 2017-09-27T21:29:25.330032139+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com. 2017-09-27T21:29:25.330445847+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 3 } 2017-09-27T21:29:25.330562221+00:00 DEBUG trust_dns_server::server::server_future:45 registered udp: UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 3 } 2017-09-27T21:29:25.330646740+00:00 DEBUG tokio_core::reactor:466 adding a new I/O source 2017-09-27T21:29:25.330755177+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-27T21:29:25.330840258+00:00 DEBUG tokio_core::reactor:466 adding a new I/O source 2017-09-27T21:29:25.330931563+00:00 DEBUG trust_dns_server::server::server_future:85 registered tcp: TcpListener { sys: TcpListener { inner: TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } }, selector_id: SelectorId { id: AtomicUsize(1) } } 2017-09-27T21:29:25.331038704+00:00 INFO named:606 2017-09-27T21:29:25.331099049+00:00 INFO named:607 o o o 2017-09-27T21:29:25.331151436+00:00 INFO named:608 | | | 2017-09-27T21:29:25.331202210+00:00 INFO named:609 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-27T21:29:25.331252430+00:00 INFO named:610 | | | | \ | | | | | \ 2017-09-27T21:29:25.331302390+00:00 INFO named:611 o o o--o o-o o o-o o o o-o 2017-09-27T21:29:25.331351992+00:00 INFO named:612 2017-09-27T21:29:25.331401572+00:00 INFO named:596 awaiting connections... 2017-09-27T21:29:25.331451807+00:00 INFO trust_dns_server::server::server_future:203 Server starting up ``` ``` darkspirit@darkspirit:~$ dig A ikenmeyer.com @dev.h.terrax.net +dnssec ; <<>> DiG 9.10.3-P4-Debian <<>> A ikenmeyer.com @dev.h.terrax.net +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16955 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; OPT=6: 08 0d 0e 0f ("....") ; OPT=5: 08 0d 0e 0f ("....") ;; QUESTION SECTION: ;ikenmeyer.com. IN A ;; ANSWER SECTION: ikenmeyer.com. 86400 IN A 127.0.0.1 ;; AUTHORITY SECTION: ikenmeyer.com. 86400 IN NS dev.h.terrax.net. ;; Query time: 25 msec ;; SERVER: 2a01:4f8:c0c:2c12::50#53(2a01:4f8:c0c:2c12::50) ;; WHEN: Wed Sep 27 23:37:57 CEST 2017 ;; MSG SIZE rcvd: 104 ``` RSASHA256 (working) --- http://dnsviz.net/d/ikenmeyer.com/e/178696161/dnssec/ ``` root@dev:/home/trustdns# /home/trustdns/named --config=/home/trustdns/config.toml --zonedir=/home/trustdns/ --debug 2017-09-27T21:32:48.799855258+00:00 INFO trust_dns::logger:26 logging initialized 2017-09-27T21:32:48.800111080+00:00 INFO named:482 Trust-DNS 0.12.0 starting 2017-09-27T21:32:48.800228602+00:00 INFO named:488 loading configuration from: "/home/trustdns/config.toml" 2017-09-27T21:32:48.801385829+00:00 INFO named:156 loading zone file: "/home/trustdns/ikenmeyer.com.zone" 2017-09-27T21:32:49.265184506+00:00 INFO named:187 loaded zone: ikenmeyer.com. 2017-09-27T21:32:49.265415906+00:00 INFO named:291 reading key: "ikenmeyer.com.zone.csk.pem" 2017-09-27T21:32:49.267918450+00:00 INFO named:224 adding key to zone: "ikenmeyer.com.zone.csk.pem", is_zsk: true, is_auth: true 2017-09-27T21:32:49.268188335+00:00 DEBUG trust_dns_server::authority::authority:1069 generating nsec records: ikenmeyer.com. 2017-09-27T21:32:49.268604260+00:00 DEBUG trust_dns_server::authority::authority:1124 signing zone: ikenmeyer.com. 2017-09-27T21:32:49.268772984+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com. 2017-09-27T21:32:49.271527952+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com. 2017-09-27T21:32:49.271621289+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com. 2017-09-27T21:32:49.273332283+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com. 2017-09-27T21:32:49.273411015+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com. 2017-09-27T21:32:49.275231187+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com. 2017-09-27T21:32:49.275314375+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com. 2017-09-27T21:32:49.277094363+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com. 2017-09-27T21:32:49.277176273+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: ikenmeyer.com. 2017-09-27T21:32:49.279014501+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: ikenmeyer.com. 