> > Yes, I agree freebsd.org is insecure, but I still want to be able to
> > resolve it :-)
>
> The point was, you should not be getting DNSSEC-related errors from
> a domain that is not secured.
I disagree. In order for a validating resolver to resolve freebsd.org (or any other insecure domain under .org) BIND still needs to verify the RRSIG on the covering NSEC for freebsd.org.dlv.isc.org to prove that freebsd.org doesn't have a DLV record. It has to verify the RRSIG on the DLV record for org.dlv.isc.org, and check that the hash in the DLV record matches the DNSKEY record of the KSK at .org. It has to check that the RRSIG on the DNSKEY RRset is correctly signed with the KSK, and then it has to check that the RRSIG on the NSEC3 opt-out record that covers freebsd.org is correctly signed with the ZSK. Only after doing all this does it know that freebsd.org is really, legitimately, an insecure zone. If any of these steps fail, the resolver should give an error, unless the CD bit is set on the query.

> As requested, please supply configuration information... without
> that, it's unlikely anyone is going to be able to help you.
>
> Matt

It's pretty basic. Here's the substantive config - I've omitted some TSIG keys and a bunch of zones the server is authoritative for:

--------------------
logging {
    channel dnssec_log {
        file "logs/dnssec.log" versions 2 size 2m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 9;
    };
    category dnssec { dnssec_log; };
};

options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    listen-on { any; };
    listen-on port 5353 { any; };
    listen-on-v6 { any; };
    allow-recursion { any; };
    // DLV lookaside validation using BIND's built-in dlv.isc.org trust anchor
    dnssec-lookaside auto;
};

include "/etc/namedb/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

zone "." { type hint; file "named.root"; };

zone "0.0.127.IN-ADDR.ARPA" { type master; file "master/localhost.rev"; };

// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" { type master; file "master/localhost-v6.rev"; };

zone "google.com" { type forward; forwarders { 74.82.42.42; }; };

zone "google.co.uk" { type forward; forwarders { 74.82.42.42; }; };
--------------------

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
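As an added illustration of two of the checks in the validation chain described in the reply above (not code from this thread or from BIND), the following Python computes the key tag and DS/DLV digest of a DNSKEY (RFC 4034, reused unchanged by DLV per RFC 4431) and the NSEC3 hashed owner name (RFC 5155), and decides whether an Opt-Out NSEC3 record covering a child name proves an insecure delegation rather than a missing name. The DNSKEY bytes and NSEC3 hashes used for checking are constructed placeholders, not real .org or dlv.isc.org data.

```python
import base64
import hashlib
import struct

# Base32hex alphabet (RFC 4648 s7) used for NSEC3 hashed owner names.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".") if l)
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest (RFC 4034 s5.1.4): hash(owner wire form | DNSKEY RDATA).
    A DLV record (RFC 4431) has identical RDATA, so this is the value the
    DLV record for org.dlv.isc.org must match against the .org KSK."""
    h = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def nsec3_hash(name, salt, iterations):
    """NSEC3 hashed owner name (RFC 5155 s5): SHA-1(x | salt), iterated."""
    x = name_to_wire(name)
    for _ in range(iterations + 1):
        x = hashlib.sha1(x + salt).digest()
    return base64.b32encode(x).decode().translate(_B32HEX)

def nsec3_covers(owner_hash, next_hash, target_hash):
    """True if target_hash falls strictly inside the span owner..next,
    including the chain's last record wrapping around to the first."""
    o, n, t = owner_hash.upper(), next_hash.upper(), target_hash.upper()
    return o < t < n if o < n else (t > o or t < n)

def nsec3_proves_insecure(owner_hash, next_hash, flags, child, salt, iterations):
    """A covering NSEC3 with the Opt-Out flag (bit 0x01) set proves the child
    is an unsigned delegation (RFC 5155 s6). Without Opt-Out the same record
    would instead prove the name does not exist at all."""
    covered = nsec3_covers(owner_hash, next_hash, nsec3_hash(child, salt, iterations))
    return covered and bool(flags & 0x01)
```

The RRSIG checks in the chain are not shown; this only covers the digest match and the Opt-Out coverage test that follow once the signatures verify.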