trying DNSSEC with 9.9-rc1

Spain, Dr. Jeffry A. spainj at countryday.net
Wed Feb 1 23:51:55 UTC 2012


> Any suggestions, folks? What am I not understanding?

Michael: To determine why there is no DNSSEC information being returned by your dig query, consider the following:

What are the timestamps in your key metadata? Are they currently published and active?
nstest/etc/namedb/keys;dnssec-settime -p all Ktransnetworks.net.+005+54607.private

What are the file modes and ownership of your keys? Can named running under whatever UID it is using read the keys?

What are the full contents of your unsigned and signed zone files? Any clues there?
nstest/etc/namedb/keys;named-checkzone -j -o - transnetworks.net transnetworks.net
nstest/etc/namedb/keys;named-checkzone -j -f raw -o - transnetworks.net transnetworks.net.signed

Are there syslog messages that indicate any problems signing your zone?
nstest/etc/namedb/keys;cat /var/log/syslog | grep named

Ultimately with dnssec-dsfromkey, you may wish to leave out "-2" and generate both SHA-1 and SHA-256 digests. Depending on your registrar, they may accept one, the other, or both. The DS record submission is usually done on your registrar's web site.

With dnssec-keygen, I used "-b 2048". I don't think there is a compelling argument for using a shorter key.

Note that dig +dnssec queries targeted at your authoritative server will ultimately return DNSSEC records but will never return an AD flag. Eventually you will want to see the AD flag to know that all is well with the chain of trust through "net." up to the DNS root zone, and for this you will need a DNSSEC-enabled recursive resolver. You can use DNS-OARC's open validating resolver to test: https://www.dns-oarc.net/oarc/services/odvr. You can fairly easily set up another bind server as a recursive resolver for your own use as well. Two other good tests for your DNSSEC-enabled zones are at http://dnsviz.net/ and http://dnssec-debugger.verisignlabs.com/.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
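As an added example (not part of the original message or of BIND itself), the script below turns three of the checks above into code a zone operator can run offline against captured output: it decides from `dnssec-settime -p all` output whether a key is published and active at a given time, judges whether a key file's POSIX mode bits let named's UID read it, and inspects a dig answer for RRSIG records and the AD flag. The `dnssec-settime` line format, the dig header format and the sample inputs are all assumptions or constructed data, not captures from the poster's server.

```python
#!/usr/bin/env python3
"""Offline checks mirroring the troubleshooting list above: key timing metadata,
key-file permissions, and whether a dig answer carries RRSIGs and the AD flag.

Assumptions (this is an added example, not code from the original message):
  - `dnssec-settime -p all` output was captured beforehand and has lines such as
    "Activate: Wed Feb  1 20:00:00 2012" or "Revoke: UNSET" (assumed format).
  - Readability is judged from POSIX mode bits only; ACLs and capabilities are ignored.
  - dig header lines look like ";; flags: qr aa rd; QUERY: 1, ...".
"""
import os
import re
import stat
from datetime import datetime

SETTIME_FMT = "%a %b %d %H:%M:%S %Y"  # assumed timestamp format of dnssec-settime -p


def parse_settime(text):
    """Map each event (Publish, Activate, Revoke, Inactive, Delete, ...) to a
    datetime, or to None when dnssec-settime reports it as UNSET."""
    events = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+):\s*(.+?)\s*$", line)
        if m:
            name, value = m.groups()
            events[name] = None if value == "UNSET" else datetime.strptime(value, SETTIME_FMT)
    return events


def check_key_timing(settime_text, now_iso):
    """Simplified view of a key's state at time `now_iso` (ISO 8601):
    published = Publish reached and Delete not reached,
    active    = Activate reached and Inactive not reached,
    revoked   = Revoke reached. Events that are UNSET never count as reached."""
    events = parse_settime(settime_text)
    now = datetime.fromisoformat(now_iso)

    def reached(name):
        t = events.get(name)
        return t is not None and t <= now

    return {
        "published": reached("Publish") and not reached("Delete"),
        "active": reached("Activate") and not reached("Inactive"),
        "revoked": reached("Revoke"),
    }


def mode_allows_read(mode, file_uid, file_gid, uid, gids):
    """POSIX read check: root reads anything; otherwise only the first matching
    class (owner, then group, then other) is consulted, so a 0600 key owned by
    root is unreadable for named even if it shares the file's group."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def key_readable_by(path, uid, gids):
    """Can a process with this uid and supplementary gid set read the key file?
    (Parent directories also need the search bit; that is not checked here.)"""
    st = os.stat(path)
    return mode_allows_read(st.st_mode, st.st_uid, st.st_gid, uid, set(gids))


def dig_flags(dig_output):
    """Header flags from captured dig output, e.g. {'qr', 'aa', 'rd'}."""
    for line in dig_output.splitlines():
        m = re.match(r"^;; flags:\s*([a-z ]*);", line)
        if m:
            return set(m.group(1).split())
    return set()


def check_dig_answer(dig_output):
    """Does the answer carry RRSIG records, and did the responder set AD?
    An authoritative server answering dig +dnssec returns RRSIGs but no AD;
    only a validating recursive resolver sets AD."""
    rrsig = any(
        line.split()[3:4] == ["RRSIG"]
        for line in dig_output.splitlines()
        if line and not line.startswith(";")
    )
    return {"rrsig": rrsig, "ad": "ad" in dig_flags(dig_output)}


# Constructed sample inputs (not captured from any real server).
SAMPLE_SETTIME = """\
Created: Wed Feb  1 20:00:00 2012
Publish: Wed Feb  1 20:00:00 2012
Activate: Wed Feb  1 20:00:00 2012
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
"""
SAMPLE_DIG_AUTH = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.  3600 IN A 192.0.2.10
example.test.  3600 IN RRSIG A 5 2 3600 20120301000000 20120201000000 54607 example.test. c2lnbmF0dXJl
"""
SAMPLE_DIG_RESOLVER = SAMPLE_DIG_AUTH.replace("qr aa rd", "qr rd ra ad")

if __name__ == "__main__":
    print("key at 23:00:", check_key_timing(SAMPLE_SETTIME, "2012-02-01T23:00:00"))
    print("key at 19:00:", check_key_timing(SAMPLE_SETTIME, "2012-02-01T19:00:00"))
    print("authoritative answer:", check_dig_answer(SAMPLE_DIG_AUTH))
    print("validating resolver:", check_dig_answer(SAMPLE_DIG_RESOLVER))
    # A 0600 key owned by uid 53 (hypothetical named uid) is readable by 53 only.
    print("0600 owned by 53, uid 53:", mode_allows_read(0o600, 53, 53, 53, {53}))
    print("0600 owned by 53, uid 1000:", mode_allows_read(0o600, 53, 53, 1000, {1000}))
```

Run it as-is to see the constructed cases, or replace the sample strings with real captures (`dnssec-settime -p all K...private > settime.txt`, `dig +dnssec ... > dig.txt`) and call `key_readable_by` with the uid and gids named actually runs under. The timing rules are a deliberate simplification of named's key-state handling, enough to spot a key whose Publish or Activate time is still in the future.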
