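zw3b.app
# -------------------------
# Création des keys
root@lb1.dns:~ # dnssec-keygen -a ECDSAP256SHA256 -n ZONE zw3b.app
root@lb1.dns:~ # dnssec-keygen -a ECDSAP256SHA256 -f KSK -n ZONE zw3b.app
# Note: dnssec-keygen writes the K*.key / K*.private pair into the current directory (here ~), while the
# $INCLUDE path and -K below point at /etc/bind/keys/; both files of each pair have to end up there
# (dnssec-keygen -K /etc/bind/keys/ writes them there directly).
# On colle les clefs dans la zone :
root@lb1.dns:~ # for key in `ls Kzw3b.app*.key`; do echo "$INCLUDE /etc/bind/keys/$key" >> /etc/bind/masters/zw3b.app.hosts; done;
# Note: inside double quotes the shell expands $INCLUDE as a variable (empty unless a variable of that name
# happens to be set), so the appended lines lose the directive. Single-quote or escape it, e.g.
#   for key in Kzw3b.app*.key; do printf '$INCLUDE /etc/bind/keys/%s\n' "$key" >> /etc/bind/masters/zw3b.app.hosts; done
# (the glob also avoids parsing ls output). Check the tail of the zone file before signing.
# On signe la zone (avec un sel aléatoire)
# root@lb1.dns:~ # dnssec-signzone -A -H 0 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -g -t -o zw3b.app -K /etc/bind/keys/ -t /etc/bind/masters/zw3b.app.hosts
# no salt (RFC 9276, Sec. 3.1.)
root@lb1.dns:~ # dnssec-signzone -A -H 0 -3 "" -N INCREMENT -g -t -o zw3b.app -K /etc/bind/keys/ -t /etc/bind/masters/zw3b.app.hosts
# Note: the dnssec-signzone manual gives "-3 -" as the way to request no salt. -A sets the opt-out flag on
# every NSEC3 record; RFC 9276 keeps opt-out for very large zones with few signed delegations, so it can be
# dropped for a zone of this size. -H 0 (zero extra iterations) already matches RFC 9276.
# -------------------------
root@lb1.dns:~ # cat /etc/bind/keys/dsset-zw3b.app.
zw3b.app. IN DS 39028 13 1 A54EAB489E9A9FDA7AE7AA723585BB02E2C50DA8
zw3b.app. IN DS 39028 13 2 576972AE44C607058D1A795BAF20A76942BEAF6691F7AD9752E746A8 0144A0AA
# Note: the first line is a digest type 1 (SHA-1) DS; only the digest type 2 (SHA-256) record should be
# handed to the registrar (RFC 8624 lists SHA-1 as MUST NOT for new delegations). The dsset file covers the
# KSK (39028) only, whereas the +trace output further down shows the parent also publishing a DS for 47132,
# which dig +multiline labels as the ZSK; a ZSK rollover would then need a parent update as well.
# -------------------------
Updated: 2025-06-05 01:36:29 UTC
https://dnsviz.net/d/zw3b.app/aED0nQ/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=
Updated: 2025-06-30 22:07:09 UTC (less than a minute ago) Update now
https://dnsviz.net/d/zw3b.app/aGMKjQ/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=
#root@lb1.dns:~ # dig zw3b.fr NSEC3PARAM +short
#1 0 10 0D2168CC9D276F72
# -----
root@lb1.dns:~ # dig zw3b.app NSEC3PARAM +short
1 0 0 8A42593B218B51D5
root@lb1.dns:~ # nsec3hash 8A42593B218B51D5 1 0 zw3b.app.
UDLBUJAK9D8QU7LKMK5KKTR4D20BRN0Q (salt=8A42593B218B51D5, hash=1, iterations=0)
root@lb1.dns:~ # nsec3hash 8A42593B218B51D5 1 1 zw3b.app.
43A38UG9S0L6V7K8J3H69FBU6QMF7JU2 (salt=8A42593B218B51D5, hash=1, iterations=1)
root@lb1.dns:~ # nsec3hash 8A42593B218B51D5 1 2 zw3b.app.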
I3VBRTSHCGF5E95C12IEDF2HPVVN41RL (salt=8A42593B218B51D5, hash=1, iterations=2) # ----- root@gate:~ # dig ANY zw3b.app @dns.google ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> ANY zw3b.app @dns.google ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50925 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;zw3b.app. IN ANY ;; ANSWER SECTION: zw3b.app. 3600 IN SOA dns.lab3w.fr. hostmaster.lab3w.fr. 2025060402 300 60 420 60 zw3b.app. 3600 IN RRSIG SOA 13 2 3600 20250705001251 20250605001251 47132 zw3b.app. m0ISF1zms/QZh2JAzzQACFrMEFR90ufwt3DBVusVz//2b17tNbhflkXt tBXCke4YIn0Hzj8GK7ZhuAcncLYa9g== zw3b.app. 3600 IN NS ns1.ipv10.net. zw3b.app. 3600 IN NS ns2.ipv10.net. zw3b.app. 3600 IN RRSIG NS 13 2 3600 20250705001251 20250605001251 47132 zw3b.app. 6abpkhQscqhUhAESsAIXAeNaS+NOyW6orYbdbE8YrrwTmL2ABwsbH4ZW 4+Jq/9k8WPUO1JjurLGm2CKZE+GDhA== zw3b.app. 3600 IN A 158.69.126.137 zw3b.app. 3600 IN RRSIG A 13 2 3600 20250705001251 20250605001251 47132 zw3b.app. 3S5hPFjathDigui8nuv5Jy+gpzpZQ/2dbZ/fY13Pn3yg3dpLZ1krFgA6 ffCWzMKBJ6xer2eVP5IvgvBdW+leDA== zw3b.app. 3600 IN MX 10 smtp.zw3b.app. zw3b.app. 3600 IN RRSIG MX 13 2 3600 20250705001251 20250605001251 47132 zw3b.app. nqai+zm+mW6JDD4WGO03/IERX4vK2GPJDNf1S1fmKDU72cS0WpfhM4bB UBVyj/wOFLN2t2WThCEbqVyIxRhuhg== zw3b.app. 10800 IN TXT "v=spf1 ip4:158.69.126.137/32 ip6:2607:5300:60:9389:17:4c1:0:1a/124 ~all" zw3b.app. 10800 IN RRSIG TXT 13 2 10800 20250705001251 20250605001251 47132 zw3b.app. tKDyErUWoppoDAXc3XOU3lv9MhK5aU9fi8TmRnPcq3ErWKCX3dGq/jYP RWc+CPYE1Sa363tDsnRSFiW+mfwoqQ== zw3b.app. 3600 IN AAAA 2607:5300:60:9389::1 zw3b.app. 3600 IN RRSIG AAAA 13 2 3600 20250705001251 20250605001251 47132 zw3b.app. aI1jVApg/fP6p+iookY1wi91dJp/1Ssr4du3Kv+/c1LsRKfHyMre0Nr9 PJ3dyhFmIfbO2kUhthB8XQfcOSgdJA== zw3b.app. 
3600 IN DNSKEY 257 3 13 6leXTZRyCwdRZYvvDgTiXvUEwFWl0wLwB5MB9aCW0yZAAnDl4CqynmBC pVkmkdvLwkwPHCe6aX9U0HJopLqv6w== zw3b.app. 3600 IN DNSKEY 256 3 13 xV3tEVdpzMIC+tpKM9TbZtqZKQTLo0g/SLQi9MJuUl+5vXBsOGqDNcBO z/MxYIuq7oqU4dy1ATJuO+As182eWg== zw3b.app. 3600 IN RRSIG DNSKEY 13 2 3600 20250705001251 20250605001251 47132 zw3b.app. 38L8rkFzxDPJUZv413NtCL0JLxO6HwSNhrem3jf2N5rZ6ZGaTkomHQrd EdDvqcNYqLTwKqnk1Xz06A6nt//l5w== zw3b.app. 3600 IN RRSIG DNSKEY 13 2 3600 20250705001251 20250605001251 39028 zw3b.app. d3wddgX/S6SrZUA0sJNNn3kxlmxARnICW774JSbLnowEuRoFo3z4ZuEw 6WfbRDS+CXRaCFaajY+0PU0quc3vwQ== zw3b.app. 0 IN NSEC3PARAM 1 0 0 8A42593B218B51D5 zw3b.app. 0 IN RRSIG NSEC3PARAM 13 2 0 20250705001251 20250605001251 47132 zw3b.app. CtplT/gELWrUaA0aQfC0h50ohb4JwK+DxV4Dzsig+OGLvjq/sR97DpkE qiZTwxKkua9zEhL8APlAqQ19W7W9pQ== zw3b.app. 10800 IN SPF "v=spf1 ip4:158.69.126.137/32 ip6:2607:5300:60:9389:17:4c1:0:1a/124 ~all" zw3b.app. 10800 IN RRSIG SPF 13 2 10800 20250705001251 20250605001251 47132 zw3b.app. pksk9f6QK5xyfiP7Bq0WPR4HxHV3j3mi7F98XgznT45wWgjmgxjsJO4z T45LPmr/LStsyH8kDnXxVct7K7Vs0w== ;; Query time: 552 msec ;; SERVER: 2001:4860:4860::8888#53(dns.google) (TCP) ;; WHEN: Tue Jul 01 00:38:41 CEST 2025 ;; MSG SIZE rcvd: 1599 # ------------------------- # Apres avoir re-signé la zone comme cela -> Du coup j'ai 2 NSEC3PARAM 3il fallait peut-être: Updated: 2025-06-30 23:02:12 UTC https://dnsviz.net/d/zw3b.app/aGMXdA/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk= root@lb1.dns:~ # dnssec-signzone -A -H 0 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -g -t -o zw3b.app -K /etc/bind/keys/ -t /etc/bind/masters/zw3b.app.hosts Verifying the zone using the following algorithms: ECDSAP256SHA256. 
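Zone fully signed:
Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 1 active, 0 stand-by, 0 revoked
/etc/bind/masters/zw3b.app.hosts.signed
Signatures generated: 37
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.022
Signatures per second: 1619.468
Runtime in seconds: 0.254
# -----
root@lb1.dns:~ # dig zw3b.app NSEC3PARAM +short
1 0 0 876435C96D1CDA22
root@lb1.dns:~ # nsec3hash 876435C96D1CDA22 1 0 zw3b.app.
FT0Q4U8V7TDF9AUVH9BQ4HJUKCT6EBJO (salt=876435C96D1CDA22, hash=1, iterations=0)
root@lb1.dns:~ # nsec3hash 876435C96D1CDA22 1 1 zw3b.app.
048CHE79MN7BDLCNCQALQV6HMUH6DJL0 (salt=876435C96D1CDA22, hash=1, iterations=1)
root@lb1.dns:~ # nsec3hash 0802585BC0273018 1 10 zw3b.app.
36NIVQJJPJ7MDDMJ5IS1J7AMBK1H5FLT (salt=0802585BC0273018, hash=1, iterations=10)
root@lb1.dns:~ # dig +dnssec ANY wwwwwwwww.zw3b.app
0HO8P72OQFAVSTG51POREENG1073LNQ4.zw3b.app. 60 IN NSEC3 1 1 0 876435C96D1CDA22 43KL4M4NGP1K2DFUV0915IVS4DE27MS9 CNAME RRSIG
0HO8P72OQFAVSTG51POREENG1073LNQ4.zw3b.app. 60 IN RRSIG NSEC3 13 3 60 20250730214956 20250630214956 47132 zw3b.app. s9Av1iM1hK2o7J1O6fprT1E7KBsp4ddi4Tx31kUmI5ppPDmvyjVm5yDs O5OJyx8jOjCC/ifIWqQTDi0L3eussQ==
# Note: in the NSEC3 record the fields after the type are hash algorithm 1, flags 1, iterations 0, salt;
# flags 1 is the opt-out bit set by dnssec-signzone -A (the NSEC3PARAM record always shows flags 0).
?????
https://www.bortzmeyer.org/5155.html
RFC 5155: DNSSEC Hashed Authenticated Denial of Existence
?????
Updated: 2025-06-30 23:34:51 UTC
https://dnsviz.net/d/zw3b.app/aGMfGw/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=
Errors (4)
yv4xn.cdi5s.zw3b.app/A has errors; select the "Denial of existence" DNSSEC option to see them.
zw3b.app/CDNSKEY has errors; select the "Denial of existence" DNSSEC option to see them.
zw3b.app/CNAME has errors; select the "Denial of existence" DNSSEC option to see them.
zw3b.app/CDS has errors; select the "Denial of existence" DNSSEC option to see them.
# Note: every dig answer on this page carries SOA serial 2025060402, although the RRSIG inception dates
# differ (20250604, 20250605, 20250630, 20250701). -N INCREMENT adds one to the serial found in the unsigned
# source file, so re-signing an unchanged source produces the same serial each time and the secondaries have
# no reason to transfer the new copy. A server still holding an older signed copy keeps answering with the
# previous NSEC3 salt/iterations and signatures, which would explain seeing two NSEC3PARAM values and these
# denial-of-existence errors. Raise the serial in the source file (or sign with -N unixtime) on every re-sign,
# then compare SOA and NSEC3PARAM on each authoritative server directly (dig @ns1.ipv10.net, dig @ns2.ipv10.net)
# rather than through a caching resolver.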
# ----- root@gate:~ # dig ANY zw3b.app @dns.google ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> ANY zw3b.app @dns.google ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24940 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;zw3b.app. IN ANY ;; ANSWER SECTION: zw3b.app. 3600 IN SOA dns.lab3w.fr. hostmaster.lab3w.fr. 2025060402 300 60 420 60 zw3b.app. 3600 IN RRSIG SOA 13 2 3600 20250730214956 20250630214956 47132 zw3b.app. rhruDs5jZNR+l/plHY2vsxnb86408wgFB536SONIkPFimGPDShYZ7a4y Gj4NGb5N7EI+CrZmgH2NyVtY5dZr2Q== zw3b.app. 3600 IN NS ns2.ipv10.net. zw3b.app. 3600 IN NS ns1.ipv10.net. zw3b.app. 3600 IN RRSIG NS 13 2 3600 20250730214956 20250630214956 47132 zw3b.app. fCNeUQWbIKU519uTznFOIGmr5wVPMbic5MG+EN0/4xl48zKA0IcHMd0H PzDCOmCOS9sY4LG40mSczy+TAVOhyg== zw3b.app. 3600 IN A 158.69.126.137 zw3b.app. 3600 IN RRSIG A 13 2 3600 20250730214956 20250630214956 47132 zw3b.app. NND9wlSCF1uPjZ08zt7AUQKnVrpoIcxylMwA8V0WiMqfo1eZfaYSUpGC YhmznVTBiMMd8yQXF+4rws2/Nmn2aA== zw3b.app. 3600 IN MX 10 smtp.zw3b.app. zw3b.app. 3600 IN RRSIG MX 13 2 3600 20250730214956 20250630214956 47132 zw3b.app. 0Ly/iC/nBJ5hwHxxDDm7zQsP/u+eJuksZ9vfm39FXnf0dhat3rNlSjgw b/x9tQF6rgWLcGR5ByeG6iD3BRoymw== zw3b.app. 10800 IN TXT "v=spf1 ip4:158.69.126.137/32 ip6:2607:5300:60:9389:17:4c1:0:1a/124 ~all" zw3b.app. 10800 IN RRSIG TXT 13 2 10800 20250730214956 20250630214956 47132 zw3b.app. TCUgbL1cQRBvUvwUW22A5ORtyRsw5voonbA/AIWFhDbAhGsQ6H6pXf6g 4pn+sdjJorB+ceBgMDHMTGVoRglcHg== zw3b.app. 3600 IN AAAA 2607:5300:60:9389::1 zw3b.app. 3600 IN RRSIG AAAA 13 2 3600 20250730214956 20250630214956 47132 zw3b.app. 9iHbGzgiggLdEo6Xv0LqUlgj5e9JVDuxFmQLXZQwckbIFjvN/+i0PN1l iyuJ19wLFsoQZyvdwhtpqp1huT+hxA== zw3b.app. 3600 IN DNSKEY 257 3 13 6leXTZRyCwdRZYvvDgTiXvUEwFWl0wLwB5MB9aCW0yZAAnDl4CqynmBC pVkmkdvLwkwPHCe6aX9U0HJopLqv6w== zw3b.app. 
3600 IN DNSKEY 256 3 13 xV3tEVdpzMIC+tpKM9TbZtqZKQTLo0g/SLQi9MJuUl+5vXBsOGqDNcBO z/MxYIuq7oqU4dy1ATJuO+As182eWg== zw3b.app. 3600 IN RRSIG DNSKEY 13 2 3600 20250730214956 20250630214956 39028 zw3b.app. x4giojYrcZoTD4QKEEPOiL9kl20K+4dgXl3oRsxR8aUuo6RCES7mdT/Q WZkKduEX0IQk/rRw7oF5JKiKiY1Ykg== zw3b.app. 3600 IN RRSIG DNSKEY 13 2 3600 20250730214956 20250630214956 47132 zw3b.app. pFYMEstT0didUfG1IW5WC9oN1VmCPL+YnR9SiuESVheEzO0a+U4iMyB5 6mRLk+EdIyaqUty8OLaOJGwYMq5hUA== zw3b.app. 0 IN NSEC3PARAM 1 0 0 876435C96D1CDA22 zw3b.app. 0 IN RRSIG NSEC3PARAM 13 2 0 20250730214956 20250630214956 47132 zw3b.app. K/SXG41lZs2llrsrjAIzM3+FeKVEluBnXROHBMURg+Lz2oHO9aaBNbTn KDpjCT8D92xp2oqiI9VIXconcFfVAA== zw3b.app. 10800 IN SPF "v=spf1 ip4:158.69.126.137/32 ip6:2607:5300:60:9389:17:4c1:0:1a/124 ~all" zw3b.app. 10800 IN RRSIG SPF 13 2 10800 20250730214956 20250630214956 47132 zw3b.app. 8CYpy+Nb3jc+ewPIVuNRlO6lm5mpEDVd/7a/kwlAd/uNDMen1Tz4LzYb VVbKr3lzznk0ZfPoWHmUUfu8cNMVLg== ;; Query time: 540 msec ;; SERVER: 2001:4860:4860::8888#53(dns.google) (TCP) ;; WHEN: Tue Jul 01 00:58:54 CEST 2025 ;; MSG SIZE rcvd: 1599 # ----- root@gate:~ # dig ANY zw3b.app +dnssec @dns.google ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> ANY zw3b.app +dnssec @dns.google ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40228 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;zw3b.app. IN ANY ;; ANSWER SECTION: zw3b.app. 3600 IN SOA dns.lab3w.fr. hostmaster.lab3w.fr. 2025060402 300 60 420 60 zw3b.app. 3600 IN RRSIG DNSKEY 13 2 3600 20250704230901 20250604230901 47132 zw3b.app. LFJbAjpnGXS3U5Lx8Y1g/AonaeNe4ZNrrO8zc2oxzoWDaS+zPg/EJCux TUA4D5IWyw7ZVoZ+ZeZNMFC5GEF01A== zw3b.app. 3600 IN RRSIG DNSKEY 13 2 3600 20250704230901 20250604230901 39028 zw3b.app. yYPXrV/nrIwA3imJB5IwxFwE5lyj0EZeq+7ASTjvDdyI+JtYrIE4lvdE 67S1zpGvUX2+Zadg3F4VezjSnLpRfw== zw3b.app. 
3600 IN DNSKEY 257 3 13 6leXTZRyCwdRZYvvDgTiXvUEwFWl0wLwB5MB9aCW0yZAAnDl4CqynmBC pVkmkdvLwkwPHCe6aX9U0HJopLqv6w== zw3b.app. 3600 IN DNSKEY 256 3 13 xV3tEVdpzMIC+tpKM9TbZtqZKQTLo0g/SLQi9MJuUl+5vXBsOGqDNcBO z/MxYIuq7oqU4dy1ATJuO+As182eWg== zw3b.app. 3600 IN RRSIG AAAA 13 2 3600 20250704230901 20250604230901 47132 zw3b.app. DJgJCLrvN/7UOuDXXMafRPDhaf/GSoVy57BCuMtT8wV1x89w79VIVrLe BcyC6FVL9o8hOk+hGErAIUQXhmDSkQ== zw3b.app. 3600 IN AAAA 2607:5300:60:9389::1 zw3b.app. 10800 IN RRSIG TXT 13 2 10800 20250704230901 20250604230901 47132 zw3b.app. Ch7BHcnN1ldYmwBXmnB5qrA+izmn15mGJwdx81NR3yTPuy1dLsd2BBht 5QkH+9z5MYSvtwKOkYHUXll02jT+Xw== zw3b.app. 10800 IN TXT "v=spf1 ip4:158.69.126.137/32 ip6:2607:5300:60:9389:17:4c1:0:1a/124 ~all" zw3b.app. 3600 IN RRSIG MX 13 2 3600 20250704230901 20250604230901 47132 zw3b.app. bANn3hF2FQC43fzbH1pKtX0JrpMJ8CjnoQBY1RgggqEeHgGb5cYpPoJJ YigVJZccewgDyIIZv7mm6owHt1uoRQ== zw3b.app. 3600 IN MX 10 smtp.zw3b.app. zw3b.app. 3600 IN RRSIG A 13 2 3600 20250704230901 20250604230901 47132 zw3b.app. tTURQB2H5XFSwsq5xPF1Z2zwimqrch5hos2DnLUM6i63Wvq2mu+rLKI0 YEjtkUdjWlPMWtrLfG4HucmF7rbMPw== zw3b.app. 3600 IN A 158.69.126.137 zw3b.app. 3600 IN RRSIG NS 13 2 3600 20250704230901 20250604230901 47132 zw3b.app. 0lu9CZFKiSS9JwnU5oBzYjNsAD6zuR0ANyDMOhRcCZDjhwaOj2tYlfEi eJiTZLwdkiBFhtNL87yujE0EZ5lKZw== zw3b.app. 3600 IN NS ns1.ipv10.net. zw3b.app. 3600 IN NS ns2.ipv10.net. zw3b.app. 3600 IN RRSIG SOA 13 2 3600 20250704230901 20250604230901 47132 zw3b.app. Q4yK6igmJzLjYMGp1NuOZTH03mb1rM/Q6LFSFHtMHOvf2MrfgXYu72q4 kskfKYJjptWfDz7gZU4zDyYKlrj6Vg== zw3b.app. 10800 IN RRSIG SPF 13 2 10800 20250704230901 20250604230901 47132 zw3b.app. +sBaYA2MEWgdMLo4BwtXsEx0tQzhkN0+PbCNotv3mGs3gDJciVZ+z2O4 srt/sPmeljDtrszZIJXByBU+BdaMIw== zw3b.app. 10800 IN SPF "v=spf1 ip4:158.69.126.137/32 ip6:2607:5300:60:9389:17:4c1:0:1a/124 ~all" zw3b.app. 0 IN RRSIG NSEC3PARAM 13 2 0 20250704230901 20250604230901 47132 zw3b.app. 
30rqfVvBZqv/iNlauVRJnizN/0oqZnL3Eeakebgf6SiRlw6n7xwMQnCR K7yqp65V4NZNu2vHLP6qSAjuJm18og== zw3b.app. 0 IN NSEC3PARAM 1 0 10 0802585BC0273018 ;; Query time: 440 msec ;; SERVER: 2001:4860:4860::8844#53(dns.google) (TCP) ;; WHEN: Tue Jul 01 01:40:46 CEST 2025 ;; MSG SIZE rcvd: 1599 # ------------------------------------------------------------------------------ # 20250604 --> 20250704 zw3b.app. 0 IN NSEC3PARAM 1 0 10 0802585BC0273018 zw3b.app. 0 IN RRSIG NSEC3PARAM 13 2 0 20250704230901 20250604230901 47132 zw3b.app. 30rqfVvBZqv/iNlauVRJnizN/0oqZnL3Eeakebgf6SiRlw6n7xwMQnCR K7yqp65V4NZNu2vHLP6qSAjuJm18og== # 20250605 --> 20250705 zw3b.app. 0 IN NSEC3PARAM 1 0 0 8A42593B218B51D5 zw3b.app. 0 IN RRSIG NSEC3PARAM 13 2 0 20250705001251 20250605001251 47132 zw3b.app. CtplT/gELWrUaA0aQfC0h50ohb4JwK+DxV4Dzsig+OGLvjq/sR97DpkE qiZTwxKkua9zEhL8APlAqQ19W7W9pQ== # 20250630 --> 20250730 zw3b.app. 0 IN NSEC3PARAM 1 0 0 876435C96D1CDA22 zw3b.app. 0 IN RRSIG NSEC3PARAM 13 2 0 20250730214956 20250630214956 47132 zw3b.app. K/SXG41lZs2llrsrjAIzM3+FeKVEluBnXROHBMURg+Lz2oHO9aaBNbTn KDpjCT8D92xp2oqiI9VIXconcFfVAA== # 20250701 --> 20250731 zw3b.app. 0 IN NSEC3PARAM 1 0 0 - zw3b.app. 0 IN RRSIG NSEC3PARAM 13 2 0 20250731013215 20250701013215 47132 zw3b.app. /xB5gI0JvErGqi2SRDImt2COxil4I4qv24Pnjufgtx1ea6vk02sAGyaA TWZ/bxVClxrDANogWxOT1s7oEDT2Xw== # ------------------------------------------------------------------------------ # ------------------------------------------ # root@gate:~ # dig ANY zw3b.app +dnssec @dns.google ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> ANY zw3b.app +dnssec @dns.google ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39501 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;zw3b.app. IN ANY ;; ANSWER SECTION: zw3b.app. 3600 IN SOA dns.lab3w.fr. hostmaster.lab3w.fr. 2025060402 300 60 420 60 zw3b.app. 
3600 IN RRSIG SOA 13 2 3600 20250731013215 20250701013215 47132 zw3b.app. rHimtepTKDXt1IEGqe1oZh7fFGiHVwmoF7lnSlWsZnh25UzhijcWzXdQ D1orI8YMGKM9rbdUM4gJ2w6dTK6opw== zw3b.app. 3600 IN NS ns2.ipv10.net. zw3b.app. 3600 IN NS ns1.ipv10.net. zw3b.app. 3600 IN RRSIG NS 13 2 3600 20250731013215 20250701013215 47132 zw3b.app. LfLeF4hOhHSqPqRH7lpEVl3e1DeqHG7cOiBrN/Ogut5Mp+1lH5O6fcET FdqwnVwYytFLJTFV9vBxQcWgVwILYQ== zw3b.app. 3600 IN A 158.69.126.137 zw3b.app. 3600 IN RRSIG A 13 2 3600 20250731013215 20250701013215 47132 zw3b.app. 18gVm2FgyR3pQLAaUhAm1iSR3pT1w45OFjdlLTg7GLFFWOy0O+uO+BeA n82G6WY2lR2eaQQKliicXbG/JxCvRQ== zw3b.app. 3600 IN MX 10 smtp.zw3b.app. zw3b.app. 3600 IN RRSIG MX 13 2 3600 20250731013215 20250701013215 47132 zw3b.app. W/+aRnAhoHac5ra8HYaGzdAuAaGglcO6P5lprGLm9T+6Uzcq4Fdo6dwh jionbvj6/M0I1Gf/Aio2wNXJuRVZxQ== zw3b.app. 10800 IN TXT "v=spf1 ip4:158.69.126.137/32 ip6:2607:5300:60:9389:17:4c1:0:1a/124 ~all" zw3b.app. 10800 IN RRSIG TXT 13 2 10800 20250731013215 20250701013215 47132 zw3b.app. rjhzEGh1vgiM9V0qrSXm0d/VCr3r8jD/knJQhUVh8Sf9mx2uYRL09bot NarBjAB7VHnPqM4+CdNaR8NZqJxIBA== zw3b.app. 3600 IN AAAA 2607:5300:60:9389::1 zw3b.app. 3600 IN RRSIG AAAA 13 2 3600 20250731013215 20250701013215 47132 zw3b.app. Po5qC8VfGKsxNpd/fJTbBPxvFRGYrA6N/pA/MO+VWSYUCkr09bmDhiNV yDDy40fE/lgOMQtQ8z9XlqXH3pExqA== zw3b.app. 3600 IN DNSKEY 257 3 13 6leXTZRyCwdRZYvvDgTiXvUEwFWl0wLwB5MB9aCW0yZAAnDl4CqynmBC pVkmkdvLwkwPHCe6aX9U0HJopLqv6w== zw3b.app. 3600 IN DNSKEY 256 3 13 xV3tEVdpzMIC+tpKM9TbZtqZKQTLo0g/SLQi9MJuUl+5vXBsOGqDNcBO z/MxYIuq7oqU4dy1ATJuO+As182eWg== zw3b.app. 3600 IN RRSIG DNSKEY 13 2 3600 20250731013215 20250701013215 47132 zw3b.app. Iuhkq9gW9X9BhczylN7hKE8PIr96soETPKczboCX5gRxCLCHBPKEIFte 00ae1V7WnMglCmmfmI8j2rC3CAq7qQ== zw3b.app. 3600 IN RRSIG DNSKEY 13 2 3600 20250731013215 20250701013215 39028 zw3b.app. 6vtLDY4RJ3PTb73WaKzwDdtzIAbxqwTA1zb3cyrrI2fMGM298s+IyQQ4 1qeLtw5nv7ZVCMRrsHWJdVJhUflZfg== zw3b.app. 0 IN NSEC3PARAM 1 0 0 - zw3b.app. 
0 IN RRSIG NSEC3PARAM 13 2 0 20250731013215 20250701013215 47132 zw3b.app. /xB5gI0JvErGqi2SRDImt2COxil4I4qv24Pnjufgtx1ea6vk02sAGyaA TWZ/bxVClxrDANogWxOT1s7oEDT2Xw== zw3b.app. 10800 IN SPF "v=spf1 ip4:158.69.126.137/32 ip6:2607:5300:60:9389:17:4c1:0:1a/124 ~all" zw3b.app. 10800 IN RRSIG SPF 13 2 10800 20250731013215 20250701013215 47132 zw3b.app. AHlZ5vbI86u6p/lwt8MjLw0BjjRHXcNPlnWSMml09ofH/aQQG0CdPg/p Hr4RTNJ8xKUz0HgnxmStEEIMhd8tSw== ;; Query time: 468 msec ;; SERVER: 2001:4860:4860::8844#53(dns.google) (TCP) ;; WHEN: Tue Jul 01 05:44:08 CEST 2025 ;; MSG SIZE rcvd: 1591 # Check if for the DNSKEY record using dig on the same server. root@gate:~ # dig DNSKEY zw3b.app. @dns.google +multiline ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> DNSKEY zw3b.app. @dns.google +multiline ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7675 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;zw3b.app. IN DNSKEY ;; ANSWER SECTION: zw3b.app. 3600 IN DNSKEY 257 3 13 ( 6leXTZRyCwdRZYvvDgTiXvUEwFWl0wLwB5MB9aCW0yZA AnDl4CqynmBCpVkmkdvLwkwPHCe6aX9U0HJopLqv6w== ) ; KSK; alg = ECDSAP256SHA256 ; key id = 39028 zw3b.app. 3600 IN DNSKEY 256 3 13 ( xV3tEVdpzMIC+tpKM9TbZtqZKQTLo0g/SLQi9MJuUl+5 vXBsOGqDNcBOz/MxYIuq7oqU4dy1ATJuO+As182eWg== ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 47132 ;; Query time: 168 msec ;; SERVER: 2001:4860:4860::8888#53(dns.google) (UDP) ;; WHEN: Tue Jul 01 05:47:28 CEST 2025 ;; MSG SIZE rcvd: 197 # Check for the presence of RRSIG records. root@gate:~ # dig A zw3b.app. @dns.google +noadditional +dnssec +multiline ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> A zw3b.app. 
@dns.google +noadditional +dnssec +multiline ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53363 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;zw3b.app. IN A ;; ANSWER SECTION: zw3b.app. 3600 IN A 158.69.126.137 zw3b.app. 3600 IN RRSIG A 13 2 3600 ( 20250731013215 20250701013215 47132 zw3b.app. 18gVm2FgyR3pQLAaUhAm1iSR3pT1w45OFjdlLTg7GLFF WOy0O+uO+BeAn82G6WY2lR2eaQQKliicXbG/JxCvRQ== ) ;; Query time: 332 msec ;; SERVER: 2001:4860:4860::8888#53(dns.google) (UDP) ;; WHEN: Tue Jul 01 05:48:07 CEST 2025 ;; MSG SIZE rcvd: 157 # Afficher les DS : Delegation Signer root@gate:~ # dig +trace +noadditional DS zw3b.app. @dns.google ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +trace +noadditional DS zw3b.app. @dns.google ;; global options: +cmd . 87203 IN NS j.root-servers.net. . 87203 IN NS i.root-servers.net. . 87203 IN NS k.root-servers.net. . 87203 IN NS g.root-servers.net. . 87203 IN NS b.root-servers.net. . 87203 IN NS d.root-servers.net. . 87203 IN NS c.root-servers.net. . 87203 IN NS m.root-servers.net. . 87203 IN NS e.root-servers.net. . 87203 IN NS f.root-servers.net. . 87203 IN NS a.root-servers.net. . 87203 IN NS l.root-servers.net. . 87203 IN NS h.root-servers.net. . 87203 IN RRSIG NS 8 0 518400 20250713170000 20250630160000 53148 . F5VWx/WSeDHePd6EPBrbWIgCMzUu7qWfQLVPYUKKkS20Q3RGvt+aT18U j+CLqBizgcDgpThikC8dDV/IHPTj3YANGn2ZN8lt4MdOHimpeRaitF9K yo/26vRDEYOWDHXRxqlxoMOPd/JsDpK3xkD4MPRBnFKK+Kl/U5WzrYIg E6XARCdJzJL4Y+Yoq6yLPRjTz0BCDknMK3mzakkfxvsTLC+EtU8vND3k gvj62lzxzcEna3G75RCWAFB79z+mkirwNorrUpLMqCkClSdbArvbh0be 3W80FYg6A/QJvc3tCGIdRTMhMUW5blqIYX5vO9go+k3NzgBG0ZkTw1lW ppm3/A== ;; Received 525 bytes from 2001:4860:4860::8888#53(dns.google) in 12 ms app. 172800 IN NS ns-tld1.charlestonroadregistry.com. app. 172800 IN NS ns-tld2.charlestonroadregistry.com. app. 172800 IN NS ns-tld3.charlestonroadregistry.com. app. 
172800 IN NS ns-tld4.charlestonroadregistry.com. app. 172800 IN NS ns-tld5.charlestonroadregistry.com. app. 86400 IN DS 23684 8 2 3A5CC8A31E02C94ABA6461912FABB7E9F5E34957BB6114A55A864D96 AEC31836 app. 86400 IN RRSIG DS 8 1 86400 20250713170000 20250630160000 53148 . C04Re2JyyQxEi8C8eqBQmGG/rWHfGezgMQSLkH3kaDhLGYLtozUCXITR ZBrOQLfpRhtYpHfs0O4+k5snmDy8yLFKFGGjYA2Mv1Gj43KKJpjdfNOV gmy7eMUNH7xiOk2KdZxNSEZSZhumPHkvKePkVbqzFaOoqtB+GpNu1yNE n+8Y6CnODVy4+Mj3DGdBiWfmJUHGQOIWAHvWefwlCZz7FTm5vUOLWEwp YPOQTDeHPaA7xDjFLKVqy8nzbehqVd+rGgfmbHnPdaaOTkKtfEKlrWtM NbQ0/8Yd6E5pmxDMqVA6zaoqCuF7t8EfW3Q07yLhNNN1FzgJI8zDSstm B/Pg3A== ;; Received 728 bytes from 192.58.128.30#53(j.root-servers.net) in 12 ms zw3b.app. 1800 IN DS 47132 13 2 4BEC9D1881C4E242EA6E2568A23902BAD941A23E184EC5EB98A9B731 4993C4FD zw3b.app. 1800 IN DS 39028 13 2 576972AE44C607058D1A795BAF20A76942BEAF6691F7AD9752E746A8 0144A0AA zw3b.app. 1800 IN RRSIG DS 8 2 1800 20250718144244 20250626144244 17620 app. VDe2VOrziqvgKDy7QKMlnV7AatUfVpsc36SmjM8wI/6Y7VHdzbNJFMXv MSefhYcWE3DEh7b+moExuOQyw8GFYx1kUiAUrM0jFy3XUoMx6JgJvVG1 uVFFormoJr9V84Znf7IxJhmQK6C4EAt9q+7NhntJzGgq8+5xJWctFkSn Yiw= ;; Received 329 bytes from 2001:4860:4805::69#53(ns-tld5.charlestonroadregistry.com) in 116 ms # Afficher les DS : Delegation Signer root@gate:~ # dig +trace +noadditional DS zw3b.app. @dns.google | grep DS ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +trace +noadditional DS zw3b.app. @dns.google app. 86400 IN DS 23684 8 2 3A5CC8A31E02C94ABA6461912FABB7E9F5E34957BB6114A55A864D96 AEC31836 app. 86400 IN RRSIG DS 8 1 86400 20250713170000 20250630160000 53148 . C04Re2JyyQxEi8C8eqBQmGG/rWHfGezgMQSLkH3kaDhLGYLtozUCXITR ZBrOQLfpRhtYpHfs0O4+k5snmDy8yLFKFGGjYA2Mv1Gj43KKJpjdfNOV gmy7eMUNH7xiOk2KdZxNSEZSZhumPHkvKePkVbqzFaOoqtB+GpNu1yNE n+8Y6CnODVy4+Mj3DGdBiWfmJUHGQOIWAHvWefwlCZz7FTm5vUOLWEwp YPOQTDeHPaA7xDjFLKVqy8nzbehqVd+rGgfmbHnPdaaOTkKtfEKlrWtM NbQ0/8Yd6E5pmxDMqVA6zaoqCuF7t8EfW3Q07yLhNNN1FzgJI8zDSstm B/Pg3A== zw3b.app. 
1800 IN DS 47132 13 2 4BEC9D1881C4E242EA6E2568A23902BAD941A23E184EC5EB98A9B731 4993C4FD zw3b.app. 1800 IN DS 39028 13 2 576972AE44C607058D1A795BAF20A76942BEAF6691F7AD9752E746A8 0144A0AA zw3b.app. 1800 IN RRSIG DS 8 2 1800 20250718144244 20250626144244 17620 app. VDe2VOrziqvgKDy7QKMlnV7AatUfVpsc36SmjM8wI/6Y7VHdzbNJFMXv MSefhYcWE3DEh7b+moExuOQyw8GFYx1kUiAUrM0jFy3XUoMx6JgJvVG1 uVFFormoJr9V84Znf7IxJhmQK6C4EAt9q+7NhntJzGgq8+5xJWctFkSn Yiw= # ---------------------- # https://www.osso.nl/blog/2022/dnssec-validation-authoritative-server/ # dnssec validation / authoritative server root@lb1.dns:~ # delv -t A @dns.google zw3b.app. +rtrace ;; fetch: dns.google/A ;; fetch: dns.google/AAAA ;; fetch: zw3b.app/A ;; fetch: zw3b.app/DNSKEY ;; fetch: zw3b.app/DS ;; fetch: app/DNSKEY ;; fetch: app/DS ;; fetch: ./DNSKEY ; fully validated zw3b.app. 3600 IN A 158.69.126.137 zw3b.app. 3600 IN RRSIG A 13 2 3600 20250731013215 20250701013215 47132 zw3b.app. 18gVm2FgyR3pQLAaUhAm1iSR3pT1w45OFjdlLTg7GLFFWOy0O+uO+BeA n82G6WY2lR2eaQQKliicXbG/JxCvRQ== root@lb1.dns:~ # delv -t A @dns.google fail01.zw3b.app. +rtrace ;; fetch: dns.google/A ;; fetch: dns.google/AAAA ;; fetch: fail01.zw3b.app/A ;; fetch: zw3b.app/DNSKEY ;; fetch: zw3b.app/DS ;; fetch: app/DNSKEY ;; fetch: app/DS ;; fetch: ./DNSKEY ;; fetch: web.zw3b.app/A ; unsigned answer fail01.zw3b.app. 60 IN CNAME web.zw3b.app. fail01.zw3b.app. 60 IN RRSIG CNAME 13 2 3600 20250731013215 20250701013215 47132 zw3b.app. s8ifKq7R4ZSefU5h5Nym5+Vli+LDp/NF7xisOZBqUI9duCh+cisICvI0 A7OQbxiKWJcwtKklYd3nS5DYm9378g== ; fully validated web.zw3b.app. 3600 IN A 57.128.171.43 web.zw3b.app. 3600 IN A 90.5.102.244 web.zw3b.app. 3600 IN A 135.125.133.51 web.zw3b.app. 3600 IN A 139.99.171.39 web.zw3b.app. 3600 IN A 158.69.126.137 web.zw3b.app. 3600 IN RRSIG A 13 3 3600 20250731013215 20250701013215 47132 zw3b.app. drR8858CWnD+leEN+YyJTi4nQhlyRUs6OQnDapBKK9CsDoiToQJeDECQ qlZ7vFZlmujHV4NTFrj2+fp+C2ZX9w==