Secure zone acting insecure
Robert Martin
rmartin at viclink.com
Sat Apr 28 06:58:18 UTC 2001
I am experimenting with a secure zone for the first time, using BIND
9.1.0. I've produced a secure zone file (the signed file) using the
tools that come with it, and I've replaced the insecure zone file
with the signed file in named.conf. I've looked over the signed file,
and it seems correct: every record has a SIG and NXT record
associated with it. I've used both DSA and RSA keys.
The problem comes when I use dig to interrogate the server. When I
make a request of the form:
    dig @127.0.0.1 www.mycom.example.
all I get back is the address record without a SIG or KEY in the
reply. I've also tried to generate an NXT reply with a bad name, but
the reply is a conventional NXDOMAIN error. I believe it's accessing
the correct zone file, because when I ask for ANY or SIG records,
then I do get them in the reply.
I've looked at the messages log to verify that it is 9.1 that's
starting (and not 8.x), and it starts without errors. I've also tried
+CD in the request, but that didn't seem to help.
I'm hoping that there is an easy fix, like adding some directive to
my config file. Any help is greatly appreciated.
Robert Martin