Issue with DNSSEC (BIND 9.10.3-P4-Raspbian <id:ebd72b3>)

Tony Finch dot at dotat.at
Mon Oct 2 16:14:09 UTC 2017


Dirk Gottschalk via bind-users <bind-users at lists.isc.org> wrote:
>
> The bind.keys file is available and I set dnssec-validation and dnssec-
> lookaside to auto.

That should work - however you should omit dnssec-lookaside since it does
not do anything any more. I also prefer not to have a bind.keys file and
instead I rely on the compiled-in keys, because that's one less thing to
keep up-to-date.

> But every time I try to resolve a name (denic.de for example) I get a
> SERVFAIL with dig. Turning the above options off and using dig with the
> +dnssec option I can see RRSIG for the domain and for the root server.

That's a bit puzzling.

> 30-Sep-2017 01:26:50.534 dnssec: validating ./NS: attempting insecurity proof
> 30-Sep-2017 01:26:50.534 dnssec: validating ./NS: insecurity proof failed
> 30-Sep-2017 01:26:50.534 dnssec: validating ./NS: got insecure response; parent indicates it should be secure

I think these log lines suggest that something is stripping DNSSEC records
somewhere, and there are similarly suspicious lines later in the log.

To get more information, try running:

$ delv +vtrace www.denic.de

which will give you slightly more debugging options than fiddling with
`named`. You can get a trace of response messages using +mtrace, or you
can point `delv` at a different server using @8.8.8.8 etc.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Biscay: Southwest veering northeast, 4 or 5. Moderate or rough. Occasional
rain. Moderate, occasionally poor.
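As an added example (not part of the thread or of BIND), the following Python scans a chunk of `named` validator log for the three-line pattern Tony points at, so that a log full of noise can be reduced to the names where the parent claims the child is signed but the answer arrived unsigned. The three quoted lines are taken from the post; the remaining sample lines and the `example.net` name are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Matches the validator log format quoted in the thread:
#   "30-Sep-2017 01:26:50.534 dnssec: validating ./NS: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: validating (?P<name>\S+)/(?P<rtype>\S+): (?P<msg>.*)$"
)

# The sequence that, for one name/type, suggests DNSSEC records were
# stripped between the resolver and whatever answered it.
STRIP_SEQUENCE = (
    "attempting insecurity proof",
    "insecurity proof failed",
    "got insecure response; parent indicates it should be secure",
)

def parse_line(line):
    """Return the fields of one validator line, or None for other log lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def contains_in_order(msgs, seq):
    """True if every message in seq appears in msgs, in that order (gaps allowed)."""
    it = iter(msgs)
    return all(any(m == want for m in it) for want in seq)

def find_stripped(lines):
    """Map each affected name to the record types whose log shows the full sequence."""
    seen = defaultdict(list)  # (name, rtype) -> messages in log order
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[(rec["name"], rec["rtype"])].append(rec["msg"])
    hits = defaultdict(list)
    for (name, rtype), msgs in seen.items():
        if contains_in_order(msgs, STRIP_SEQUENCE):
            hits[name].append(rtype)
    return dict(hits)

# Constructed sample: the first three lines are the ones quoted in the thread,
# the rest are made up to show a non-matching name and a non-validator line.
SAMPLE_LOG = [
    "30-Sep-2017 01:26:50.534 dnssec: validating ./NS: attempting insecurity proof",
    "30-Sep-2017 01:26:50.534 dnssec: validating ./NS: insecurity proof failed",
    "30-Sep-2017 01:26:50.534 dnssec: validating ./NS: got insecure response; parent indicates it should be secure",
    "30-Sep-2017 01:26:51.001 dnssec: validating example.net/A: attempting insecurity proof",
    "30-Sep-2017 01:26:51.002 general: (constructed noise line, not a validator message)",
]

if __name__ == "__main__":
    print(find_stripped(SAMPLE_LOG))  # {'.': ['NS']}
```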

