DNSSEC and BIND 9.12
Alan Clegg
alan at clegg.com
Sat Jan 26 19:55:18 UTC 2019
On 1/26/19 2:30 PM, @lbutlr wrote:
> On 26 Jan 2019, at 12:20, @lbutlr <kremels at kreme.com> wrote:
>> I then removed "auto-dnssec maintain" and "inline-signing yes" from the zone record in named.conf and now everything is behaving as expected when I query localhost for the DNSSEC info.
>
> I should have said, I have update-policy local; in the zone record, but if I add "inline-signing yes;" and/or "auto-dnssec allow;" then the query fails.
I have the following snippet in my named.conf and it works great:

    zone "boat" {
        type master;
        file "zone/boat";
        update-policy local;      // allow dynamic updates via the local session key (nsupdate -l)
        auto-dnssec maintain;     // sign with the keys in key-directory and refresh signatures as needed
        notify no;
    };
This is a "fake TLD" for "boat" that I maintain locally (on my boat).
It is DNSSEC signed, updates signatures automatically (as needed) and is
able to be updated locally (nsupdate -l).
I created the keys using something along the lines of:
    root@svlg-gateway:~# dnssec-keygen -a rsasha256 boat
    Generating key pair...........+++++ ......+++++
    Kboat.+008+41586
    root@svlg-gateway:~# dnssec-keygen -f k -a rsasha256 boat
    Generating key pair........................................................+++++ .............................................+++++
Then, after making sure that the keys were in the directory specified by
the key-directory option, I did an "rndc loadkeys".
With the appropriate trust anchors in place, data in the zone validates.
Does this help at all? If not, can you be a bit more detailed in the
problem you are trying to solve?
AlanC
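The step "make sure the keys are in key-directory" is where most loadkeys problems hide: a key file whose name does not match its contents, a KSK generated without -f k, or a stray key for a different zone. The following is an added example (not Alan's code and not part of BIND) that cross-checks a K<zone>.+<alg>+<tag>.key file against its file name: it parses the name dnssec-keygen prints, reads the DNSKEY record from the file, recomputes the key tag with the RFC 4034 Appendix B algorithm, and reports whether the key is a ZSK (flags 256) or a KSK (flags 257, the SEP bit set by -f k). The sample key files are constructed: their "public key" is the four bytes 01 02 03 04 so the tags (2062 and 2063) can be checked by hand; a real file carries the full RSA public key in the same field and the same check applies. File names, zone name and key IDs in the sample are assumptions for the example.

```python
"""Sanity-check dnssec-keygen output before "rndc loadkeys".

Added example, not BIND code. Sample key material below is constructed.
"""
import base64
import re
import struct

# DNSSEC algorithm numbers as they appear in the key file name (zero-padded).
ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}

# "Kboat.+008+41586" -> zone "boat", algorithm 8, key tag 41586
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def parse_keyfile_name(name):
    """Split the base name dnssec-keygen prints into (zone, algorithm, key tag)."""
    m = KEYFILE_RE.match(name)
    if not m:
        raise ValueError("not a dnssec-keygen key name: %r" % name)
    return m.group("zone"), int(m.group("alg")), int(m.group("tag"))


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # even offsets weigh the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse one presentation-format DNSKEY line (TTL optional), as found in a .key file."""
    fields = line.split()
    if fields[1].isdigit():                # "boat. 3600 IN DNSKEY ..." form
        del fields[1]
    owner, cls, rtype, flags, proto, alg = fields[:6]
    if (cls, rtype) != ("IN", "DNSKEY"):
        raise ValueError("not a DNSKEY record: %r" % line)
    pubkey = base64.b64decode("".join(fields[6:]))   # key may be split over several fields
    return {"owner": owner, "flags": int(flags), "protocol": int(proto),
            "algorithm": int(alg), "pubkey": pubkey}


def check_keyfile(name, key_file_text):
    """Cross-check a K<zone>.+<alg>+<tag>.key file against its name.

    Returns (role, problems): role is "KSK" or "ZSK", problems is a list of
    mismatches (empty when the file is consistent with its name).
    """
    zone, alg, tag = parse_keyfile_name(name)
    records = [parse_dnskey(l) for l in key_file_text.splitlines()
               if l.strip() and not l.lstrip().startswith(";")]   # skip keygen's comments
    if len(records) != 1:
        raise ValueError("expected exactly one DNSKEY record in %s.key" % name)
    rec = records[0]
    problems = []
    if rec["owner"].rstrip(".") != zone:
        problems.append("owner %s is not zone %s" % (rec["owner"], zone))
    if rec["algorithm"] != alg:
        problems.append("algorithm %d in file, %d in name" % (rec["algorithm"], alg))
    if rec["protocol"] != 3:
        problems.append("protocol must be 3 (RFC 4034), got %d" % rec["protocol"])
    computed = key_tag(rec["flags"], rec["protocol"], rec["algorithm"], rec["pubkey"])
    if computed != tag:
        problems.append("key tag %d in file, %d in name" % (computed, tag))
    # Low bit of the flags field is SEP: set by "dnssec-keygen -f k" for the KSK.
    role = "KSK" if rec["flags"] & 1 else "ZSK"
    return role, problems


# Constructed sample .key files (assumed names and IDs); public key is 01 02 03 04.
SAMPLE_ZSK = ("; This is a zone-signing key, keyid 2062, for boat.\n"
              "boat. IN DNSKEY 256 3 8 AQIDBA==\n")
SAMPLE_KSK = ("; This is a key-signing key, keyid 2063, for boat.\n"
              "boat. IN DNSKEY 257 3 8 AQIDBA==\n")

if __name__ == "__main__":
    for name, text in (("Kboat.+008+02062", SAMPLE_ZSK), ("Kboat.+008+02063", SAMPLE_KSK)):
        zone, alg, _ = parse_keyfile_name(name)
        role, problems = check_keyfile(name, text)
        print(name, zone, ALGORITHMS.get(alg, "alg %d" % alg), role, problems or "ok")
```

Run it against the real files in key-directory by reading each K*.key file and passing its base name; any entry in `problems` means named will not pair that key with the zone the way you expect, and a zone with only ZSK-flagged keys has no KSK for the DS record the trust anchor is built from.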