2017-09-27T21:32:49.279139049+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com. 2017-09-27T21:32:49.281483331+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com. 2017-09-27T21:32:49.281571936+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com. 2017-09-27T21:32:49.283376459+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com. 2017-09-27T21:32:49.283463163+00:00 DEBUG trust_dns_server::authority::authority:1143 signing rr_set: www.ikenmeyer.com. 2017-09-27T21:32:49.285218594+00:00 DEBUG trust_dns_server::authority::authority:1211 signed rr_set: www.ikenmeyer.com. 2017-09-27T21:32:49.285570353+00:00 INFO named:549 listening for UDP on UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 3 } 2017-09-27T21:32:49.285649382+00:00 DEBUG trust_dns_server::server::server_future:45 registered udp: UdpSocket { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 3 } 2017-09-27T21:32:49.285718777+00:00 DEBUG tokio_core::reactor:466 adding a new I/O source 2017-09-27T21:32:49.285847746+00:00 INFO named:555 listening for TCP on TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } 2017-09-27T21:32:49.285920371+00:00 DEBUG tokio_core::reactor:466 adding a new I/O source 2017-09-27T21:32:49.286025658+00:00 DEBUG trust_dns_server::server::server_future:85 registered tcp: TcpListener { sys: TcpListener { inner: TcpListener { addr: V6([2a01:4f8:c0c:2c12::50]:53), fd: 4 } }, selector_id: SelectorId { id: AtomicUsize(1) } } 2017-09-27T21:32:49.286130866+00:00 INFO named:606 2017-09-27T21:32:49.286194348+00:00 INFO named:607 o o o 2017-09-27T21:32:49.286247306+00:00 INFO named:608 | | | 2017-09-27T21:32:49.286299074+00:00 INFO named:609 --O-- o-o o o o-o --O-- o-o o-O o-o o-o 2017-09-27T21:32:49.286350382+00:00 INFO named:610 | | | | \ | | | | | \ 2017-09-27T21:32:49.286401299+00:00 INFO named:611 o o o--o o-o o o-o o o o-o 2017-09-27T21:32:49.286452265+00:00 INFO named:612 2017-09-27T21:32:49.286502899+00:00 INFO named:596 awaiting connections... 2017-09-27T21:32:49.286553622+00:00 INFO trust_dns_server::server::server_future:203 Server starting up ``` ``` darkspirit@darkspirit:~$ dig A ikenmeyer.com @dev.h.terrax.net +dnssec ; <<>> DiG 9.10.3-P4-Debian <<>> A ikenmeyer.com @dev.h.terrax.net +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30747 ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; OPT=6: 08 0d 0e 0f ("....") ; OPT=5: 08 0d 0e 0f ("....") ;; QUESTION SECTION: ;ikenmeyer.com. IN A ;; ANSWER SECTION: ikenmeyer.com. 86400 IN A 127.0.0.1 ikenmeyer.com. 86400 IN RRSIG A 8 2 86400 20180926213711 20170927213711 23509 ikenmeyer.com. MMD5Iu5VUPkWbtD4M4Pqsiy4zsgLqI0lm6VRDGHGKZOh2eJjKllyiPCo 0w5BT7lJV7rOGmVVv3QDWoxqbwRhnZBQorVA/CtKDryEl4CEC4yt0PHH 59PJR7NTr/kmYyUI0xRQiMlic3n81aBrwe7lCHoF3GSafCdGCNo0my+f RqWsT5XyZjlfZcMZ1fdAMOD/LHurZROOBlYFfS8harrMuTqMxJgNaT1X 7+P0S+iagPEQ1yaCtu1B6mtapZnjHhAqaBppL5w8/NeeQ2dY8hfHyWA3 u5G5k+Ce+WPf/fAcBit2UMSXe9kK3leDNDVc6U6bSV6+8PCQET0vG2bp jiWmDw== ;; AUTHORITY SECTION: ikenmeyer.com. 86400 IN NS dev.h.terrax.net. ikenmeyer.com. 86400 IN RRSIG NS 8 2 86400 20180926213711 20170927213711 23509 ikenmeyer.com. QW8rLYBRLSf22fK4kR/kyKQmcGj4Lrw+/0vl3eM6RAMS1aIonbZjjNce xhVloYRPBje2HipESJx8lHSDtSpi6/bpIv0sSlx4JGqEe7+wc9VxZHe2 vUhdzLMdD5ZBVKi7G2l2gjj+EcOFJ4z/X4F6Ecdxm0LzDt6dqskbcSpY H9y6XrU4IcZHaoR8hPAVq6Lgcv6qpndBHM4zX3/uuO9FxHUSaDU/nqJk g+OfwP0les5eYybCBU1Xzj2E4kWNkiG7FDz2cOWDZNGBsppB+ML/g3rH 7pRdfOu/Py5IDem6kacJlk8t9FuYdpauucrpcA/zyaEh7NTY7Qt64uGP I1h36w== ;; Query time: 27 msec ;; SERVER: 2a01:4f8:c0c:2c12::50#53(2a01:4f8:c0c:2c12::50) ;; WHEN: Wed Sep 27 23:37:13 CEST 2017 ;; MSG SIZE rcvd: 706 ``` config ---- zone = zone from #209 config.toml ``` listen_addrs_ipv6 = ["2a01:4f8:c0c:2c12::50"] [[zones]] zone = "ikenmeyer.com" zone_type = "MASTER" file = "ikenmeyer.com.zone" allow_update = false enable_dnssec = true [[zones.keys]] key_path = "ikenmeyer.com.zone.csk.pem" algorithm = "RSASHA256" signer_name = "ikenmeyer.com" is_zone_signing_key = true is_zone_update_auth = true create_if_absent = true ``` ----- Didn't test [RSASHA1](http://dnsviz.net/d/ikenmeyer.com/e/178696225/dnssec/) until now: not working.

