Issue with DNSSEC (BIND 9.10.3-P4-Raspbian <id:ebd72b3>)
Tony Finch
dot at dotat.at
Mon Oct 2 16:14:09 UTC 2017
Dirk Gottschalk via bind-users <bind-users at lists.isc.org> wrote:
>
> The bind.keys file is available and I set dnssec-validation and dnssex-
> lookaside to auto.
That should work - however you should omit dnssec-lookaside since it does
not do anything any more. I also prefer not to have a bind.keys file and
instead I rely on the compiled-in keys, because that's one less thing to
keep up-to-date.
> But every time I try to resolve a Name (denic.de for example) I get a
> SERVFAIL with dig. Turning the above options off and usiung dif with
> +dnssec option I can see RRSIG for the Domain and for the root server.
That's a bit puzzling.
> 30-Sep-2017 01:26:50.534 dnssec: validating ./NS: attempting insecurity proof
> 30-Sep-2017 01:26:50.534 dnssec: validating ./NS: insecurity proof failed
> 30-Sep-2017 01:26:50.534 dnssec: validating ./NS: got insecure response; parent indicates it should be secure
I think these log lines suggest that something is stripping DNSSEC records
somewhere, and there are similarly suspicious lines later in the log.
To get more information, try running:
$ delv +vtrace www.denic.de
which will give you slightly more debugging options than fiddling with
`named`. You can get a trace of response messages using +mtrace, or you
can point `delv` at a different server using @8.8.8.8 etc.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Biscay: Southwest veering northeast, 4 or 5. Moderate or rough. Occasional
rain. Moderate, occasionally poor.
More information about the bind-users
mailing list