Unable to get authenticated negative responses from BIND 9.6.0 w/ NSEC3?

Johan Ihren johani at johani.org
Fri Jan 9 10:58:12 UTC 2009



I realise this just has to be a user error, but so far I've been  
completely unsuccessful in getting an authenticated response from a  
9.6.0 recursive server with trusted keys correctly configured.

I've done this:

* Signed the zones:

"parent" is signed with NSEC semantics, key algorithm is RSASHA1
"child1.parent" is signed with NSEC, key algorithm is RSASHA1
"child2.parent" is signed with NSEC3, key algorithm is NSEC3RSASHA1

* Created the secure delegations:

the DS records for child1.parent and child2.parent both use the  
correct algorithm numbers (5 and 7 respectively)

* Configured a trusted key for "parent" in a recursive server:

The trusted key is correctly configured, because I'm able to validate  
positive responses from all three zones (which also proves that the  
delegations are correctly secured via the DS records). I'm also able  
to validate negative responses from "parent" and "child1.parent".

And, yes, I have "dnssec-enable yes; dnssec-validation yes;" in  
relevant places.

But I fail to validate the interesting case, i.e. a negative response  
from child2.parent containing NSEC3 records as the proof. I get the  
response, with all the NSEC3s and their RRSIGs. But no AD bit.

Anyone done this recently who can give me a suggestion to where I may  
go wrong?

Johan

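A validator only sets the AD bit on an NXDOMAIN answer when the NSEC3 records in the authority section actually prove the name's absence: the closest encloser must be matched, the "next closer" name must be covered, and the wildcard at the closest encloser must be covered (RFC 5155, section 8.4). When a response carries NSEC3s and RRSIGs but comes back without AD, it is worth checking that proof by hand before suspecting keys or configuration. The following is an added example, not code from the post above and not part of BIND: it hashes names the way RFC 5155 specifies and walks the proof over a list of (owner hash, next hash) pairs copied from a response. The salt and iteration count are the RFC 5155 Appendix A values, the two-name chain is constructed here for the demonstration, and RRSIG verification and the opt-out flag are deliberately left out.

```python
"""Offline check of an NSEC3 NXDOMAIN proof (RFC 5155 hashing + closest-encloser walk).

Added example: not BIND code and not from the original post. Salt/iterations are
the RFC 5155 Appendix A values; the NSEC3 chain in demo() is constructed here.
"""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 base32hex alphabet


def to_wire(name):
    """Canonical (lowercase) uncompressed wire form of a dotted name."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("bad label length: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data):
    """base32hex without padding; a 20-byte SHA-1 digest becomes exactly 32 chars."""
    bits = "".join(format(b, "08b") for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); H = SHA-1."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def covers(owner, nxt, target):
    """True if target lies strictly between owner and next; the last NSEC3 wraps to the first."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt


def find_match(chain, h):
    return next((rr for rr in chain if rr[0] == h), None)


def find_cover(chain, h):
    return next((rr for rr in chain if covers(rr[0], rr[1], h)), None)


def parents(name):
    """The name itself followed by each ancestor, e.g. b.example. -> [b.example., example.]."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def nxdomain_proof(qname, chain, salt, iterations):
    """Return (ok, detail) for the NXDOMAIN proof in RFC 5155 section 8.4.

    chain: (owner_hash, next_hash) pairs, lowercase base32hex, taken from the NSEC3 RRs
    in the authority section. Opt-out handling and RRSIG checks are not performed here.
    """
    names = parents(qname)
    if find_match(chain, nsec3_hash(names[0], salt, iterations)):
        return False, "qname has a matching NSEC3, so the name exists"
    for i in range(1, len(names)):
        if find_match(chain, nsec3_hash(names[i], salt, iterations)):
            closest, next_closer = names[i], names[i - 1]
            break
    else:
        return False, "no closest encloser matched"
    nc = find_cover(chain, nsec3_hash(next_closer, salt, iterations))
    if nc is None:
        return False, "next closer name %s is not covered" % next_closer
    wc = find_cover(chain, nsec3_hash("*." + closest, salt, iterations))
    if wc is None:
        return False, "wildcard *.%s is not covered" % closest
    return True, "closest encloser %s; next closer covered by %s; wildcard covered by %s" % (
        closest, nc[0], wc[0])


SALT = bytes.fromhex("aabbccdd")  # RFC 5155 Appendix A salt
ITERATIONS = 12                   # RFC 5155 Appendix A iteration count


def demo():
    # Constructed two-name zone: apex "example." and delegation "a.example."; chain wraps.
    apex, a = nsec3_hash("example.", SALT, ITERATIONS), nsec3_hash("a.example.", SALT, ITERATIONS)
    chain = sorted([(apex, a), (a, apex)])
    for q in ("b.example.", "a.example.", "x.y.example."):
        ok, detail = nxdomain_proof(q, chain, SALT, ITERATIONS)
        print("%-14s %s  %s" % (q, "PROVEN" if ok else "NOT PROVEN", detail))
    return chain


if __name__ == "__main__":
    demo()
```

To use it against a real response, take each NSEC3 owner label (the hashed first label) and the Next Hashed Owner Name field from `dig +dnssec` output, lowercase them, and pass the pairs as `chain` with the zone's salt and iteration count from the NSEC3PARAM record. If the proof here fails, the server is right to withhold AD and the problem is in the signed zone; if it passes, the fault lies in signature verification or the chain of trust rather than in the NSEC3 records themselves.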



More information about the bind-users mailing list