Cannot configure BIND as a DNSSEC validator

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed May 21 07:36:01 UTC 2008


I am trying, for the first time, to enable DNSSEC validation on a recursive
BIND name server (9.4.2, so Mark will not scream Upgrade!).

I followed the instructions in
<http://www.nlnetlabs.nl/dnssec_howto/#x1-40001>.

I get no ad bit in dig's output:

% dig +dnssec @127.0.0.1 SOA sources.org 

; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 SOA sources.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13389
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;sources.org.                   IN      SOA

;; ANSWER SECTION:
sources.org.            86400   IN      SOA     ns3.bortzmeyer.org. hostmaster.bortzmeyer.org. 2008042203 7200 3600 604800 43200
sources.org.            86400   IN      RRSIG   SOA 3 2 86400 20080522104407 20080422104407 55957 sources.org. CCERmkafyJUEwJN3QHF/kPYsrqNORNUInAbxz2RmbxZg4vqn4e14PvI=

OK, so there is something wrong in my configuration. The problem is
that I tried to enable logging to debug:


 logging {
          channel dnssec_log {             // a DNSSEC log channel
                  file "/var/tmp/bindlog/dnssec.log" size 20m;
                  print-time yes;        // timestamp the entries
                  print-category yes;    // add category name to entries
                  print-severity yes;    // add severity level to entries
                  severity debug 7;      // print debug message <= 7
          };

And the log file is created but is always empty, so debugging is
difficult.

The configuration:

options {
        
        ...

        dnssec-enable yes;

};

trusted-keys {

           "sources.org." 256 3 3 "CL9vwM+5gCMZdycMOYJQ7lSspHDTsaZmZkDRl+KNx/VytmbPS
fcdYmhJ JHyTdGpzqXmm6qEd4Kpyqbd59RXv9JCVVM3MntiX/hruxbB3WsV0hlVe j1IuWFDncJFLWha
D9UjgGm+UoqlQJGVJrGZf7KvwL4iKZhr1fiDEJFD7 e9cxU8dojhHpmmAOZLjEYKytDMB0rj8/Mnm5cV
Vu29UFS+0yjvkdbQD0 EJ9FwF/8MwG4DHj6ZtFwxeNp2NCD6oj0kxDi5ktY0rQtSv506aAMmGBq S6tN
no+g9KgCLZ5jk5e8fpl9Rlmd2SlVMAyf8E3C9joBZqCqYX+VcooS rcvgn/4m6CTDPxK+DuE+KW5/NiE
062MKdID7xAxiCj14Suj9K9TKL60b uuFagJ3qTjhS5C62uPk8U9+zHpQ0qjcb0gv3/M+lRcXi46g0OF
17cTLy 83lgU6s2ApMmaboeUbm23lfCEl8B6R2BhE98mfoDNg+Xlj63X8w93LCo XP/c1SZivNolol/K
y6apULe3euFuwdOFfYCR";

        };

 logging {
    // See above
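
A triage of the dig response quoted above, as an added example that is not part of the original post: it reads dig's text output and reports whether DO was sent, whether AD came back, and whether each RRSIG is inside its validity window. The function names and the trimmed sample (signature elided) are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: trimmed from the dig output in the post, signature elided.
SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 4
; EDNS: version: 0, flags: do; udp: 4096
sources.org. 86400 IN SOA ns3.bortzmeyer.org. hostmaster.bortzmeyer.org. 2008042203 7200 3600 604800 43200
sources.org. 86400 IN RRSIG SOA 3 2 86400 20080522104407 20080422104407 55957 sources.org. ELIDED=
"""

# RRSIG rdata order: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name (then the signature).
RRSIG = re.compile(r"\sIN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+"
                   r"\s+(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)")

def _ts(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def _flags(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1).split() if m else []

def triage(dig_text, now):
    """Collect the DNSSEC-relevant facts from one dig response."""
    sigs = []
    for covered, alg, exp, inc, tag, signer in RRSIG.findall(dig_text):
        sigs.append({"covered": covered, "alg": int(alg), "keytag": int(tag),
                     "signer": signer, "in_window": _ts(inc) <= now <= _ts(exp)})
    return {"ad": "ad" in _flags(r"^;; flags:([a-z ]*);", dig_text),
            "do": "do" in _flags(r"^; EDNS:.*flags:([a-z ]*);", dig_text),
            "rrsigs": sigs}

def explain(r):
    """Turn the facts into the next thing to check."""
    if r["ad"]:
        return "AD set: the resolver validated this answer"
    if not r["do"]:
        return "DO not sent: query again with +dnssec"
    if not r["rrsigs"]:
        return "no RRSIG returned: zone unsigned or signatures stripped on the path"
    if any(not s["in_window"] for s in r["rrsigs"]):
        return "RRSIG outside its validity window: check clocks and re-signing"
    tags = ", ".join(f'{s["signer"]} key tag {s["keytag"]}' for s in r["rrsigs"])
    return f"signatures look usable ({tags}): check the resolver's validation settings and trust anchors"

if __name__ == "__main__":
    when = datetime(2008, 5, 21, 7, 36, 1, tzinfo=timezone.utc)  # date of the post
    print(explain(triage(SAMPLE, when)))
```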

