Cannot configure BIND as a DNSSEC validator
B C
brettlists at gmail.com
Wed May 21 08:10:26 UTC 2008
Stephane,
There was an extra config option added in 9.4:
dnssec-validation [yes|no]
This defaults to no, so you need to add it to your config.
Hope it helps
Brett
On Wed, May 21, 2008 at 8:36 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr>
wrote:
> I try, for the first time, to enable DNSSEC validation on a recursive
> BIND name server (9.4.2, so Mark will not scream Upgrade!)
>
> I followed the instructions in
> <http://www.nlnetlabs.nl/dnssec_howto/#x1-40001>.
>
> I get no ad bit in dig's output:
>
> % dig +dnssec @127.0.0.1 SOA sources.org
>
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 SOA sources.org
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13389
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 4
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;sources.org. IN SOA
>
> ;; ANSWER SECTION:
> sources.org. 86400 IN SOA ns3.bortzmeyer.org. hostmaster.bortzmeyer.org. 2008042203 7200 3600 604800 43200
> sources.org. 86400 IN RRSIG SOA 3 2 86400 20080522104407 20080422104407 55957 sources.org. CCERmkafyJUEwJN3QHF/kPYsrqNORNUInAbxz2RmbxZg4vqn4e14PvI=
>
> OK, so there is something wrong in my configuration. The problem is
> that I tried to enable logging to debug:
>
>
> logging {
> channel dnssec_log { // a DNSSEC log channel
> file "/var/tmp/bindlog/dnssec.log" size 20m;
> print-time yes; // timestamp the entries
> print-category yes; // add category name to entries
> print-severity yes; // add severity level to entries
> severity debug 7; // print debug message <= 7
> };
>
> And the log file is created but is always empty, so debugging is
> difficult.
>
> The configuration:
>
> options {
>
> ...
>
> dnssec-enable yes;
>
> };
>
> trusted-keys {
>
> "sources.org." 256 3 3
> "CL9vwM+5gCMZdycMOYJQ7lSspHDTsaZmZkDRl+KNx/VytmbPS
> fcdYmhJ JHyTdGpzqXmm6qEd4Kpyqbd59RXv9JCVVM3MntiX/hruxbB3WsV0hlVe
> j1IuWFDncJFLWha
> D9UjgGm+UoqlQJGVJrGZf7KvwL4iKZhr1fiDEJFD7
> e9cxU8dojhHpmmAOZLjEYKytDMB0rj8/Mnm5cV
> Vu29UFS+0yjvkdbQD0 EJ9FwF/8MwG4DHj6ZtFwxeNp2NCD6oj0kxDi5ktY0rQtSv506aAMmGBq
> S6tN
> no+g9KgCLZ5jk5e8fpl9Rlmd2SlVMAyf8E3C9joBZqCqYX+VcooS
> rcvgn/4m6CTDPxK+DuE+KW5/NiE
> 062MKdID7xAxiCj14Suj9K9TKL60b
> uuFagJ3qTjhS5C62uPk8U9+zHpQ0qjcb0gv3/M+lRcXi46g0OF
> 17cTLy 83lgU6s2ApMmaboeUbm23lfCEl8B6R2BhE98mfoDNg+Xlj63X8w93LCo
> XP/c1SZivNolol/K
> y6apULe3euFuwdOFfYCR";
>
> };
>
> logging {
> // See above
>
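
The check below is an added example, not code from the thread or from BIND. It reads a named.conf text and reports whether `dnssec-validation yes;` is actually set inside `options`, and whether a dig header line carries the `ad` flag. The function names and the sample configuration are constructed for illustration, and an absent option is treated as "no", as the reply describes for 9.4.

```python
import re

# Quoted strings are matched first so "//" inside a base64 key is not taken as a comment.
_SKIP = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def clean(conf):
    """Drop named.conf comments and blank out string contents."""
    return _SKIP.sub(lambda m: '""' if m.group(0)[0] == '"' else " ", conf)

def options_block(conf):
    """Return the body of the top-level options { ... } statement, or ""."""
    m = re.search(r"(?<![\w-])options\s*\{", conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def validation_enabled(conf):
    """True only when options sets dnssec-validation yes explicitly.
    Assumes the 9.4 behaviour described in the reply: absent means no."""
    m = re.search(r"(?<![\w-])dnssec-validation\s+(\w+)\s*;", options_block(clean(conf)))
    return bool(m) and m.group(1).lower() == "yes"

def has_ad_flag(dig_output):
    """True when the ';; flags:' header line of dig output contains ad."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    return bool(m) and "ad" in m.group(1).split()

# Constructed sample modelled on the posted configuration; the key is a placeholder.
BEFORE = '''
options {
    dnssec-enable yes;
    // dnssec-validation yes;   (commented out, so it does not count)
};
trusted-keys { "sources.org." 256 3 3 "PLACEHOLDER//KEY=="; };
'''
AFTER = BEFORE.replace("// dnssec-validation yes;", "dnssec-validation yes;\n    //")
DIG_FLAGS = ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 4"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, "validation enabled:", validation_enabled(conf))
    print("ad flag in posted dig header:", has_ad_flag(DIG_FLAGS))
```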
>