kerem 2026-03-07 22:18:49 +03:00

• closed this issue
• added the
  bug
  trust
  crate:server
  tools
  labels

kerem commented 2026-03-07 22:18:51 +03:00

Author

Owner

Copy link

@bluejekyll commented on GitHub (Sep 27, 2017):

Thank you for working through this! The table you produced in the other #209 is really nice.

<!-- gh-comment-id:332663903 --> @bluejekyll commented on GitHub (Sep 27, 2017): Thank you for working through this! The table you produced in the other #209 is really nice.

kerem commented 2026-03-07 22:18:51 +03:00

Author

Owner

Copy link

@bluejekyll commented on GitHub (Sep 27, 2017):

It looks like we also have an issue with the DNSKEY not being signed or possibly it's RRSIG is not being returned in the request.

I opened #214 for this.

<!-- gh-comment-id:332664073 --> @bluejekyll commented on GitHub (Sep 27, 2017): It looks like we also have an issue with the DNSKEY not being signed or possibly it's RRSIG is not being returned in the request. I opened #214 for this.

kerem commented 2026-03-07 22:18:51 +03:00

Author

Owner

Copy link

@bluejekyll commented on GitHub (Sep 27, 2017):

Can you also post the config for the RSASHA512 configuration?

<!-- gh-comment-id:332664992 --> @bluejekyll commented on GitHub (Sep 27, 2017): Can you also post the config for the RSASHA512 configuration?

kerem commented 2026-03-07 22:18:51 +03:00

Author

Owner

Copy link

@Darkspirit commented on GitHub (Sep 27, 2017):

Can you also post the config for the RSASHA512 configuration?

• rm *.pem
• algorithm = "RSASHA512" (the rest is the same)

<!-- gh-comment-id:332665560 --> @Darkspirit commented on GitHub (Sep 27, 2017): > Can you also post the config for the RSASHA512 configuration? * rm *.pem * algorithm = "RSASHA512" (the rest is the same)

kerem commented 2026-03-07 22:18:51 +03:00

Author

Owner

Copy link

@bluejekyll commented on GitHub (Sep 28, 2017):

I’m going to see how much progress I can make tonight on this. Add some more test cases, etc. I’ll post to this issue a branch once I have it ready.

