dnssec validation issue
Mark Andrews
marka at isc.org
Fri Jun 19 01:10:28 UTC 2015
In message <1434674101.18744.119.camel at ns.five-ten-sg.com>, Carl Byington writes:
> I have multiple centos6 boxes running 9.10.2-P1, and almost everything
> looks good. However, one box seems to not be doing dnssec validation. It
> is possible that this behavior predates the latest updates and I just
> never noticed it.
>
> A and B have essentially identical configuration, except that A is the
> master for some zones, and B is the slave pulling from A. Other than
> that, the /etc/named.conf is identical. A also has ipv6 connectivity,
> and B does not. The authoritative side works nicely on both. The
> recursive resolver is where the difference shows up.
>
> On A:
>
> dig www.dnssec-failed.org @localhost
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19813
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
> ;; ANSWER SECTION:
> www.dnssec-failed.org. 7178 IN A 68.87.109.242
> www.dnssec-failed.org. 7178 IN A 69.252.193.191
>
> On B:
> dig www.dnssec-failed.org @localhost
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4969
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
You don't have any trust anchors active.
To use the keys in "/etc/named.iscdlv.key" set "dnssec-validation auto;"
> /etc/named.conf:
>
> options {
>     directory "/var/named";
>     allow-recursion { "friends"; };
>     dnssec-enable yes;
>     dnssec-validation yes;
>     bindkeys-file "/etc/named.iscdlv.key";
>     managed-keys-directory "/var/named/dynamic";
>     listen-on-v6 { any; };
>     ixfr-from-differences yes;
>     max-journal-size 2m;
>     notify yes;
>     response-policy { zone "rpz.five-ten-sg.com"; };
>     qname-wait-recurse no;
>     filter-aaaa-on-v4 yes;
>     filter-aaaa { "brokenv6"; };
>     rate-limit {
>         responses-per-second 5;
>         errors-per-second 5;
>         nxdomains-per-second 40;
>         qps-scale 300;
>         exempt-clients { "friends"; };
>     };
> };
>
>
> A is neither master nor slave for dnssec-failed.org, and that domain is
> not mentioned in the rpz zone.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
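An added check script (not from this thread or from ISC) that spots the configuration Mark describes: with "dnssec-validation yes;" named validates only if explicit trusted-keys/managed-keys are present, while "auto" loads the bindkeys-file root key. It also classifies a captured dig header, since a validated answer carries the "ad" flag and the posted output from box A has none. Sample inputs are constructed from the options block and dig output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: reports whether a named.conf will really
# validate. "dnssec-validation yes;" only validates when the config also carries
# trusted-keys/managed-keys; "auto" loads the bindkeys-file (or built-in) root key.
# Comment stripping is simplified; this is not a full named.conf parser.
trust_anchor_status() {
    body=$(printf '%s\n' "$1" | sed -e 's|//.*||' -e 's|#.*||')   # drop comments
    mode=$(printf '%s\n' "$body" |
        sed -n 's/.*dnssec-validation[[:space:]]*\([a-z]*\).*/\1/p' | head -n1)
    case "$mode" in
        auto) echo auto ;;       # validating; anchors come from bindkeys-file
        yes)
            if printf '%s\n' "$body" |
                grep -Eq '^[[:space:]]*(trusted-keys|managed-keys)[[:space:]]*[{]'
            then echo yes        # validating with explicit anchors
            else echo none       # "yes" but no anchors configured: no validation
            fi ;;
        *) echo off ;;           # "no" or unset
    esac
}

# Classify a captured dig header: validated answers carry the "ad" flag.
dig_validation() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n1)
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n1)
    if [ "$status" = SERVFAIL ]; then echo servfail
    else case " $flags " in *" ad "*) echo validated ;; *) echo unvalidated ;; esac
    fi
}

# Constructed inputs mirroring the posted options block and dig output.
AS_POSTED='options {
    dnssec-validation yes;
    bindkeys-file "/etc/named.iscdlv.key";
};'
CORRECTED='options {
    dnssec-validation auto;
    bindkeys-file "/etc/named.iscdlv.key";
};'
DIG_A=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19813
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11'
DIG_B=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4969
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

echo "as posted: $(trust_anchor_status "$AS_POSTED")"   # none
echo "corrected: $(trust_anchor_status "$CORRECTED")"   # auto
echo "box A dig: $(dig_validation "$DIG_A")"            # unvalidated
```

Run it against a real named.conf by passing the file contents, e.g. `trust_anchor_status "$(cat /etc/named.conf)"`, and against `dig +dnssec` output to confirm the "ad" flag appears once validation is active.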