DLV dnssec setup

Wolfgang Rosenauer wrosenauer at gmail.com
Thu Jul 10 10:53:43 UTC 2014


Hi,

I'm pretty much new to DNSSEC and am trying to deploy my first BIND to
support it correctly.
My BIND version is 9.9.4P2, and what I did is the following, just to
allow DNSSEC validation (no zone management yet):

        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside . trust-anchor dlv.isc.org.;
        managed-keys-directory "/var/lib/named/dyn/";

managed-keys {
        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
        # NOTE: This key is activated by setting "dnssec-lookaside auto;"
        # in named.conf.
        dlv.isc.org. initial-key 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
                TDN0YUuWrBNh";

        # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        # NOTE: This key is activated by setting "dnssec-validation auto;"
        # in named.conf.
        . initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                QxA+Uk1ihz0=";
};

I get strange behaviour which I cannot explain though:

BIND startup shows:
2014-07-10T12:43:52.621536+02:00 s15418965 named[29093]: using built-in root key for view _default
2014-07-10T12:43:52.622344+02:00 s15418965 named[29093]: set up managed keys zone for view _default, file '/var/lib/named/dyn//managed-keys.bind'
[...]
2014-07-10T12:43:52.684928+02:00 s15418965 named[29093]: managed-keys-zone: journal file is out of date: removing journal file
2014-07-10T12:43:52.685668+02:00 s15418965 named[29093]: managed-keys-zone: loaded serial 31

Afterwards I see:
s15418965:/var/lib/named/log # dig @127.0.0.1 www.isc.org

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> @127.0.0.1 www.isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59813
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.isc.org.                   IN      A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 10 12:48:57 CEST 2014
;; MSG SIZE  rcvd: 40

10-Jul-2014 12:48:47.466 dnssec: debug 3: validating @0x7f48140012e0: . NS: starting
10-Jul-2014 12:48:47.466 dnssec: debug 3: validating @0x7f48140012e0: . NS: attempting positive response validation
10-Jul-2014 12:48:47.483 dnssec: debug 3: validating @0x7f480c00c920: . DNSKEY: starting
10-Jul-2014 12:48:47.483 dnssec: debug 3: validating @0x7f480c00c920: . DNSKEY: attempting positive response validation
10-Jul-2014 12:48:47.484 dnssec: debug 3: validating @0x7f480c00c920: . DNSKEY: verify rdataset (keyid=19036): success
10-Jul-2014 12:48:47.484 dnssec: debug 3: validating @0x7f480c00c920: . DNSKEY: signed by trusted key; marking as secure
10-Jul-2014 12:48:47.484 dnssec: debug 3: validator @0x7f480c00c920: dns_validator_destroy
10-Jul-2014 12:48:47.484 dnssec: debug 3: validating @0x7f48140012e0: . NS: in fetch_callback_validator
10-Jul-2014 12:48:47.484 dnssec: debug 3: validating @0x7f48140012e0: . NS: keyset with trust secure
10-Jul-2014 12:48:47.484 dnssec: debug 3: validating @0x7f48140012e0: . NS: resuming validate
10-Jul-2014 12:48:47.484 dnssec: debug 3: validating @0x7f48140012e0: . NS: verify rdataset (keyid=8230): success
10-Jul-2014 12:48:47.484 dnssec: debug 3: validating @0x7f48140012e0: . NS: marking as secure, noqname proof not needed
10-Jul-2014 12:48:47.484 dnssec: debug 3: validator @0x7f48140012e0: dns_validator_destroy

but also some working ones:

s15418965:/var/lib/named/log # dig @127.0.0.1 www.mailbox.org

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> @127.0.0.1 www.mailbox.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40561
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mailbox.org.               IN      A

;; ANSWER SECTION:
www.mailbox.org.        900     IN      A       80.241.60.194

;; AUTHORITY SECTION:
mailbox.org.            900     IN      NS      ns2.jpberlin.de.
mailbox.org.            900     IN      NS      ns.jpberlin.de.

;; ADDITIONAL SECTION:
ns.jpberlin.de.         86400   IN      A       213.203.238.4
ns.jpberlin.de.         1800    IN      AAAA    2001:67c:2050:1::53:1
ns2.jpberlin.de.        86400   IN      A       194.150.191.56
ns2.jpberlin.de.        1800    IN      AAAA    2001:67c:14c:12f::56:2

;; Query time: 487 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 10 12:52:17 CEST 2014
;; MSG SIZE  rcvd: 194


Probably I'm missing some basic understanding, but I'm confused about the
above behaviour.

Any explanations?


Thanks,
 Wolfgang
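The two dig runs in the post differ in exactly the fields a validating resolver uses to report its verdict: the `status` (NOERROR vs SERVFAIL) and the `ad` (Authentic Data) flag, which the mailbox.org answer carries and which means the resolver itself validated the chain of trust. The standard way to tell a validation failure apart from an unreachable upstream is to repeat the failing query with `+cd` (Checking Disabled): if that succeeds while the plain query SERVFAILs, the data was reachable and the validator rejected it. The following is an added example, not code from the post or from BIND; it parses the header and flags lines dig prints and applies that rule. The SERVFAIL and NOERROR samples are copied from the post's output; the `+cd` sample is constructed for illustration and assumes the resolver answers such a query.

```python
"""Classify a resolver's DNSSEC validation state from dig output.

Added example, not part of the original post. It reads the
';; ->>HEADER<<-' and ';; flags:' lines that dig prints and applies the
standard diagnosis: plain query SERVFAIL + same query with +cd NOERROR
means the resolver reached the data but rejected it during validation.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)


@dataclass
class DigResult:
    status: str          # NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: set           # e.g. {"qr", "rd", "ra", "ad"}
    answer_count: int

    @property
    def validated(self) -> bool:
        # 'ad' is set only when the resolver validated the answer itself.
        return "ad" in self.flags


def parse_dig(output: str) -> DigResult:
    """Extract status, flags and answer count from one dig response."""
    header = HEADER_RE.search(output)
    flags = FLAGS_RE.search(output)
    if not header or not flags:
        raise ValueError("not a dig response: header or flags line missing")
    return DigResult(
        status=header.group(2),
        flags=set(flags.group(1).split()),
        answer_count=int(flags.group(3)),
    )


def classify(plain: DigResult, checking_disabled: DigResult) -> str:
    """Combine a plain query and the same query run with +cd."""
    if plain.status == "NOERROR" and plain.validated:
        return "secure"              # answer validated, AD flag set
    if plain.status == "NOERROR":
        return "insecure"            # answer returned, no chain of trust (no AD)
    if plain.status == "SERVFAIL" and checking_disabled.status == "NOERROR":
        return "validation-failure"  # data reachable, rejected by the validator
    if plain.status == "SERVFAIL":
        return "upstream-failure"    # fails even without validation
    return "other:" + plain.status


# Samples: the first two are the header/flags lines from the post's dig
# runs; the third is a constructed +cd response for the failing name.
ISC_PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59813
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
ISC_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59814
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
MAILBOX_PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40561
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
"""


def diagnose_samples() -> dict:
    """Run the classifier over the embedded samples."""
    return {
        "www.isc.org": classify(parse_dig(ISC_PLAIN), parse_dig(ISC_CD)),
        "www.mailbox.org": classify(parse_dig(MAILBOX_PLAIN), parse_dig(MAILBOX_PLAIN)),
    }


if __name__ == "__main__":
    for name, verdict in diagnose_samples().items():
        print(f"{name}: {verdict}")
```

Against a live resolver, feed `parse_dig` the output of `dig @127.0.0.1 <name>` and of `dig @127.0.0.1 <name> +cd`; adding `+dnssec` to either also returns the RRSIG records so a rejected signature can be inspected. A `validation-failure` verdict points at the trust anchors and the zone's signatures, while `upstream-failure` points at reachability, so the two are worth separating before reading the `dnssec: debug 3` log.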

