stub zone and dnssec processing fails?
Paul Wouters
paul at xelerance.com
Thu Oct 1 15:04:57 UTC 2009
Hi,
I've been trying to configure bind to use a stub zone, for which I
have keys configured. When I do this, I see a ServFail, with the
logs pointing to:
01-Oct-2009 11:00:03.053 lame-servers: info: not insecure resolving 'xelerance.ca/DNSKEY/IN': 193.110.157.135#53
When I disable the trusted-keys {} for this zone, the resolving
works, but then it seems to ignore the stub and go out via the
regular path.
Enabling/disabling DLV did not make a difference. The relevant parts of
the named.conf:
options {
    dnssec-enable yes;
    dnssec-validation yes;
    // dnssec-lookaside . trust-anchor dlv.isc.org.;
    recursion yes;
};
zone "ca." IN {
    type stub;
    masters { 192.228.22.190; 192.228.22.189; };
};
trusted-keys {
"ca." 257 3 7 "AwEAAbTcBX0/Z6uh4gUFmPhNMExALpP8eVy+KyHQ3IY8z/XlDoRVoe2Cv0IXBWp
MFme3sQpAEGg9Ps1+lYXpn2zO0BfpcED2nVlZ9KFBwh1MuEHvaAAkYKZtT/aqOIDJftRdmU8ClFZgaeJ
c8Scvf5boGczVvG/ZdbDpHVM73x6a4rQqjTDlgwSaNU+/vimOWii5d4lWBxUDQKsqkQ27UGqyGtYQxNY
giRGx80phZkmhxOnSwfXIG/RJa0Hl6CtlsG3klywJ+7NAZM/n8Y0TQqjOHudC0SedXSCmQ0C/Ds0QX5M
7c/S7alVBYsOdHhJF05MaIA5ij0thAmuvJUW7ofqO5ec=" ; // key id = 46215
};
Paul