Question about missing bind.keys

Evan Hunt each at isc.org
Thu Apr 14 01:20:27 UTC 2022


On Tue, Apr 12, 2022 at 09:37:22PM -0400, J Doe wrote:
> Apologies for my late reply.  Thank you so much for the detailed 
> explanation of: dnssec-validation auto and what happens when: bind.keys 
> doesn't exist.
> 
> With this setting in place in my: named.conf I then restarted BIND, gave 
> it a second to pull the trust information and then used: delv to test 
> verification.
> 
> The first test for unverified/unsigned was:
> 
> 	$ delv google.com
> 		; unsigned answer
> 			. . .
> 
> ... and the second test for verified/signed was:
> 
> 	$ delv ietf.org
> 		; fully validated
> 			. . .
> 
> ... which wouldn't have worked if: dnssec-validation auto failed in 
> getting the same information as: bind.keys

"delv" isn't actually the right tool for this job - it does its own
internal validation, regardless of whether the name server it's querying
is doing validation correctly or not.

Instead, use "dig" to query your name server and look for the "ad" bit
(Authenticated Data) in the response:

$ dig @localhost unsigned.com | grep flags
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

$ dig @localhost ietf.org | grep flags
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                   ^^

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
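A small POSIX shell wrapper around the dig check above, added here as an example and not part of the thread: it parses the ";; flags:" line for "ad" and reports the RCODE alongside it, so a SERVFAIL from a validation failure is visible too. The default resolver address 127.0.0.1 is an assumption; pass another address as the second argument.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether the resolver
# you query reports validated answers by inspecting the "ad" flag in dig output.

# has_ad_flag: read dig output on stdin, return 0 if the ";; flags:" line
# contains the "ad" (Authenticated Data) flag, 1 otherwise.
has_ad_flag() {
    awk '
        /^;; flags:/ {
            sub(/^;; flags: */, ""); sub(/;.*$/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# rcode_of: read dig output on stdin, print the status (NOERROR, SERVFAIL, ...).
rcode_of() {
    awk '/^;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); print; exit }'
}

# check_validation NAME [RESOLVER]: query the resolver and print a one-line verdict.
check_validation() {
    name=$1
    resolver=${2:-127.0.0.1}   # assumption: the resolver under test runs locally
    out=$(dig @"$resolver" "$name" A) || { echo "$name: dig failed"; return 2; }
    rcode=$(printf '%s\n' "$out" | rcode_of)
    if printf '%s\n' "$out" | has_ad_flag; then
        echo "$name: $rcode, ad set (validated by $resolver)"
    else
        echo "$name: $rcode, ad not set (unsigned zone, or resolver not validating)"
    fi
}

# Usage: sh check_ad.sh ietf.org 127.0.0.1
if [ "$#" -gt 0 ]; then
    check_validation "$@"
fi
```

Note that "ad" only tells you the resolver you queried validated the answer; if named forwards to another resolver, test that hop as well.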
