I was following Mark Andrews' discussion with a user about DNSSEC and played with it here and found an issue. Not sure if I am doing something wrong or if there is a bug somewhere.

We have a Windows AD domain and use Bind 9.8 on our Linux servers for most DNS resolution. In order to politely set things up, I forwarded the queries for AD zones to the Windows server:

zone "chaseprod.local" {
        type forward;
        forwarders { 10.0.100.205; };
};

This seemed to work until I added some stuff for DNSSEC to my named.conf.

In the global option section, I have:

        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;

And as a general option, I added:

include "/etc/bind.keys";

Under Bind 9.8.0-P4 and Bind 9.8.1 (compiled from source with no special options under SLES 10), resolution of a valid record in the forwarded zone fails when I add the above dnssec options:


; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58140
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local.        IN      A

;; AUTHORITY SECTION:
. 10794 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2011090600 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep  6 08:43:25 2011
;; MSG SIZE  rcvd: 123

If I comment out dnssec-validation auto and the include for bind.keys, the resolution for the forwarded zone works:


; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7529
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 3

;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local.        IN      A

;; ANSWER SECTION:
chasew8s1.corp.chaseprod.local. 2599 IN A       10.0.102.10
chasew8s1.corp.chaseprod.local. 2599 IN A       10.0.100.205

;; AUTHORITY SECTION:
.                       517399  IN      NS      l.root-servers.net.
.                       517399  IN      NS      d.root-servers.net.
.                       517399  IN      NS      k.root-servers.net.
.                       517399  IN      NS      i.root-servers.net.
.                       517399  IN      NS      a.root-servers.net.
.                       517399  IN      NS      g.root-servers.net.
.                       517399  IN      NS      m.root-servers.net.
.                       517399  IN      NS      b.root-servers.net.
.                       517399  IN      NS      j.root-servers.net.
.                       517399  IN      NS      f.root-servers.net.
.                       517399  IN      NS      h.root-servers.net.
.                       517399  IN      NS      e.root-servers.net.
.                       517399  IN      NS      c.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net.     604029  IN      AAAA    2001:503:c27::2:30
l.root-servers.net.     604031  IN      A       199.7.83.42
m.root-servers.net.     604061  IN      A       202.12.27.33

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep  6 08:42:47 2011
;; MSG SIZE  rcvd: 351

Is this a bug or am I doing something wrong?

Thanks,
Lyle Giese
LCR Computer Services, Inc.
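As an added troubleshooting check, not part of Lyle's post and not BIND or ISC code: the script below parses the two dig captures from the post (abridged and embedded inline) into status, header flags and answer records, and then applies the usual comparison a practitioner uses to separate a validation-induced failure from an ordinary lookup failure. On a live resolver the same comparison is made between a normal query and one sent with `dig +cd`, which asks the resolver to skip validation; here the "bypass" capture is the one taken with the validation configuration removed. The diagnosis wording and the `DigResult`/`parse_dig`/`diagnose` names are my own. Note also what the parser makes visible: neither capture carries the `ad` flag, so even the working answer is unvalidated data passed through from the forwarder, which is what you expect for an unsigned internal zone.

```python
"""Classify two dig captures to tell a validation-induced failure from an
ordinary lookup failure.  Added example for this thread; not BIND or ISC code.
The two captures below are abridged from Lyle's post; the diagnosis logic is
the usual 'does it work with validation out of the way?' check, the same one a
normal query versus `dig +cd` (checking disabled) gives on a live resolver."""
import re
from dataclasses import dataclass, field

# Abridged from the post: dnssec-validation auto + bind.keys in place.
VALIDATING_CAPTURE = """\
; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58140
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local.        IN      A

;; AUTHORITY SECTION:
. 10794 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2011090600 1800 900 604800 86400
"""

# Abridged from the post: same query with the validation configuration removed.
BYPASS_CAPTURE = """\
; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7529
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 3

;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local.        IN      A

;; ANSWER SECTION:
chasew8s1.corp.chaseprod.local. 2599 IN A       10.0.102.10
chasew8s1.corp.chaseprod.local. 2599 IN A       10.0.100.205

;; AUTHORITY SECTION:
.                       517399  IN      NS      l.root-servers.net.
"""

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)


@dataclass
class DigResult:
    status: str = "UNKNOWN"
    flags: set = field(default_factory=set)
    answer_count: int = 0
    answers: list = field(default_factory=list)  # (owner, type, rdata)

    @property
    def validated(self) -> bool:
        # The AD bit is the only signal that the resolver itself validated
        # the answer; 'ra' alone says nothing about DNSSEC.
        return "ad" in self.flags


def parse_dig(text: str) -> DigResult:
    """Pull status, header flags and the ANSWER section out of dig output."""
    result = DigResult()
    section = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            result.status = m.group(2)
            continue
        m = FLAGS_RE.search(line)
        if m:
            result.flags = set(m.group(1).split())
            result.answer_count = int(m.group(3))
            continue
        if line.startswith(";; ANSWER SECTION:"):
            section = "answer"
            continue
        if line.startswith(";") or not line.strip():
            section = None  # any other marker or a blank line ends the section
            continue
        if section == "answer":
            owner, _ttl, _cls, rtype, *rdata = line.split()
            result.answers.append((owner, rtype, " ".join(rdata)))
    return result


def diagnose(validating: DigResult, bypass: DigResult) -> str:
    """Compare the response with validation in force against one without it."""
    if validating.status == bypass.status and validating.answers == bypass.answers:
        return "same result either way: validation is not the cause"
    if bypass.status == "NOERROR" and validating.status in ("SERVFAIL", "NXDOMAIN"):
        return ("validation-dependent failure: the forwarded answer is usable but "
                "the validator turns it into %s" % validating.status)
    return "responses differ; inspect both captures by hand"


def diagnose_post() -> str:
    """Run the check over the two captures from the thread."""
    return diagnose(parse_dig(VALIDATING_CAPTURE), parse_dig(BYPASS_CAPTURE))


if __name__ == "__main__":
    print(diagnose_post())
```

Run it as-is to see the classification for the captures from the post; to use it against a live resolver, feed `parse_dig` the output of a plain `dig` and of `dig +cd` for the same name. A "validation-dependent failure" result means the failure is in the validator's handling of the zone, not in the forwarder, and the place to look is the DNSSEC configuration rather than the forward zone itself.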

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users