RE: BIND 9.6.2-P2 is now available.
I have a question about the bug that this patch fixes.

> --- 9.6.2-P2 released ---
>
> 2876. [bug] Named could return SERVFAIL for negative responses from unsigned zones. [RT #21131]

Does this bug only occur if DNSSEC is enabled? Or only if DNSSEC validation is turned on? Or will it (potentially) occur regardless of whether or not either of these options is used?

Thank you
-- jack

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Authoritative Redundancy
If your primary master goes down, and you want to ensure that all of your slaves get the *latest*available*version* of the zone, and serve it until the master comes back up, then you would cross-connect all of your slaves so that eventually they'll all sync up to that version.

*HOWEVER*, because of protocol limitations, this will essentially break zone expiration. If you delete a zone on the master, in other words, and forget to delete the definition on 2 or more slaves, then they'll keep refreshing from each other indefinitely, since the refresh timer gets reset even if nothing changes in the zone. The zone is immortal on those slaves, and manual intervention will be necessary to get rid of it. A protocol fix for this was floated to the IETF Working Group, but not enough interest was generated to make any kind of change.

If your configuration-control system reliably deletes all slave-zone definitions, then maybe this is a non-issue for you.

- Kevin

On 5/20/2010 12:08 AM, Baird, Josh wrote:
> Would there be any benefit in assigning them as additional masters for all of my zones (in addition to DNS01), or would this just complicate the entire environment?
>
> Thanks
>
>> In article mailman.1534.1274300384.21153.bind-us...@lists.isc.org, Baird, Josh jba...@follett.com wrote:
>>
>>> Hi,
>>>
>>> I currently have three authoritative servers in the RRset for my internal zones:
>>>
>>>     NS dns01.blah.com.
>>>     NS dns02.blah.com.
>>>     NS dns03.blah.com.
>>>
>>> DNS01 is the sole master for my internal zones. I have a number of resolving DNS servers throughout my environment that contain slave definitions for my internal zones to override recursion. These slave definitions use DNS01 as their master (only DNS01, not DNS02/03).
>>>
>>>     zone "example.com." IN {
>>>         type slave;
>>>         masters { DNS01's_IP_ADDRESS; };
>>>         file "hosts/slaves/example.com-hosts";
>>>     };
>>>
>>> DNS02 and DNS03 also contain slave zones for all of my internal zones. Their master is also DNS01.
>>>
>>> My question is.. am I gaining anything by having DNS02/DNS03? With DNS01 being my sole master, it doesn't seem like DNS02/DNS03 are providing any additional benefit. How could I make better use of DNS02/DNS03? Recursion is disabled on them, and no clients directly query them; they query the numerous resolving DNS servers throughout the environment.
>>
>> I think you can safely get rid of them. With all your internal resolvers running as stealth slaves for your zones, you don't need published slaves. NS records are only used by recursive servers.
>>
>> -- 
>> Barry Margolin, bar...@alum.mit.edu
>> Arlington, MA
>> *** PLEASE don't copy me on replies, I'll read them in the group ***
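An added example, not from any message in this thread: a check for the configuration-control failure Kevin describes. It parses named.conf text from the master and from each slave, maps zone names to their type, and reports slave zones that no longer have a master zone behind them (the definitions that would refresh from each other forever once the slaves are cross-connected). The configuration snippets, host names and 192.0.2.x addresses are constructed for the example; include files are not followed, and primary/secondary are accepted alongside master/slave because newer BIND releases spell the types that way.

```python
"""Find slave zones that no longer exist on the master (the 'immortal zone' case)."""
import re
from typing import Dict, Set


def _strip_comments(conf: str) -> str:
    """Remove /* */, // and # comments so brace counting is not fooled by them."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


# zone "name" [IN|CH|HS] {   -- the opening brace of a zone block
_ZONE_OPEN = re.compile(r'\bzone\s+"([^"]+)"(?:\s+(?:IN|CH|HS))?\s*\{', re.I)
_TYPE = re.compile(r"\btype\s+(\w+)\s*;", re.I)


def zones_by_type(conf: str) -> Dict[str, str]:
    """Map each zone name (lower-cased, no trailing dot; '.' for root) to its type.
    Works inside views and with nested blocks such as masters { ... }; it does not
    follow include statements (assumption for this example)."""
    conf = _strip_comments(conf)
    out: Dict[str, str] = {}
    for m in _ZONE_OPEN.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):          # find the brace that closes this zone
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        t = _TYPE.search(body)
        if t:
            name = m.group(1).lower().rstrip(".") or "."
            out[name] = t.group(1).lower()
    return out


def orphan_slave_zones(master_conf: str, slave_confs: Dict[str, str]) -> Dict[str, Set[str]]:
    """Slave-zone definitions that have no master zone behind them on the master.
    Returns {slave host: {zone, ...}}; an empty dict means every definition is backed."""
    backed = {z for z, t in zones_by_type(master_conf).items() if t in ("master", "primary")}
    orphans: Dict[str, Set[str]] = {}
    for host, conf in slave_confs.items():
        slaves = {z for z, t in zones_by_type(conf).items() if t in ("slave", "secondary")}
        missing = slaves - backed
        if missing:
            orphans[host] = missing
    return orphans


# Constructed configs (not from the thread): old.example was deleted on DNS01, but
# dns02 and dns03 still slave it and list each other as masters, so it never expires.
DNS01_CONF = """
view "internal" {
    zone "example.com" IN { type master; file "masters/example.com"; };
    zone "corp.example" { type master; file "masters/corp.example"; };
    // zone "old.example" { type master; file "masters/old.example"; };  # removed
};
"""
DNS02_CONF = """
zone "." { type hint; file "named.ca"; };
zone "example.com" { type slave; masters { 192.0.2.1; 192.0.2.3; }; file "slaves/example.com"; };
zone "corp.example" { type slave; masters { 192.0.2.1; 192.0.2.3; }; file "slaves/corp.example"; };
zone "old.example" { type slave; masters { 192.0.2.1; 192.0.2.3; }; file "slaves/old.example"; };
"""
DNS03_CONF = """
zone "example.com" { type slave; masters { 192.0.2.1; 192.0.2.2; }; file "slaves/example.com"; };
zone "corp.example" { type slave; masters { 192.0.2.1; 192.0.2.2; }; file "slaves/corp.example"; };
zone "old.example" { type slave; masters { 192.0.2.1; 192.0.2.2; }; file "slaves/old.example"; };
"""

if __name__ == "__main__":
    result = orphan_slave_zones(DNS01_CONF, {"dns02": DNS02_CONF, "dns03": DNS03_CONF})
    for host, zones in result.items():
        print(f"{host}: slave zones with no master behind them: {sorted(zones)}")
```

Run it from the configuration-control system after every zone removal, with the master's named.conf and each slave's fetched read-only; any host in the result holds a zone that will never expire on its own.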
Dnssec zone signing problem
Hi,

I am having a DNSSEC problem while signing a zone:

    # dnssec-signzone -N INCREMENT mydomain.org
    Verifying the zone using the following algorithms: RSASHA1.
    Missing RSASHA1 signature for . NSEC
    The zone is not fully signed for the following algorithms: RSASHA1.
    dnssec-signzone: fatal: DNSSEC completeness test failed.

What could be wrong? I have followed these steps:

OS = CentOS 5.4 with bind-9.6.2-3.P1
http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/

    dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
    dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
    cat Kmydomain.org.+005+*.key >> mydomain.org
    dnssec-signzone -N INCREMENT mydomain.org

Under options in named.conf:

    dnssec-enable yes;
    dnssec-validation yes;
    // dnssec-lookaside . trust-anchor DLV.ISC.ORG;

With the trust-anchor uncommented, as soon as I enable and reload bind, dig gives a timeout, while dig has no issues with the first two commands enabled.

    # more /etc/sysconfig/dnssec
    DNSSEC=on
    DLV=dlv.isc.org

Thanks
-dani
Re: Dnssec zone signing problem
On Thu, May 20, 2010 at 12:10:53PM -0700, itservices88 itservice...@gmail.com wrote a message of 92 lines which said:

>     # dnssec-signzone -N INCREMENT mydomain.org
>     Verifying the zone using the following algorithms: RSASHA1.
>     Missing RSASHA1 signature for . NSEC
>     The zone is not fully signed for the following algorithms: RSASHA1.
>     dnssec-signzone: fatal: DNSSEC completeness test failed.

I do not find these error messages in BIND source code. Are you sure you use the pristine dnssec-signzone and not, say, a local custom script? (dnssec-signzone is supposed to sign the zone, not to check that it is signed.)
Re: Dnssec zone signing problem
On 05/20/2010 09:10 PM, itservices88 wrote:

> Verifying the zone using the following algorithms: RSASHA1.
> Missing RSASHA1 signature for . NSEC

You seem to have a record for "." somewhere in your zone file. Did you load the unsigned zone into BIND before? It should have logged a warning about that record.

> dnssec-enable yes;
> dnssec-validation yes;
> // dnssec-lookaside . trust-anchor DLV.ISC.ORG;
>
> With the trust-anchor uncommented, as soon as I enable and reload bind, dig gives a timeout, while dig has no issues with the first two commands enabled.

Do you have a firewall in the path that would block large DNS responses or fragments?

Hauke.
Re: Dnssec zone signing problem
On 5/20/2010 12:51 PM, Hauke Lampe wrote:
> Did you load the unsigned zone into BIND before? It should have logged a warning about that record.

named-checkzone would be useful here as well.

hth,

Doug

-- 
... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
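An added check to run alongside named-checkzone (example code, not part of Hauke's or Doug's message): a small reader for the zone file that resolves each owner name against the current $ORIGIN and lists every record whose owner is not at or below the apex. That covers the literal "." owner Hauke suspected, absolute names that belong to another zone, and relative names under a mistaken $ORIGIN, none of which a grep for '^\.' would catch. The zone file below is constructed for the example; the reader assumes one record per line, no parentheses and no $INCLUDE.

```python
"""Lint a zone file for owner names outside the zone before signing it."""
import re
from typing import List, Tuple

_DIRECTIVE = re.compile(r"^\$(ORIGIN|TTL|INCLUDE)\s+(\S+)", re.I)


def _fqdn(name: str, origin: str) -> str:
    """Absolute, lower-cased owner name: '@' is the origin, a trailing dot means
    absolute, anything else is relative to the current $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def out_of_zone_records(zone_text: str, zone_name: str) -> List[Tuple[int, str]]:
    """(line number, owner) for every record whose owner is not at or below the apex.
    Simplified master-file reader (assumption): one record per line, no multi-line
    parentheses, $INCLUDE is skipped rather than followed, ';' starts a comment
    (TXT data containing ';' is not handled)."""
    apex = zone_name.lower().rstrip(".") + "."
    origin = apex
    owner = None                    # a blank owner column inherits the previous owner
    bad: List[Tuple[int, str]] = []
    for n, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        d = _DIRECTIVE.match(line)
        if d:
            if d.group(1).upper() == "ORIGIN":
                origin = _fqdn(d.group(2), origin)
            continue
        if not line[0].isspace():
            owner = _fqdn(line.split()[0], origin)
        if owner is None:
            continue
        in_zone = apex == "." or owner == apex or owner.endswith("." + apex)
        if not in_zone:
            bad.append((n, owner))
    return bad


# Constructed zone file (not the poster's): line 7 carries the stray "." owner that
# Hauke suspected, line 8 an absolute name from another zone, and line 10 a relative
# name under a changed $ORIGIN that is still inside the zone.
ZONE = """$TTL 3600
$ORIGIN mydomain.org.
@       IN SOA ns1 hostmaster 2010052001 3600 900 1209600 300
        IN NS  ns1
ns1     IN A   192.0.2.53
www     IN A   192.0.2.80
.       IN NS  ns1.mydomain.org.   ; stray root record
other.example.  IN A 192.0.2.99     ; belongs to a different zone
$ORIGIN sub.mydomain.org.
host    IN A   192.0.2.100
"""

if __name__ == "__main__":
    for lineno, name in out_of_zone_records(ZONE, "mydomain.org"):
        print(f"line {lineno}: out-of-zone owner {name}")
```

Any line it reports is data named would ignore on load and dnssec-signzone has no business signing; remove or fix it before signing.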
Re: Dnssec zone signing problem
No local script. I am using the dnssec-signzone that came with the installation:

    # dnssec-signzone --help
    Version: 9.6.2-P1-RedHat-9.6.2-3.P1

On Thu, May 20, 2010 at 12:26 PM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
> On Thu, May 20, 2010 at 12:10:53PM -0700, itservices88 itservice...@gmail.com wrote a message of 92 lines which said:
>
>>     # dnssec-signzone -N INCREMENT mydomain.org
>>     Verifying the zone using the following algorithms: RSASHA1.
>>     Missing RSASHA1 signature for . NSEC
>>     The zone is not fully signed for the following algorithms: RSASHA1.
>>     dnssec-signzone: fatal: DNSSEC completeness test failed.
>
> I do not find these error messages in BIND source code. Are you sure you use the pristine dnssec-signzone and not, say, a local custom script? (dnssec-signzone is supposed to sign the zone, not to check that it is signed.)
Re: Dnssec zone signing problem
On Thu, May 20, 2010 at 12:51 PM, Hauke Lampe list+bindus...@hauke-lampe.de wrote:
> On 05/20/2010 09:10 PM, itservices88 wrote:
>> Verifying the zone using the following algorithms: RSASHA1.
>> Missing RSASHA1 signature for . NSEC
>
> You seem to have a record for "." somewhere in your zone file.

In named.conf, I have this entry:

    zone "." {
        type hint;
        file "named.ca";
    };

and

    egrep '^\.' mydomain.org

gives nothing.

> Did you load the unsigned zone into BIND before? It should have logged a warning about that record.
>
>> dnssec-enable yes;
>> dnssec-validation yes;
>> // dnssec-lookaside . trust-anchor DLV.ISC.ORG;
>>
>> With the trust-anchor uncommented, as soon as I enable and reload bind, dig gives a timeout, while dig has no issues with the first two commands enabled.
>
> Do you have a firewall in the path that would block large DNS responses or fragments?

Just the local iptables on the Linux server. No other firewall.

> Hauke.
Re: Dnssec zone signing problem
    # named-checkconf -t /var/named/chroot /etc/named.conf
    #
    # named-checkzone -t /var/named/chroot mydomain.org /etc/named-data/mydomain.org
    zone mydomain.org/IN: loaded serial 2010141144
    OK

No error in either of the commands. I am missing something else, maybe.

Thanks

On Thu, May 20, 2010 at 1:04 PM, Doug Barton do...@dougbarton.us wrote:
> On 5/20/2010 12:51 PM, Hauke Lampe wrote:
>> Did you load the unsigned zone into BIND before? It should have logged a warning about that record.
>
> named-checkzone would be useful here as well.
>
> hth,
>
> Doug
>
> -- 
> ... and that's just a little bit of history repeating.
> -- Propellerheads
>
> Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
Web forwarding in BIND
I'm new to this list but have been having trouble looking for information on this topic. A pointer please to information on how to use BIND to translate a domain name to a target URL. For example, www.domain -> http://www.someother.domain/folder1/folder2/index.html.

Thanks in advance.

- Hoover Chan
hc...@mail.ewind.com -or- hc...@well.com
Eastwind Associates
P.O. Box 16646
San Francisco, CA 94116
voice: 415-731-6019 -or- 415-565-8936
Re: Web forwarding in BIND
On Thu, May 20, 2010 at 5:18 PM, Hoover Chan hc...@mail.ewind.com wrote:
> I'm new to this list but have been having trouble looking for information on this topic. A pointer please to information on how to use BIND to translate a domain name to a target URL. For example, www.domain -> http://www.someother.domain/folder1/folder2/index.html.

You'll have better luck looking for information on how to spin straw into gold. What you want will need to be handled within the webserver itself.

-B
Re: Web forwarding in BIND
Heh, thanks for the humor. I'm used to having control over both Web server and DNS server, and the way I normally handle these things is via an Apache virtual host configuration. However, I'm under pressure to lose control of DNS and hand it over to a company like Go Daddy or Network Solutions where you can pay to have a domain name point to a specific URL. Maybe this question should change to learning how these companies do that sort of thing.

- Hoover Chan
hc...@mail.ewind.com -or- hc...@well.com
Eastwind Associates
P.O. Box 16646
San Francisco, CA 94116
voice: 415-731-6019 -or- 415-565-8936

- Bryan Irvine sparcta...@gmail.com wrote:
> On Thu, May 20, 2010 at 5:18 PM, Hoover Chan hc...@mail.ewind.com wrote:
>> I'm new to this list but have been having trouble looking for information on this topic. A pointer please to information on how to use BIND to translate a domain name to a target URL. For example, www.domain -> http://www.someother.domain/folder1/folder2/index.html.
>
> You'll have better luck looking for information on how to spin straw into gold. What you want will need to be handled within the webserver itself.
>
> -B
Re: Web forwarding in BIND
Hoover Chan wrote:
> I'm new to this list but have been having trouble looking for information on this topic. A pointer please to information on how to use BIND to translate a domain name to a target URL. For example, www.domain -> http://www.someother.domain/folder1/folder2/index.html.
>
> Thanks in advance.

You need to use the Apache rewrite engine. See:

http://www.addedbytes.com/for-beginners/url-rewriting-for-beginners/

for a simple intro. Do not worry about the flak you will get; this is a typical DNS beginner/web master confusion.

> - Hoover Chan
> hc...@mail.ewind.com -or- hc...@well.com
> Eastwind Associates
> P.O. Box 16646
> San Francisco, CA 94116
> voice: 415-731-6019 -or- 415-565-8936
dnssec dlv
Hi,

Whenever I enable:

    dnssec-lookaside . trust-anchor DLV.ISC.ORG;

in the named.conf and restart bind, DNS resolution stops. On the same FC12 machine, dig using an outside DNS server has no issues resolving with the +dnssec option. I am using bind 9.6.2 that came with FC12.

Any thoughts?

-dani
Re: dnssec dlv
In message aanlktikyznh9_cgpb2efye_-yuu4n3bs75fwzp-jz...@mail.gmail.com, itservices88 writes:
> Hi,
>
> Whenever I enable:
>
>     dnssec-lookaside . trust-anchor DLV.ISC.ORG;
>
> in the named.conf and restart bind, DNS resolution stops. On the same FC12 machine, dig using an outside DNS server has no issues resolving with the +dnssec option. I am using bind 9.6.2 that came with FC12.
>
> Any thoughts?
>
> -dani

Have you added the trusted-keys clause for dlv.isc.org?

    trusted-keys {
        dlv.isc.org. 257 3 5 "BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
    };

Does dig +cd +dnssec dlv.isc.org dnskey return RRSIGs? e.g.

    ; <<>> DiG 9.3.6-P1 <<>> +cd +dnssec dlv.isc.org dnskey
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14675
    ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;dlv.isc.org.                   IN      DNSKEY

    ;; ANSWER SECTION:
    dlv.isc.org.            2077    IN      DNSKEY  256 3 5 BEOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAaGPT+Q0kpiN+7 GviFh+nIazoB8e2Yv7mupgqkmIjObdcbGstYpUltdECdNpNmBvASKB9S BdtGeRvXXpORi3Qyxb9kHGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBF tCibp/mkhw==
    dlv.isc.org.            2077    IN      DNSKEY  257 3 5 BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
    dlv.isc.org.            2077    IN      RRSIG   DNSKEY 5 3 7200 20100619164502 20100520164502 19297 dlv.isc.org. OKURcBkX5iiDC1q87HsSs2xDcDrMm5aPAlYHkPqkHCy7UyTOnCr6cwwN W42mdG4nmpURR4aDGiPlfc1lomE5kA5wOcXASgfMO8eQoOOIyZcBngOb WaE0KY+e/xU37kf7Ms7g6UxTnL+hcjbYgZf2rwN7J1RXf0Z5PfyyASXi ybf3iYGs7GusXgLZ0ZEWQh0zglo2ym56CVt2TbIljJFB0lzAvezos36R SWAYfLLsfGp3v9WfG7e3D8nLvbq5D7+K3IciELr73TVly924uwfAQeEa df40dVR6qyQ++/HWaGr1wOIGLQBRzTX8gKK9RlmcHHcIZo0EFPJo0mf7 Abqpxw==
    dlv.isc.org.            2077    IN      RRSIG   DNSKEY 5 3 7200 20100619164502 20100520164502 64263 dlv.isc.org. LZd6TanU48C2BNKZhuj4vMyquNE9mnbUmk9Zy+NbIKPmJ+h2uLq2EonO GfUkxku7ZPky9DnJ3O05gwcEbVrFDjqtK+hcweu7x+wu0OaXJNsVRJ69 wQpQEkVNgoPNYsHQ6ru65ZwmOm8yRvr/1lXhbJId6j0Y2QZVXvCzVGuA 58Q=

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri May 21 11:45:00 2010
    ;; MSG SIZE  rcvd: 936

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
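Added example, not from Mark's message: a script for the two checks he asks about, whether the trusted-keys entry is one of the keys dlv.isc.org actually publishes, and whether an RRSIG over the DNSKEY RRset carries that key's tag. It computes key tags per RFC 4034 Appendix B from the DNSKEY RDATA, reads trusted-keys clauses from named.conf text and DNSKEY/RRSIG records from dig's one-record-per-line output. The named.conf fragment and dig answer below are constructed, with tiny placeholder key fields so the tags (1288 and 6672) can be recomputed by hand; they are not the real DLV key material. A matching tag is a configuration sanity check only: tags are 16 bits and collide, and the actual signature verification is named's job.

```python
"""Check that the DLV trust anchor in named.conf is a key that signs dlv.isc.org's DNSKEY RRset."""
import base64
import re
import struct
from typing import List, Set, Tuple

Key = Tuple[str, int, int, int, str]    # (owner, flags, protocol, algorithm, base64 key)


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode("".join(pubkey_b64.split()))   # key may be wrapped across lines
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _name(n: str) -> str:
    return n.lower().rstrip(".") + "."


_TK_BLOCK = re.compile(r"\btrusted-keys\s*\{(.*?)\};", re.S | re.I)
_TK_ENTRY = re.compile(r'"?([\w.-]+)"?\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;', re.S)


def parse_trusted_keys(named_conf: str) -> List[Key]:
    """Every entry of every trusted-keys clause (comments are assumed absent)."""
    keys: List[Key] = []
    for block in _TK_BLOCK.finditer(named_conf):
        for e in _TK_ENTRY.finditer(block.group(1)):
            keys.append((_name(e.group(1)), int(e.group(2)), int(e.group(3)),
                         int(e.group(4)), "".join(e.group(5).split())))
    return keys


_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(DNSKEY|RRSIG)\s+(.*)$")


def parse_answer(dig_text: str) -> Tuple[List[Key], Set[Tuple[str, int]]]:
    """DNSKEY records and (signer, key tag) of each RRSIG covering DNSKEY, from dig
    output printed one record per line (dig's default, i.e. without +multiline)."""
    keys: List[Key] = []
    sigs: Set[Tuple[str, int]] = set()
    for line in dig_text.splitlines():
        m = _RR.match(line.strip())
        if not m:
            continue
        owner, rtype, f = m.group(1), m.group(2), m.group(3).split()
        if rtype == "DNSKEY":
            keys.append((_name(owner), int(f[0]), int(f[1]), int(f[2]), "".join(f[3:])))
        elif f[0] == "DNSKEY":   # RRSIG fields: type alg labels ttl expire incept keytag signer sig
            sigs.add((_name(f[7]), int(f[6])))
    return keys, sigs


def anchor_matches_published(named_conf: str, dig_text: str) -> bool:
    """The configured anchor is byte-for-byte one of the published DNSKEYs."""
    keys, _ = parse_answer(dig_text)
    return bool(set(parse_trusted_keys(named_conf)) & set(keys))


def anchor_signs_dnskey_rrset(named_conf: str, dig_text: str) -> bool:
    """Some RRSIG over the DNSKEY RRset names the anchor's owner and key tag."""
    _, sigs = parse_answer(dig_text)
    anchors = {(n, dnskey_keytag(fl, p, a, k)) for n, fl, p, a, k in parse_trusted_keys(named_conf)}
    return bool(anchors & sigs)


# Constructed data (not the real DLV key): the key fields are tiny placeholders so the
# tags can be checked by hand, 1288 for the 257 key and 6672 for the 256 key.
NAMED_CONF = """
options { dnssec-enable yes; dnssec-validation yes; dnssec-lookaside . trust-anchor dlv.isc.org; };
trusted-keys {
    dlv.isc.org. 257 3 5 "AQI=";
};
"""
NAMED_CONF_TYPO = NAMED_CONF.replace('"AQI="', '"AQM="')   # one wrong byte in the anchor
DIG_ANSWER = """
;; ANSWER SECTION:
dlv.isc.org.  7200 IN DNSKEY 256 3 5 CgsM
dlv.isc.org.  7200 IN DNSKEY 257 3 5 AQI=
dlv.isc.org.  7200 IN RRSIG DNSKEY 5 3 7200 20100619164502 20100520164502 1288 dlv.isc.org. c2ln
dlv.isc.org.  7200 IN RRSIG DNSKEY 5 3 7200 20100619164502 20100520164502 6672 dlv.isc.org. c2ln
"""

if __name__ == "__main__":
    for label, conf in (("configured", NAMED_CONF), ("typo", NAMED_CONF_TYPO)):
        print(label, "published:", anchor_matches_published(conf, DIG_ANSWER),
              "signs RRset:", anchor_signs_dnskey_rrset(conf, DIG_ANSWER))
```

Feed it the real named.conf and the output of dig +cd +dnssec dlv.isc.org dnskey @localhost; a False from the first function means the pasted anchor is not what the zone serves (a copy error or a rolled key), and a False from the second with the first True means the DNSKEY RRset is not signed by the anchor yet.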
Understanding Total QPS from named stats
Hi Bind Users,

Good day. I wish to know what the industry standard is when dealing with the TOTAL QPS, and how we calculate this with BIND. My understanding of QPS is the queries that a DNS server has received, regardless of whether they were dealt with by a successful response, NXDOMAIN, or timed out due to a lame delegation. But is there a best practice for calculating it from the named stats? Can the dynamic updates, notifies and such be considered as queries?

There are several monitoring systems, load balancers and the like that monitor Total QPS from a DNS server registered in the system. I wish to create an in-house script to calculate it the same way.

I took two samples (with a 1 minute differential) of rndc stats of two DNS caching servers.

Thank you.

The first take showed the following, and a minute later the second:

    ++ Name Server Statistics ++
    counter                                          first take   a minute later
    IPv4 requests received                           5818360608       5817893991
    IPv6 requests received                                 4463             4463
    requests with EDNS(0) received                        16627            16627
    TCP requests received                                213523           213516
    auth queries rejected                                709406           708839
    recursive queries rejected                         10280592         10279493
    update requests rejected                                 10               10
    responses sent                                   5700295060       5699834173
    truncated responses sent                            1165166          1165099
    responses with EDNS(0) sent                           16627            16627
    queries resulted in successful answer            4692675534       4692279730
    queries resulted in authoritative answer          137516372        137507789
    queries resulted in non authoritative answer     5469041736       5468595382
    queries resulted in referral answer                  339189           339185
    queries resulted in nxrrset                       199466607        199450131
    queries resulted in SERVFAIL                       77252124         77248026
    queries resulted in NXDOMAIN                      714076778        714034125
    queries caused recursion                          980927690        980871535
    duplicate queries received                         86311171         86305506
    queries dropped                                    31745639         31745639
    other query failures                               10990123         10988457
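Added example (not from the post): a script that does the calculation asked for above. It parses the Name Server Statistics section of two rndc stats dumps, turns each counter into a per-second rate, and defines total QPS as the requests-received counters (IPv4 plus IPv6) per second, i.e. offered load before any success/NXDOMAIN/SERVFAIL/drop decision. The snapshots are constructed and 60 s apart. The post's own samples have the larger numbers in the first take, which is exactly the case the script refuses to compute: a counter that goes backwards means either the samples are in the wrong order or named restarted between them. Whether NOTIFY and UPDATE messages land in the requests-received counters is stated in the code as an assumption to verify against your BIND version.

```python
"""Per-second rates from two snapshots of named.stats (rndc stats), BIND 9.6 layout."""
import re
from typing import Dict

_SECTION = "++ Name Server Statistics ++"
_COUNTER = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_ns_stats(text: str) -> Dict[str, int]:
    """{counter name: value} from the Name Server Statistics section only."""
    counters: Dict[str, int] = {}
    in_section = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("++"):              # every "++ ... ++" line starts a new section
            in_section = (s == _SECTION)
            continue
        if in_section:
            m = _COUNTER.match(line)
            if m:
                counters[m.group(2)] = int(m.group(1))
    return counters


def rates(first: Dict[str, int], second: Dict[str, int], seconds: float) -> Dict[str, float]:
    """Per-second rate of every counter present in both snapshots.
    named's counters only grow, so a negative delta means the snapshots are in the
    wrong order or named restarted in between (counters reset): refuse rather than
    report a negative QPS."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    out: Dict[str, float] = {}
    for name in first.keys() & second.keys():
        delta = second[name] - first[name]
        if delta < 0:
            raise ValueError(f"{name!r} went backwards ({first[name]} -> {second[name]}): "
                             "swapped snapshots or named restart")
        out[name] = delta / seconds
    return out


def total_qps(r: Dict[str, float]) -> float:
    """Offered load: every request that reached named over IPv4 and IPv6, counted before
    it was answered, rejected or dropped. Assumption to verify against your BIND version:
    these two counters are bumped for every message regardless of opcode, so NOTIFY and
    UPDATE traffic is included; the 'queries resulted in ...' and 'update requests
    rejected' counters are the ones to use if you need to separate them."""
    return r.get("IPv4 requests received", 0.0) + r.get("IPv6 requests received", 0.0)


# Constructed snapshots, 60 s apart (not the poster's numbers).
SNAP_T0 = """+++ Statistics Dump +++ (1274400000)
++ Incoming Queries ++
             900000 A
++ Name Server Statistics ++
            1000000 IPv4 requests received
               4000 IPv6 requests received
                100 update requests rejected
             990000 responses sent
              20000 queries resulted in SERVFAIL
             150000 queries resulted in NXDOMAIN
++ Zone Maintenance Statistics ++
                500 IPv4 notifies sent
--- Statistics Dump --- (1274400000)
"""
SNAP_T1 = """+++ Statistics Dump +++ (1274400060)
++ Incoming Queries ++
             905400 A
++ Name Server Statistics ++
            1006000 IPv4 requests received
               4120 IPv6 requests received
                100 update requests rejected
             995940 responses sent
              20060 queries resulted in SERVFAIL
             150900 queries resulted in NXDOMAIN
++ Zone Maintenance Statistics ++
                503 IPv4 notifies sent
--- Statistics Dump --- (1274400060)
"""

if __name__ == "__main__":
    r = rates(parse_ns_stats(SNAP_T0), parse_ns_stats(SNAP_T1), 60)
    print(f"total QPS: {total_qps(r):.1f}")
    for name in ("queries resulted in SERVFAIL", "queries resulted in NXDOMAIN"):
        print(f"{name}: {r[name]:.2f}/s")
```

For a monitoring script, take the timestamp from the "+++ Statistics Dump +++" line rather than trusting the cron interval, and alert on the ValueError separately: a reset counter is a restart you want to know about, not a negative QPS sample.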
Re: Dnssec zone signing problem
In message 20100520192619.ga27...@laperouse.bortzmeyer.org, Stephane Bortzmeyer writes:
> On Thu, May 20, 2010 at 12:10:53PM -0700, itservices88 itservice...@gmail.com wrote a message of 92 lines which said:
>
>>     # dnssec-signzone -N INCREMENT mydomain.org
>>     Verifying the zone using the following algorithms: RSASHA1.
>>     Missing RSASHA1 signature for . NSEC
>>     The zone is not fully signed for the following algorithms: RSASHA1.
>>     dnssec-signzone: fatal: DNSSEC completeness test failed.
>
> I do not find these error messages in BIND source code. Are you sure you use the pristine dnssec-signzone and not, say, a local custom script?

The message is there.

    fprintf(stderr, "Missing %s signature for %s %s\n", algbuf, namebuf, typebuf);

> (dnssec-signzone is supposed to sign the zone, not to check that it is signed.)

There are lots of ways to use dnssec-signzone to sign a zone such that you can't validate it. You can also disable the checks if you need to take the zone through such a state. It's on by default so it becomes hard to shoot yourself in the foot.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Dnssec zone signing problem
In message aanlktil_-lds5t6svsfgp6u_9atklov2xfowyoovs...@mail.gmail.com, itservices88 writes:
> Hi,
>
> I am having a DNSSEC problem while signing a zone:
>
>     # dnssec-signzone -N INCREMENT mydomain.org
>     Verifying the zone using the following algorithms: RSASHA1.
>     Missing RSASHA1 signature for . NSEC
>     The zone is not fully signed for the following algorithms: RSASHA1.
>     dnssec-signzone: fatal: DNSSEC completeness test failed.
>
> What could be wrong? I have followed these steps:
>
> OS = CentOS 5.4 with bind-9.6.2-3.P1
> http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/
>
>     dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
>     dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
>     cat Kmydomain.org.+005+*.key >> mydomain.org
>     dnssec-signzone -N INCREMENT mydomain.org

I suspect we will need to see the zone and the K* files. Open a bug report with bind9-b...@isc.org and send the files to see if we can reproduce it.

> Under options in named.conf

named.conf will have no effect on this.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Web forwarding in BIND
On May 20, 2010, at 8:34 PM, Hoover Chan wrote:
> Heh, thanks for the humor. I'm used to having control over both Web server and DNS server, and the way I normally handle these things is via an Apache virtual host configuration. However, I'm under pressure to lose control of DNS and hand it over to a company like Go Daddy or Network Solutions where you can pay to have a domain name point to a specific URL. Maybe this question should change to learning how these companies do that sort of thing.

They provide one or more A records pointing to their own web server. That web server then issues an HTTP redirect.

Chris Buxton
BlueCat Networks
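Added example, not from Chris's message: the web-server half of that arrangement, in Python's standard http.server. DNS gives every forwarded name an A record for this host; the server maps the Host header to a target URL from a fixed table and answers 301 with a Location header, and anything not in the table gets 404 instead of a reflected or default target, so the service cannot be used as an open redirector. The hostnames and target URL are constructed for the example.

```python
"""Host-based HTTP forwarding: the web-server half of 'point a domain at a URL'."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed forwarding table (hostname -> target URL); the names echo the thread's
# wording and are not real. Only hosts listed here are ever redirected.
FORWARDS = {
    "www.domain.example": "http://www.someother.example/folder1/folder2/index.html",
}


def redirect_for(host_header: Optional[str]) -> Tuple[int, Optional[str]]:
    """(status, Location) for a request carrying this Host header.
    The header is normalised (port stripped, lower-cased, trailing dot removed,
    IPv6 literals unbracketed) and looked up in the table; unknown hosts get 404
    rather than any reflected or default target, so the server cannot be used
    as an open redirector."""
    if not host_header:
        return 400, None
    try:
        host = urlsplit("//" + host_header.strip()).hostname   # handles [v6]:port and :port
    except ValueError:
        return 400, None
    if not host:
        return 400, None
    target = FORWARDS.get(host.rstrip("."))
    if target is None:
        return 404, None
    return 301, target


class ForwardHandler(BaseHTTPRequestHandler):
    """Every path on a forwarded host goes to the same target, the simple case the
    hosting companies sell; per-path mapping would be a lookup on self.path here."""

    def do_GET(self) -> None:
        status, location = redirect_for(self.headers.get("Host"))
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    # DNS side: an A record for www.domain.example pointing at this host's address.
    HTTPServer(("127.0.0.1", 8080), ForwardHandler).serve_forever()
```

With the DNS record in place, curl -I http://www.domain.example/ against this host returns the 301 and the client follows it to the target; a 301 is cached by browsers, so use 302 while the target is still being changed.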
Re: Dnssec zone signing problem
Ok. I will open a bug.

Thanks
-dani

On Thu, May 20, 2010 at 8:10 PM, Mark Andrews ma...@isc.org wrote:
> In message aanlktil_-lds5t6svsfgp6u_9atklov2xfowyoovs...@mail.gmail.com, itservices88 writes:
>> Hi,
>>
>> I am having a DNSSEC problem while signing a zone:
>>
>>     # dnssec-signzone -N INCREMENT mydomain.org
>>     Verifying the zone using the following algorithms: RSASHA1.
>>     Missing RSASHA1 signature for . NSEC
>>     The zone is not fully signed for the following algorithms: RSASHA1.
>>     dnssec-signzone: fatal: DNSSEC completeness test failed.
>>
>> What could be wrong? I have followed these steps:
>>
>> OS = CentOS 5.4 with bind-9.6.2-3.P1
>> http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/
>>
>>     dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
>>     dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
>>     cat Kmydomain.org.+005+*.key >> mydomain.org
>>     dnssec-signzone -N INCREMENT mydomain.org
>
> I suspect we will need to see the zone and the K* files. Open a bug report with bind9-b...@isc.org and send the files to see if we can reproduce it.
>
>> Under options in named.conf
>
> named.conf will have no effect on this.
>
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: dnssec dlv
I missed the trusted key. Thanks.

Here is the other output:

    # dig +cd +dnssec dlv.isc.org dnskey @localhost

    ; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +cd +dnssec dlv.isc.org dnskey @localhost
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63788
    ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;dlv.isc.org.                   IN      DNSKEY

    ;; ANSWER SECTION:
    dlv.isc.org.            6752    IN      DNSKEY  256 3 5 BEOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAaGPT+Q0kpiN+7 GviFh+nIazoB8e2Yv7mupgqkmIjObdcbGstYpUltdECdNpNmBvASKB9S BdtGeRvXXpORi3Qyxb9kHGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBF tCibp/mkhw==
    dlv.isc.org.            6752    IN      DNSKEY  257 3 5 BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
    dlv.isc.org.            6752    IN      RRSIG   DNSKEY 5 3 7200 20100620033002 20100521033002 19297 dlv.isc.org. eEHtGjgatqIgxeCCcXJrZpaS5KzlWHbL/uNL9oqd/KnQwyVsqdZKhVR2 U9xcGmtu0GAUTdogSQvhzK92y1qF9FuLlmlBDc9pvLBCf5dc7kIJ61ey vOZi18iZIv9+MyoE2ex/KfAHdHZUp3TUzgen7iGxba/yt9/dcJE6iFhz Kk2FSxxG7PFgHRZZJl9aVxuPlNjCnm1gwnuvdKame73tZrlzAK3GBbTo IEE2QSKs47glxhF5/Xka4UqYZ7wSvuCPG/xFn67FXVOHFQvZjNBxWX3V H1jmoJhyLmpCI4JdwGBr7jwPDURDsL2iAUkfpPIuparlq6DwII3lzrqC gA1M6w==
    dlv.isc.org.            6752    IN      RRSIG   DNSKEY 5 3 7200 20100620033002 20100521033002 64263 dlv.isc.org. TbUCfqArddr/0K7NVhL+UNQuM2dDremcvzLbWz6odZzIwdC/MqHzzAj6 rbgHT+uwGZ6t+4ec5Hts9VWh+BEyx5pi6lnhKJjwcFwrXiBauppce11P uWG3AiJZeiYoCWu2E4CqhpW96ZrycRQYehWfsmDsR1BCglVytxJwYUhT WMg=

    ;; Query time: 4 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Thu May 20 21:52:59 2010
    ;; MSG SIZE  rcvd: 936

On Thu, May 20, 2010 at 6:45 PM, Mark Andrews ma...@isc.org wrote:
> In message aanlktikyznh9_cgpb2efye_-yuu4n3bs75fwzp-jz...@mail.gmail.com, itservices88 writes:
>> Hi,
>>
>> Whenever I enable:
>>
>>     dnssec-lookaside . trust-anchor DLV.ISC.ORG;
>>
>> in the named.conf and restart bind, DNS resolution stops. On the same FC12 machine, dig using an outside DNS server has no issues resolving with the +dnssec option. I am using bind 9.6.2 that came with FC12.
>>
>> Any thoughts?
>>
>> -dani
>
> Have you added the trusted-keys clause for dlv.isc.org?
>
>     trusted-keys {
>         dlv.isc.org. 257 3 5 "BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
>     };
>
> Does dig +cd +dnssec dlv.isc.org dnskey return RRSIGs? e.g.
>
>     ; <<>> DiG 9.3.6-P1 <<>> +cd +dnssec dlv.isc.org dnskey
>     ;; global options:  printcmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14675
>     ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags: do; udp: 4096
>     ;; QUESTION SECTION:
>     ;dlv.isc.org.                   IN      DNSKEY
>
>     ;; ANSWER SECTION:
>     dlv.isc.org.            2077    IN      DNSKEY  256 3 5 BEOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAaGPT+Q0kpiN+7 GviFh+nIazoB8e2Yv7mupgqkmIjObdcbGstYpUltdECdNpNmBvASKB9S BdtGeRvXXpORi3Qyxb9kHGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBF tCibp/mkhw==
>     dlv.isc.org.            2077    IN      DNSKEY  257 3 5 BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
>     dlv.isc.org.            2077    IN      RRSIG   DNSKEY 5 3 7200 20100619164502 20100520164502 19297 dlv.isc.org. OKURcBkX5iiDC1q87HsSs2xDcDrMm5aPAlYHkPqkHCy7UyTOnCr6cwwN W42mdG4nmpURR4aDGiPlfc1lomE5kA5wOcXASgfMO8eQoOOIyZcBngOb WaE0KY+e/xU37kf7Ms7g6UxTnL+hcjbYgZf2rwN7J1RXf0Z5PfyyASXi ybf3iYGs7GusXgLZ0ZEWQh0zglo2ym56CVt2TbIljJFB0lzAvezos36R SWAYfLLsfGp3v9WfG7e3D8nLvbq5D7+K3IciELr73TVly924uwfAQeEa df40dVR6qyQ++/HWaGr1wOIGLQBRzTX8gKK9RlmcHHcIZo0EFPJo0mf7 Abqpxw==
>     dlv.isc.org.            2077    IN      RRSIG   DNSKEY 5 3 7200 20100619164502 20100520164502 64263 dlv.isc.org. LZd6TanU48C2BNKZhuj4vMyquNE9mnbUmk9Zy+NbIKPmJ+h2uLq2EonO GfUkxku7ZPky9DnJ3O05gwcEbVrFDjqtK+hcweu7x+wu0OaXJNsVRJ69 wQpQEkVNgoPNYsHQ6ru65ZwmOm8yRvr/1lXhbJId6j0Y2QZVXvCzVGuA 58Q=
>
>     ;; Query time: 1 msec
>     ;; SERVER: 127.0.0.1#53(127.0.0.1)
>     ;; WHEN: Fri May 21 11:45:00 2010
>     ;; MSG SIZE  rcvd: