authenticated DNSSEC responses

Suresh Krishnaswamy suresh at ittc.ukans.edu
Tue Apr 24 01:57:57 UTC 2001



Dear Folks,

I sent out this mail some while back without any response.
I will sincerely appreciate any help received on this query.


Regards,
Suresh

-------------------------------------------------------------------------

I am trying to use the lwres_getrrsetbyname function to get authenticated
responses from my DNS server (BIND 9.1, RH6.2). I have been checking for
the authenticity based on the (rrsetinfo *)->rri_flags having the
RRSET_VALIDATED bit set. For some reason however, this bit continues to
remain OFF. 

I have proceeded as follows:

1. generated the keys for my zone using:
   dnssec-keygen -a DSA -b 640 -n ZONE my.zone.

2. included the public key file in the zone file:
   $INCLUDE Kmy.zone.+003+07629.key

3. signed the zone file using
   dnssec-signzone -a -p -o my.zone. zone_file Kmy.zone.+003+07629.private

4. Modified /etc/named.conf to refer to zone_file.signed as the zone file

5. added the trusted-keys declarative corresponding to the public key of
my zone:

   trusted-keys {
    "my.zone." 256 3 3
"ApA98dbN1AK1di+OdTyWsXbF/+JZ8IlxtVqruDQa8IzzcohRvSPDrxkM
zP7rGF1e+4LDdH5ixO451PbIGmVXDNBuPOn/tuwC/UNSLEpkTNZOokFV
02lzHlvTGBCE613MoFLtnx0n7aBq/K6eY93lCQVnrnyajsAcAEjNrcGy
7zBPCNX9ZaZX/gBw7nqRF41dOwcJ4wEQjQWqZvMtx8VvczyrVKBpRM3r
4wqPXfBhd3h+lpdAunDjjbHxnOurmyW6taemSxAn6aidK+OZX1WctpXo
Mc4Km/QPAog2h2dEEDu5V1nf5WUFWkqfgFzUjZ6QmNt1mYTx5GojPCAv hNMu70OSwjUt" ;
 };

The res value returned contains the correct data and signature pairs but
the RRSET_VALIDATED flag continues to remain OFF. Am I correct in my
interpretation of the RRSET_VALIDATED bit?
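
An added example, not part of the original post and not BIND's own code: a check that the key entered in trusted-keys is the key named by the K<name>+<alg>+<tag> file used in the steps above, done by computing the DNSSEC key tag from the flags, protocol, algorithm and base64 key fields. The function names and the three-byte sample key are constructed for illustration; the key tag routine follows RFC 4034 Appendix B.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode base64, skipping whitespace so line-wrapped keys can be passed as-is. */
static size_t b64_decode(const char *in, uint8_t *out, size_t cap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) continue;                       /* space, newline, etc. */
        acc = (acc << 6) | (uint32_t)(p - tbl);
        bits += 6;
        if (bits >= 8) { bits -= 8; if (n < cap) out[n++] = (uint8_t)(acc >> bits); }
    }
    return n;
}

/* Key tag over the key RDATA: flags(2) | protocol(1) | algorithm(1) | key.
 * Valid for every algorithm except 1 (RSA/MD5), which uses a different rule. */
uint16_t key_tag(uint16_t flags, uint8_t proto, uint8_t alg, const char *b64) {
    uint8_t rd[1024];
    rd[0] = (uint8_t)(flags >> 8); rd[1] = (uint8_t)(flags & 0xff);
    rd[2] = proto; rd[3] = alg;
    size_t len = 4 + b64_decode(b64, rd + 4, sizeof rd - 4);
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rd[i] : (uint32_t)rd[i] << 8;
    ac += (ac >> 16) & 0xffff;
    return (uint16_t)(ac & 0xffff);
}

/* Returns 1 if the +<alg>+<tag> part of a key file name agrees with the fields. */
int matches_keyfile(const char *fname, uint16_t flags, uint8_t proto,
                    uint8_t alg, const char *b64) {
    const char *plus = strchr(fname, '+');
    unsigned falg, ftag;
    if (!plus || sscanf(plus, "+%u+%u", &falg, &ftag) != 2) return 0;
    return falg == alg && ftag == key_tag(flags, proto, alg, b64);
}

int main(void) {
    /* Constructed sample: a 3-byte "key" (01 02 03), not a real DSA key. */
    const char *key = "AQID";
    printf("key tag: %05u\n", (unsigned)key_tag(256, 3, 3, key));
    printf("matches file name: %d\n",
           matches_keyfile("Kexample.test.+003+02053.key", 256, 3, 3, key));
    return 0;
}
```

To apply it to a real configuration, pass the four fields of the trusted-keys entry and the name of the .key file that was included in the zone.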











More information about the bind-users mailing list