<!-- gh-comment-id:332699371 --> @bluejekyll commented on GitHub (Sep 28, 2017): I’m going to see how much progress I can make tonight on this. Add some more test cases, etc. I’ll post to this issue a branch once I have it ready.

kerem commented 2026-03-07 22:18:51 +03:00

Author

Owner

Copy link

@briansmith commented on GitHub (Sep 30, 2017):

Didn't test RSASHA1 until now: not working.

As of now, there's no way to create an RSA-SHA1 signature using ring, intentionally.

<!-- gh-comment-id:333332952 --> @briansmith commented on GitHub (Sep 30, 2017): > Didn't test RSASHA1 until now: not working. As of now, there's no way to create an RSA-SHA1 signature using *ring*, intentionally.

kerem commented 2026-03-07 22:18:51 +03:00

Author

Owner

Copy link

@Darkspirit commented on GitHub (Sep 30, 2017):

As of now, there's no way to create an RSA-SHA1 signature using ring, intentionally.

Thinking of the resolver: Verifying 2048+ bit RSA-SHA1 would work (RSA_PKCS1_2048_8192_SHA1), but not beneath (shitty RSA 1024 bit signed zones), right?

I (also?) think one shouldn't be able to deploy such legacy stuff anymore and therefore it shouldn't be possible to use sha1 for signing zones in trust-dns.

<!-- gh-comment-id:333334840 --> @Darkspirit commented on GitHub (Sep 30, 2017): > As of now, there's no way to create an RSA-SHA1 signature using ring, intentionally. Thinking of the resolver: Verifying 2048+ bit RSA-SHA1 would work (RSA_PKCS1_2048_8192_SHA1), but not beneath (shitty RSA 1024 bit signed zones), right? I (also?) think one shouldn't be able to deploy such legacy stuff anymore and therefore it shouldn't be possible to use sha1 for signing zones in trust-dns.

kerem commented 2026-03-07 22:18:51 +03:00

Author

Owner

Copy link

@briansmith commented on GitHub (Sep 30, 2017):

Thinking of the resolver: Verifying 2048+ bit RSA-SHA1 would work (RSA_PKCS1_2048_8192_SHA1), but not beneath (shitty RSA 1024 bit signed zones), right?

Yes, that's right.

I (also?) think one shouldn't be able to deploy such legacy stuff anymore and therefore it shouldn't be possible to use sha1 for signing zones in trust-dns.

I agree. That's why there's no SHA-1 signing API.

<!-- gh-comment-id:333335121 --> @briansmith commented on GitHub (Sep 30, 2017): > Thinking of the resolver: Verifying 2048+ bit RSA-SHA1 would work (RSA_PKCS1_2048_8192_SHA1), but not beneath (shitty RSA 1024 bit signed zones), right? Yes, that's right. > I (also?) think one shouldn't be able to deploy such legacy stuff anymore and therefore it shouldn't be possible to use sha1 for signing zones in trust-dns. I agree. That's why there's no SHA-1 signing API.

