Bug in Bind 9.8 or am I doing something wrong?

Lyle Giese lyle at lcrcomputer.net
Tue Sep 6 13:56:06 UTC 2011


I was following Mark Andrews' discussion with a user about DNSSEC and 
played with it here and found an issue.  Not sure if I am doing 
something wrong or if there is a bug somewhere.

We have a Windows AD domain and use Bind 9.8 on our Linux servers for 
most DNS resolution.  In order to politely set things up, I forwarded the 
queries for AD zones to the Windows server:

zone "chaseprod.local" {
	type forward;
	forwarders { 10.0.100.205; };
};

This seemed to work until I added some stuff for DNSSEC to my named.conf.

In the global option section, I have:

	dnssec-enable yes;
	dnssec-validation auto;
	dnssec-lookaside auto;

And as a general option, I added:

include "/etc/bind.keys";

Under Bind 9.8.0-P4 and Bind 9.8.1 (compiled from source with no special 
options under SLES 10), resolution of a valid record in the forwarded 
zone fails when I add the above dnssec options:


; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58140
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local.	IN	A

;; AUTHORITY SECTION:
.			10794	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2011090600 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep  6 08:43:25 2011
;; MSG SIZE  rcvd: 123

If I comment out dnssec-validation auto and the include for bind.keys, 
the resolution for the forwarded zone works:


; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7529
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 3

;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local.	IN	A

;; ANSWER SECTION:
chasew8s1.corp.chaseprod.local.	2599 IN	A	10.0.102.10
chasew8s1.corp.chaseprod.local.	2599 IN	A	10.0.100.205

;; AUTHORITY SECTION:
.			517399	IN	NS	l.root-servers.net.
.			517399	IN	NS	d.root-servers.net.
.			517399	IN	NS	k.root-servers.net.
.			517399	IN	NS	i.root-servers.net.
.			517399	IN	NS	a.root-servers.net.
.			517399	IN	NS	g.root-servers.net.
.			517399	IN	NS	m.root-servers.net.
.			517399	IN	NS	b.root-servers.net.
.			517399	IN	NS	j.root-servers.net.
.			517399	IN	NS	f.root-servers.net.
.			517399	IN	NS	h.root-servers.net.
.			517399	IN	NS	e.root-servers.net.
.			517399	IN	NS	c.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net.	604029	IN	AAAA	2001:503:c27::2:30
l.root-servers.net.	604031	IN	A	199.7.83.42
m.root-servers.net.	604061	IN	A	202.12.27.33

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep  6 08:42:47 2011
;; MSG SIZE  rcvd: 351

Is this a bug or am I doing something wrong?

Thanks,
Lyle Giese
LCR Computer Services, Inc.
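One way to tell a validation failure from an ordinary lookup failure, as an added example that is not part of the original post: query the resolver twice, once normally and once with dig's +cd flag (checking disabled, so BIND hands back the forwarded answer without validating it), and compare the status fields. The helper below parses captured dig output so it can run offline; the two transcripts it embeds are constructed from the headers quoted above, and the resolver address 127.0.0.1 is an assumption.

```shell
#!/bin/sh
# Classify a resolver failure as validation-related or not by comparing the
# ";; ->>HEADER<<-" status of a normal query with that of a +cd query.
# Added example, not from the original post.

# Extract "status: XXX" from dig output read on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Arguments: status of the normal query, status of the +cd query.
# Prints a one-word verdict.
classify() {
    normal="$1"
    cdstat="$2"
    if [ "$normal" = "NOERROR" ]; then
        echo "ok"
    elif [ "$cdstat" = "NOERROR" ]; then
        # The forwarder answers once validation is bypassed, so the resolver
        # is rejecting the unsigned forwarded answer, not failing to reach it.
        echo "validation"
    else
        echo "upstream"
    fi
}

# Live check of one name against a resolver (assumed 127.0.0.1 by default).
check_name() {
    name="$1"; server="${2:-127.0.0.1}"
    n=$(dig @"$server" "$name" A | dig_status)
    c=$(dig @"$server" "$name" A +cd | dig_status)
    classify "$n" "$c"
}

# Constructed transcripts, modelled on the two dig headers quoted above.
FAIL_OUT=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58140'
OK_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7529'

# Offline demo: feeds the constructed transcripts instead of running dig.
demo() {
    classify "$(printf '%s\n' "$FAIL_OUT" | dig_status)" \
             "$(printf '%s\n' "$OK_OUT" | dig_status)"
}
```

Run `check_name chasew8s1.corp.chaseprod.local` against the validating resolver to get the live verdict; `demo` reproduces the classification from the captured headers alone.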