Cannot configure BIND as a DNSSEC validator
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed May 21 07:36:01 UTC 2008
I try, for the first time, to enable DNSSEC validation on a recursive
BIND name server (9.4.2, so Mark will not scream Upgrade!)
I followed the instructions in
<http://www.nlnetlabs.nl/dnssec_howto/#x1-40001>.
I get no ad bit in dig's output:
% dig +dnssec @127.0.0.1 SOA sources.org
; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 SOA sources.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13389
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;sources.org. IN SOA
;; ANSWER SECTION:
sources.org. 86400 IN SOA ns3.bortzmeyer.org. hostmaster.bortzmeyer.org. 2008042203 7200 3600 604800 43200
sources.org. 86400 IN RRSIG SOA 3 2 86400 20080522104407 20080422104407 55957 sources.org. CCERmkafyJUEwJN3QHF/kPYsrqNORNUInAbxz2RmbxZg4vqn4e14PvI=
OK, so there is something wrong in my configuration. The problem is
that I tried to enable logging to debug:
logging {
    channel dnssec_log { // a DNSSEC log channel
        file "/var/tmp/bindlog/dnssec.log" size 20m;
        print-time yes; // timestamp the entries
        print-category yes; // add category name to entries
        print-severity yes; // add severity level to entries
        severity debug 7; // print debug messages <= 7
    };
And the log file is created but is always empty, so debugging is
difficult.
The configuration:
options {
    ...
    dnssec-enable yes;
};
trusted-keys {
"sources.org." 256 3 3 "CL9vwM+5gCMZdycMOYJQ7lSspHDTsaZmZkDRl+KNx/VytmbPS
fcdYmhJ JHyTdGpzqXmm6qEd4Kpyqbd59RXv9JCVVM3MntiX/hruxbB3WsV0hlVe j1IuWFDncJFLWha
D9UjgGm+UoqlQJGVJrGZf7KvwL4iKZhr1fiDEJFD7 e9cxU8dojhHpmmAOZLjEYKytDMB0rj8/Mnm5cV
Vu29UFS+0yjvkdbQD0 EJ9FwF/8MwG4DHj6ZtFwxeNp2NCD6oj0kxDi5ktY0rQtSv506aAMmGBq S6tN
no+g9KgCLZ5jk5e8fpl9Rlmd2SlVMAyf8E3C9joBZqCqYX+VcooS rcvgn/4m6CTDPxK+DuE+KW5/NiE
062MKdID7xAxiCj14Suj9K9TKL60b uuFagJ3qTjhS5C62uPk8U9+zHpQ0qjcb0gv3/M+lRcXi46g0OF
17cTLy 83lgU6s2ApMmaboeUbm23lfCEl8B6R2BhE98mfoDNg+Xlj63X8w93LCo XP/c1SZivNolol/K
y6apULe3euFuwdOFfYCR";
};
logging {
    // See above
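For comparison, here is a minimal named.conf for a BIND 9.4 validating resolver. This is an added example, not the poster's configuration or anything from the NLnet Labs howto; the directory path and the trust anchor are placeholders. It shows the two pieces a validator needs beyond `dnssec-enable`: `dnssec-validation yes` (off by default in 9.4) and, for the log channel, a `category` statement that actually routes messages into the channel.

```conf
// Added example (not the poster's config): minimal validating resolver.
options {
    directory "/var/named";          // assumed path
    recursion yes;
    dnssec-enable yes;               // send/accept DNSSEC records (EDNS DO bit)
    dnssec-validation yes;           // validate answers; defaults to no in 9.4
};

// Trust anchor for the zone to validate. PLACEHOLDER: replace with the
// zone's real DNSKEY (flags, protocol, algorithm, base64 key material).
trusted-keys {
    "example.org." 257 3 5 "PLACEHOLDER-BASE64-DNSKEY";
};

logging {
    channel dnssec_log {
        file "/var/tmp/bindlog/dnssec.log" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 7;
    };
    // A channel only receives messages once a category is bound to it;
    // without this line the file is created but never written to.
    category dnssec { dnssec_log; };
};
```

After reloading, `dig +dnssec @127.0.0.1 SOA example.org` should show `ad` in the flags line when validation succeeds, and dnssec.log should fill with validator messages for every DNSSEC-signed answer the resolver processes.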