kerem referenced this issue 2026-03-16 01:55:38 +03:00

[PR #99] [MERGED] Prepare 0.10 release #1237

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

release/0.26

david/conformance-dnssec-negative-tests

query-api

opt-types

cname-nsec

no-cname-recursion

conformance-min-ttl

dname-base

drop-message-request

no-error-queries

cpu-sig0-rm-message-sig_dev

cpu-tsig-test-update_dev

windows-config

dnssec-net

release/0.25

opp-enc-persist

integration-test

cpu-tidying-recursor-opts_dev

happy-eyeballs

david/authoritative-zone-storage-trait

dnssec-ad

no-authority

release/0.24

pvdrz/remove-top-file

pvdrz/h3-handshake-timeout

pvdrz/quic-handshake-timeout

nxdomain-for-recursor

ja-test-merque-queue

ja-fix-ci-again

sz-add-ede-tests

sz-test-tc-bit-with-large-response

sz-fix-tokio-dependency

gh-2275-test-rrsig-signature

refactor-sign-zone-file

fix-1.79-cleanliness

update-nightly-hash

release/0.23

gh-pages

use-just-for-server-toml

release/0.22

revert-1874-cpu-zone-parse-default-class

disable-bind-compatibility-tests

disable-test_tls_client_stream_ipv4

update-native-tls-0.2.11

recursor-tests

fix-clippy-self

release/0.20

saethlin-fix-rdata-zero

release/0.19

flat_name

drop_unused_futures

release/0.18

release-r0.12-cs0.17

release/r0.12-cs0.17

trust-dns-book

r0.10

test-connections-not-dropped

fix_exec_status_on_rs_files

release-0.9

add-mutex-to-integration-tests

0.8_release

bfry/dns-crypt

v0.26.0

v0.26.0-beta.4

v0.26.0-beta.3

v0.26.0-beta.2

v0.26.0-beta.1

v0.26.0-alpha.1

v0.25.2

v0.25.1

v0.25.0

v0.24.4

v0.24.3

v0.25.0-alpha.5

v0.24.2

v0.25.0-alpha.4

v0.25.0-alpha.3

v0.25.0-alpha.2

v0.25.0-alpha.1

v0.24.1

v0.23.2

v0.24.0

v0.23.1

v0.23.0

v0.23.0-alpha.5

v0.23.0-alpha.4

v0.23.0-alpha.3

v0.22.1

v0.23.0-alpha.2

v0.23.0-alpha.1

v0.22.0

v0.21.2

v0.21.1

v0.21.0

v0.21.0-alpha.5

v0.20.4

v0.21.0-alpha.4

v0.21.0-alpha.3

v0.21.0-alpha.2

v0.21.0-alpha.1

v0.20.3

v0.20.2

v0.20.1

v0.19.7

v0.20.0

0.19.6

v0.20.0-alpha.3

v0.20.0-alpha.2

v0.20.0-alpha.1

0.19.5

0.19.4

0.19.3

0.19.0

0.18.1

0.18

0.18.0.alpha.2

r0.12_cs0.17

r0.11.1

cs0.16.1

r0.11

cs0.16

r0.10.1

r0.10.0

cs0.15.0

r0.9.1

v0.14.0

r0.9.0

r0.8.1

r0.8.0

v0.13.0

r0.7.0

c0.12.0

r0.6.0

r0.5.0

resolver.0.4.0

0.11.0

0.10.5

0.10.4

0.10.3

0.10.2

0.10.1

0.10.0

0.9.3

0.9.2

0.9.1

0.9.0

0.8.1

0.8.0

0.7.3

0.7.2

0.7.1

0.7.0

0.6.0

0.5.3

0.5.1

0.5.0

0.4.0

0.3.1

0.3.0

0.2.1

0.2.0

0.1.0

Labels

Clear labels   

blocked

  

breaking-change

  

bug

  

bug:critical

  

bug:tests

  

cleanup

  

compliance

  

compliance

  

compliance

  

crate:all

  

crate:client

  

crate:native-tls

  

crate:proto

  

crate:recursor

  

crate:resolver

  

crate:resolver

  

crate:rustls

  

crate:server

  

crate:util

  

dependencies

  

docs

  

duplicate

  

easy

  

easy

  

enhance

  

enhance

  

enhance

  

feature:dns-over-https

  

feature:dns-over-quic

  

feature:dns-over-tls

  

feature:dnsssec

  

feature:global_lb

  

feature:mdns

  

feature:tsig

  

features:edns

  

has workaround

  

ops

  

perf

  

platform:WASM

  

platform:android

  

platform:fuchsia

  

platform:linux

  

platform:macos

  

platform:windows

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

test

  

tools

  

tools

  

trust

  

unclear

  

wontfix

No labels

blocked

breaking-change

bug

bug:critical

bug:tests

cleanup

compliance

compliance

compliance

crate:all

crate:client

crate:native-tls

crate:proto

crate:recursor

crate:resolver

crate:resolver

crate:rustls

crate:server

crate:util

dependencies

docs

duplicate

easy

easy

enhance

enhance

enhance

feature:dns-over-https

feature:dns-over-quic

feature:dns-over-tls

feature:dnsssec

feature:global_lb

feature:mdns

feature:tsig

features:edns

has workaround

ops

perf

platform:WASM

platform:android

platform:fuchsia

platform:linux

platform:macos

platform:windows

pull-request

question

test

tools

tools

trust

unclear

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/hickory-dns#99

No description provided.