Again: Bind 9 DNSSEC logging

Jim Reid jim at rfc1035.com
Tue Dec 11 18:20:13 UTC 2001


>>>>> "johann" == johann kraus <johann.kraus at vodafone-telecommerce.de> writes:

    johann> I tested the functionality of the log file. The log file
    johann> is accessible by the name server. The name server has
    johann> write permission too. The logging statement on the same
    johann> file with the "category queries" works very well.

You didn't say if the name server had the dnssec log file open, but
let's assume it does.

    johann> Is there a problem with my DNSSEC configuration:

I couldn't see anything wrong with it in my admittedly cursory
glance. [The key{} and server{} statements seem pointless since
nothing seems to use them. Oh well.] And hiding the actual output
and named.conf files isn't helpful: don't do this.

However nothing you showed would appear to make the server generate
DNSSEC logs. Try using TSIG on zone transfers and watch the server
validate them. Keep things simple: get TSIG logging to work first,
then worry about logging SIG and KEY checking. Signing a zone and
giving it to a slave server won't create DNSSEC logs (unless you have
TSIG on the zone transfers). A BIND9 server will validate SIG records
when it encounters them when resolving. It does not validate SIGs in
any secure zones when it loads them. [Ultimately the server has to
trust the filesystem for the SIGs and KEYs, so why validate them when
they're already on the local file system?] You'll probably need to set
up a recursive server with a suitable trusted-keys{} statement which
queries an authoritative server for the signed zone. This setup should
generate DNSSEC logs with an appropriate logging{} statement.
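
As an added example (not from this thread or from BIND's own documentation), here are named.conf fragments for the setup described above: a dnssec logging channel, TSIG-keyed zone transfers on the slave, and a trusted-keys{} statement on a separate recursive server. File paths, zone and key names, the IP address and all key material are placeholders.

```conf
// Added example, not from the thread. Paths, names, addresses and key
// material are placeholders; the trust anchor must match the zone's KEY RR.

// Shared by both servers: send the dnssec category to its own file.
logging {
    channel dnssec_log {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity debug 3;        // validation detail is logged at debug levels
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // "dnssec" covers DNSSEC validation and TSIG processing
    category dnssec { dnssec_log; };
};

// --- Slave server: TSIG on zone transfers ---------------------------

// Key shared with the master; the secret is a placeholder.
key "xfer-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

// Sign all traffic to the master so transfers (and their TSIG
// verification) appear in the dnssec log.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type slave;
    file "slave/example.com";
    masters { 192.0.2.1; };
};

// --- Separate recursive server: validate the signed zone -------------

options {
    recursion yes;
};

// Trust anchor: flags, protocol, algorithm and base64 key are placeholders
// copied from the zone's KEY record (256 = zone key, protocol 3, alg 1 = RSA/MD5).
trusted-keys {
    "example.com." 256 3 1 "PLACEHOLDER_BASE64_PUBLIC_KEY";
};
```

Query the recursive server for a name in the signed zone and watch dnssec.log; the slave's log should show TSIG-verified transfers as soon as the master serves a new serial.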

