Hello! I run a server with BIND 9.18 on Alma 9.

It acts as the nameserver for two domains (with glue records from the registrar). DNSSEC is enabled, but somehow outbound queries are not validated? Domains with DNSSEC do have the "ad" flag, though. The local domains somehow don't have the "ad" flag.

Example:

dig www.dnssec-failed.org +dnssec @localhost

; <<>> DiG 9.18.29 <<>> www.dnssec-failed.org +dnssec @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54441
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: ab33b7cb2be017660100000068434ae5a046bf6060941c68 (good)
;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

;; ANSWER SECTION:
www.dnssec-failed.org.  6086    IN      A       68.87.109.242
www.dnssec-failed.org.  6086    IN      A       69.252.193.191
www.dnssec-failed.org.  6086    IN      RRSIG   A 5 3 7200 20250621145120 20250604144620 44973 dnssec-failed.org. 6aHzJob+AUdBOyR9aErfXgtSnfE/gdQhiz1wdoZJD0lLZwhOhcD2OjA0 ct6vQjUWkQtu6SGVhKvvNsWtI6KqFLdBUc3QbnlsO3/tDk3/Powl7gdV CRqnj7Ridxjwyk5xYPurcZA/6dJK48uAFZsR5hlLCxcZN9vplBhlU6jz +9w=

I believe the answer should be SERVFAIL?

This is my config. I have tried with "auto" and "yes".

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        listen-on port 853 tls local-tls { any; };
        listen-on-v6 port 853 tls local-tls { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-validation auto;

        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "vom-bruch.com" {
        type master;
        file "/var/named/vom-bruch.com.hosts";
        allow-transfer { 127.0.0.1; localnets; };
};

zone "eloi.at" {
        type master;
        file "/var/named/eloi.at.hosts";
        allow-transfer { 127.0.0.1; localnets; 213.255.218.23; 2a00:98c7:1000:1300:6e4b:90ff:fe57:e7b1; };
};

tls local-tls {
        cert-file "/etc/letsencrypt/live/vom-bruch.com/fullchain.pem";
        key-file "/etc/letsencrypt/live/vom-bruch.com/privkey.pem";
        dhparam-file "/var/cache/bind/dhparam.pem";
        protocols { TLSv1.2; TLSv1.3; };
        ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256";
        prefer-server-ciphers yes;
        session-tickets no;
};

statistics-channels {
        inet 127.0.0.1 port 8053 ;
};

Any ideas?

Thanks,
Luca
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
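An added example, not part of Luca's post or of ISC's BIND: a small parser that classifies dig(1) output by its DNSSEC outcome, so the three cases that look similar on the wire can be told apart: a validated answer (AD set), a bogus answer (a validating resolver returns SERVFAIL; with `+dnssec` BIND 9.18 usually adds an EDE explaining why, and `+cd` bypasses validation), and signed data returned NOERROR without AD. The last case is what the post shows, and the RRSIG in it carries algorithm 5 (RSASHA1). One caveat a practitioner should check before concluding validation is off: BIND's `disable-algorithms` treats a zone whose DS/RRSIGs use only disabled algorithms as insecure, not bogus, so such answers come back NOERROR without AD instead of SERVFAIL, and on RHEL 9 family systems the `/etc/crypto-policies/back-ends/bind.config` file that this config includes is where the system crypto policy injects such statements. The sample responses below are constructed from the post's output plus two hypothetical ones; `SHA1_ALGS`, the verdict strings and the function names are my own.

```python
"""Classify a dig(1) text response by DNSSEC outcome (added example)."""
import re
from dataclasses import dataclass, field

# Subset of IANA DNSSEC algorithm numbers, for readable output.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
             15: "ED25519", 16: "ED448"}

# Assumption: these are the algorithms a system crypto policy is most likely
# to have disabled. A zone signed only with disabled algorithms is treated as
# insecure by BIND (NOERROR, no AD) rather than bogus (SERVFAIL).
SHA1_ALGS = {5, 7}

HEADER_RE = re.compile(r"status:\s*([A-Z]+),")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)
# owner  TTL  IN  RRSIG  <type-covered> <algorithm> ...
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s+\S+\s+(\d+)\s", re.M)


@dataclass
class DigResult:
    status: str
    flags: set
    rrsig_algs: set = field(default_factory=set)

    @property
    def ad(self) -> bool:
        """AD = the resolver itself validated the answer."""
        return "ad" in self.flags

    def verdict(self) -> str:
        if self.status == "SERVFAIL":
            return "bogus-or-error"          # validation failure or other error
        if self.ad:
            return "validated"
        if self.rrsig_algs and self.rrsig_algs <= SHA1_ALGS:
            return "not-validated-sha1-only" # check disable-algorithms first
        if self.rrsig_algs:
            return "not-validated"           # signed data, but no AD
        return "unsigned"

    def describe(self) -> str:
        algs = ", ".join(f"{a} ({ALG_NAMES.get(a, '?')})" for a in sorted(self.rrsig_algs))
        return f"{self.status}, ad={self.ad}, rrsig algs: {algs or 'none'} -> {self.verdict()}"


def parse_dig(text: str) -> DigResult:
    """Parse the header, flags and RRSIG algorithms out of dig's text output."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no dig header found")
    fm = FLAGS_RE.search(text)
    flags = set(fm.group(1).split()) if fm else set()
    algs = {int(a) for a in RRSIG_RE.findall(text)}
    return DigResult(m.group(1), flags, algs)


# Constructed sample 1: the response from the post (NOERROR, no AD, algorithm 5).
POST_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54441
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.dnssec-failed.org.\t\tIN\tA
;; ANSWER SECTION:
www.dnssec-failed.org.\t6086\tIN\tA\t68.87.109.242
www.dnssec-failed.org.\t6086\tIN\tA\t69.252.193.191
www.dnssec-failed.org.\t6086\tIN\tRRSIG\tA 5 3 7200 20250621145120 20250604144620 44973 dnssec-failed.org. 6aHzJob+AUdB...
"""

# Constructed sample 2: hypothetical validated answer (AD set, ECDSA P-256).
VALIDATED_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.net.\t300\tIN\tA\t192.0.2.1
example.net.\t300\tIN\tRRSIG\tA 13 2 300 20250701000000 20250601000000 12345 example.net. AbCd...
"""

# Constructed sample 3: what a validating resolver returns for a bogus zone.
SERVFAIL_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for name, text in [("post", POST_RESPONSE), ("validated", VALIDATED_RESPONSE),
                       ("servfail", SERVFAIL_RESPONSE)]:
        print(f"{name:10} {parse_dig(text).describe()}")
```

To use it on a live resolver, pipe `dig +dnssec <name> @localhost` into `parse_dig`; if the verdict is `not-validated-sha1-only`, look at the included crypto-policy file for a `disable-algorithms` statement, and test again against a name signed with a non-SHA-1 algorithm before changing `dnssec-validation`.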