dnssec validation issue
Carl Byington
carl at byington.org
Fri Jun 19 00:35:01 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have multiple centos6 boxes running 9.10.2-P1, and almost everything
looks good. However, one box seems to not be doing dnssec validation. It
is possible that this behavior predates the latest updates and I just
never noticed it.
A and B have essentially identical configuration, except that A is the
master for some zones, and B is the slave pulling from A. Other than
that, the /etc/named.conf is identical. A also has ipv6 connectivity,
and B does not. The authoritative side works nicely on both. The
recursive resolver is where the difference shows up.
On A:
dig www.dnssec-failed.org @localhost
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19813
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
;; ANSWER SECTION:
www.dnssec-failed.org. 7178 IN A 68.87.109.242
www.dnssec-failed.org. 7178 IN A 69.252.193.191
On B:
dig www.dnssec-failed.org @localhost
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4969
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
/etc/named.conf:

options {
    directory "/var/named";
    allow-recursion { "friends"; };
    dnssec-enable yes;
    dnssec-validation yes;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    listen-on-v6 { any; };
    ixfr-from-differences yes;
    max-journal-size 2m;
    notify yes;
    response-policy { zone "rpz.five-ten-sg.com"; }
        qname-wait-recurse no;
    filter-aaaa-on-v4 yes;
    filter-aaaa { "brokenv6"; };
    rate-limit {
        responses-per-second 5;
        errors-per-second 5;
        nxdomains-per-second 40;
        qps-scale 300;
        exempt-clients { "friends"; };
    };
};
A is neither master nor slave for dnssec-failed.org, and that domain is
not mentioned in the rpz zone.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAlWDYtAACgkQL6j7milTFsHClQCeLKkTuQYlM4liB0UECG5Z4pui
ujMAnj4wnUWqJj258pIlUFo0IONtkkEP
=/QDW
-----END PGP SIGNATURE-----
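An added example, not part of the post above: a small Python classifier that reads the dig header lines quoted for box A and box B and reports what each resolver is doing. The point it makes is that www.dnssec-failed.org is a test zone whose DNSSEC chain is deliberately broken, so SERVFAIL is what a validating resolver returns for it, while a NOERROR answer without the ad flag means no validation took place. The DIG_B_CD sample (a hypothetical "dig +cd" answer from box B) is constructed here and is not in the post; +cd asks the resolver to skip validation, so comparing it with the plain query separates a validation failure from a plain reachability problem.

```python
import re

# Constructed samples: the two header blocks quoted in the post (box A, box B),
# plus a hypothetical "dig +cd" answer from box B that is not in the post.
DIG_A = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19813
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
"""
DIG_B = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4969
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_B_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31337
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"^;; ->>HEADER<<- .*status: (?P<status>[A-Z]+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.M)


def parse_header(output):
    """Return (rcode, set_of_flags) from the header lines of dig output."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if status is None or flags is None:
        raise ValueError("no dig header found")
    return status.group("status"), set(flags.group("flags").split())


def classify(plain, with_cd=None):
    """Classify a resolver's behaviour on a name whose DNSSEC chain is known-bad.

    plain   -- dig output for the normal query (validation on)
    with_cd -- dig output for the same query with +cd (validation off), optional
    """
    rcode, flags = parse_header(plain)
    if rcode == "NOERROR":
        # A broken chain can never yield an authenticated answer: with AD set
        # the trust anchor is suspect, without AD nothing was validated at all.
        return "trust-anchor-problem" if "ad" in flags else "not-validating"
    if rcode != "SERVFAIL":
        return "unexpected-" + rcode
    if with_cd is None:
        # A +cd query is needed to tell validation from a reachability problem.
        return "servfail-unconfirmed"
    cd_rcode, _ = parse_header(with_cd)
    # +cd bypasses validation: if the data is reachable that way, the SERVFAIL
    # was the validator rejecting it, which is the correct outcome for a bad chain.
    return "validation-failure" if cd_rcode == "NOERROR" else "resolution-failure"


if __name__ == "__main__":
    print("A:", classify(DIG_A))
    print("B:", classify(DIG_B), "/", classify(DIG_B, DIG_B_CD))
```

Run against the post's own output, box A classifies as "not-validating" and box B as a SERVFAIL that a +cd query would confirm as "validation-failure"; the same two queries (with and without +cd, plus a look for the ad flag on a known-good signed name) are the usual first check when two resolvers with the same dnssec-validation setting disagree.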