# DNSSEC and PTR



## Gwendou (May 23, 2011)

Hi,

First, I'm sorry for my English, but I'm French. I have a problem with DNSSEC. I have created my signed zone, but when I use it, the PTR records don't do their job.

`nslookup dns` works, but `nslookup 192.168.0.1` doesn't work.

Can you help me, please ?

Cordially

Gwendou


----------



## SirDice (May 23, 2011)

Did you actually create a reverse zone?


----------



## Gwendou (May 23, 2011)

In my zone file there are A and PTR records, so I think it creates the reverse zone at the same time.


----------



## SirDice (May 23, 2011)

Which DNS server? If it's for BIND, you'll need a forward and a (separate) reverse zone.


----------



## Gwendou (May 23, 2011)

I use BIND in Netkit, and I tried to create two different files, but the reverse signed file couldn't be generated: it says that it doesn't know PTR.


----------



## SirDice (May 23, 2011)

So, some script generates an error when it tries to create the reverse zone, and you're wondering why it doesn't work?

What's the script? How are you creating your zones? Post your configuration so we can have a look.


----------



## Gwendou (May 23, 2011)

To use one file for normal and reverse DNS, I give the same file in the zone

```
"my_zone" IN { file "my_file"}
```

and in the zone

```
"X.X.X.in-addr.arpa" IN { file "my_file"}
```


----------



## SirDice (May 23, 2011)

Split them up. They're not supposed to be in one file.


----------



## Gwendou (May 23, 2011)

That's what I do:


```
# generate two ZSKs (current and published) and one KSK
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE network
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE network
dnssec-keygen -r /dev/urandom -a RSASHA1 -b 2048 -n ZONE -f KSK network   # 09064

# add this to the zone file "network"
;; ksk
$INCLUDE /etc/bind/KSK.key
;; current zsk
$INCLUDE /etc/bind/ZSK-cur.key
;; published zsk
$INCLUDE /etc/bind/ZSK-pub.key

# generate the signed zone file
dnssec-signzone -k KSK.key -o network -e +2592000 db.network ZSK-cur.key

# verify the signed zone file
named-checkzone network db.network.signed

# add to the options block of named.conf
dnssec-enable yes;
dnssec-validation yes;

# change the zone's file in named.conf
file "/etc/bind/network"   ==>   file "/etc/bind/network.signed"

# reload the zone
rndc reload network
```


----------



## Gwendou (May 23, 2011)

My named.conf file:


```
options {
        directory "/var/cache/bind";
        dnssec-enable yes;
        dnssec-validation yes;
};

zone "localhost" IN {
        type master;
        file "/etc/bind/db.local";
        allow-update { none; };
};

zone "network" IN {
        type master;
        file "/etc/bind/network.signed";
        allow-query { 192.168.0.0/24; };
};

zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/network.signed";
        allow-query { 192.168.0.0/24; };
};
```
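The procedure and named.conf posted above point both zone stanzas at the same signed file. BIND loads a zone file relative to that zone's own `$ORIGIN`; a record whose owner is not under `0.168.192.in-addr.arpa` is out-of-zone data for the reverse zone and is dropped, so no PTR is ever answered. The script below is an added example, not code from the thread or from BIND: it builds the forward and reverse zones as two separate files from one host list, then signs each zone with its own KSK/ZSK pair (the DNSKEY set lives at each zone's apex, so keys are per zone). The zone name `network`, the subnet 192.168.0.0/24, the output directory `./zones`, the three hosts and the use of algorithm ECDSAP256SHA256 are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build a forward zone and a SEPARATE
# reverse zone for the same hosts, sign each with its own key pair, and check
# the result. Assumed names: zone "network", subnet 192.168.0.0/24, output
# directory ./zones; the host list below is constructed for the example.
set -eu

ZONE=network
REV=0.168.192.in-addr.arpa
OUT=${1:-./zones}

# Constructed hosts (name, address). None of these are real.
HOSTS="dns 192.168.0.1
www 192.168.0.10
mail 192.168.0.25"

# SOA and NS apex records. Only $ORIGIN differs between the two zones: every
# relative name in the file hangs off it, which is why one file cannot serve both.
zone_header() {
    printf '$ORIGIN %s.\n$TTL 86400\n' "$1"
    printf '@ IN SOA dns.%s. hostmaster.%s. (2011052301 3600 900 1209600 86400)\n' "$ZONE" "$ZONE"
    printf '@ IN NS dns.%s.\n' "$ZONE"
}

# Write db.network (A records) and db.0.168.192.in-addr.arpa (PTR records)
# into the directory given as $1.
write_zones() {
    mkdir -p "$1"
    {
        zone_header "$ZONE"
        printf '%s\n' "$HOSTS" | awk '{ printf "%s IN A %s\n", $1, $2 }'
    } > "$1/db.$ZONE"
    {
        zone_header "$REV"
        # Owner is the last octet only; the first three come from $ORIGIN.
        printf '%s\n' "$HOSTS" | awk -v z="$ZONE" \
            '{ n = split($2, o, "."); printf "%s IN PTR %s.%s.\n", o[n], $1, z }'
    } > "$1/db.$REV"
}

# Generate a KSK and a ZSK for zone $2, $INCLUDE their public keys into the
# unsigned file $3 (inside directory $1), sign, and check. Produces $3.signed.
# ECDSAP256SHA256 is assumed to be available in this BIND build; the RSASHA1
# keys used in the thread are no longer a sensible choice.
sign_zone() {
    (
        cd "$1"
        ksk=$(dnssec-keygen -a ECDSAP256SHA256 -n ZONE -f KSK "$2")
        zsk=$(dnssec-keygen -a ECDSAP256SHA256 -n ZONE "$2")
        printf '$INCLUDE %s.key\n$INCLUDE %s.key\n' "$ksk" "$zsk" >> "$3"
        dnssec-signzone -o "$2" -e +2592000 -k "$ksk.key" "$3" "$zsk.key"
        named-checkzone "$2" "$3.signed"
    )
}

write_zones "$OUT"
if command -v dnssec-signzone >/dev/null 2>&1; then
    sign_zone "$OUT" "$ZONE" "db.$ZONE"
    sign_zone "$OUT" "$REV" "db.$REV"
else
    echo "BIND tools not found; unsigned zones written to $OUT" >&2
fi
```

After signing, each `zone` stanza in named.conf must point at its own `.signed` file (`db.network.signed` for `"network"`, `db.0.168.192.in-addr.arpa.signed` for `"0.168.192.in-addr.arpa"`). A quick check from a host in the allowed subnet is `dig -x 192.168.0.1 @192.168.0.1 +dnssec`, which should return the PTR together with its RRSIG. Note that `dnssec-validation` only affects the server's resolver side; it does nothing for the authoritative zones this thread is about, and `dnssec-enable` has been removed from current BIND releases.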


----------



## SirDice (May 23, 2011)

Use separate files for the zones.


----------



## Gwendou (May 23, 2011)

I'll try this and post the results afterwards.


----------



## Gwendou (May 23, 2011)

Must I create KSK and ZSK for normal and reverse DNS?


----------



## Gwendou (May 23, 2011)

I have created 2 ZSKs and 1 KSK for the files db.network and db.reverse.network. I have generated db.network.signed and db.reverse.network.signed, and the normal DNS works but not the reverse DNS. Nothing has changed.


----------



## SirDice (May 24, 2011)

Turn off DNSSEC for a second and make sure everything works before adding it.


----------

