DNSSEC: validation with "dnssec-must-be-secure" AND "dnssec-lookaside" fails

Robert Senger rs-isc at microscopium.de
Thu Feb 26 20:30:18 UTC 2015


Hi all,

I am struggling with weird behaviour of bind9 acting as authenticating
resolver, when querying DNSSEC enabled domains that are using DLV. My
registrar is still unable to sign DS records.

Everything works fine if only "dnssec-lookaside auto" option is set in
the resolver's named.conf.options file. When running "dig +dnssec
domain.tld", I get a correct answer with the "ad" flag set.

But after enabling "dnssec-must-be-secure domain.tld", the lookup fails
with lots of error messages in the log saying DNSKEY lookup failed for
domain.tld.

Then I added the domain.tld's key (the KSK) into the named.conf.options
file, in a "trusted-keys" section. Then, the lookups succeed again, with
"ad" flag set.

I wonder what happens here.

Can it be the case that DLV generally works, but not for domains listed
in "dnssec-must-be-secure" statements?

I am running bind 9.8.4 on Debian.

Cheers,

Robert


-- 
Robert Senger <robert.senger at microscopium.de>
PGP/GPG Public Key ID: 24E78B5E
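For readers trying to reproduce the three states described in the post, here is a named.conf.options fragment laid out as an added example (not configuration from the original message). The zone name domain.tld, the key tag/algorithm fields and the key material are placeholders, not real values; the "dnssec-validation auto" and "dnssec-enable yes" lines are assumed to already be present in a validating 9.8 resolver.

```conf
options {
    // Baseline validating resolver (assumed already present).
    dnssec-enable yes;
    dnssec-validation auto;

    // State 1 (works, "ad" flag set): lookaside validation via dlv.isc.org,
    // used because the registrar cannot publish DS records for the zone.
    dnssec-lookaside auto;

    // State 2 (DNSKEY lookup fails): additionally require the zone to be
    // proven secure. Comment this line out to return to state 1.
    dnssec-must-be-secure "domain.tld" yes;
};

// State 3 (works again): pin the zone's KSK as a static trust anchor so the
// must-be-secure check can be satisfied without a DS in the parent.
// Flags 257 = KSK, protocol 3, algorithm 8 = RSA/SHA-256 are placeholder
// field values; replace the key string with the real public KSK.
trusted-keys {
    "domain.tld" 257 3 8 "PLACEHOLDER_BASE64_KSK_PUBLIC_KEY==";
};
```

A static "trusted-keys" anchor does not follow key rollovers: if the zone's KSK changes, validation for that zone fails until the operator updates this block. Where the zone operator supports RFC 5011 timing, a "managed-keys" block with "initial-key" lets BIND 9.8 track the rollover automatically.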

