Cannot configure BIND as a DNSSEC validator

B C brettlists at gmail.com
Wed May 21 08:10:26 UTC 2008


Stephane,
    there was an extra config option added in 9.4
dnssec-validation [yes|no]

This defaults to no, so you need to add it to your config.

Hope it helps

Brett



On Wed, May 21, 2008 at 8:36 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr>
wrote:

> I try, for the first time, to enable DNSSEC validation on a recursive
> BIND name server (9.4.2, so Mark will not scream Upgrade!)
>
> I followed the instructions in
> <http://www.nlnetlabs.nl/dnssec_howto/#x1-40001>.
>
> I get no ad bit in dig's output:
>
> % dig +dnssec @127.0.0.1 SOA sources.org
>
> ; <<>> DiG 9.4.2 <<>> +dnssec @127.0.0.1 SOA sources.org
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13389
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 4
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;sources.org.                   IN      SOA
>
> ;; ANSWER SECTION:
> sources.org.            86400   IN      SOA     ns3.bortzmeyer.org.
> hostmaster.bortzmeyer.org. 2008042203 7200 3600 604800 43200
> sources.org.            86400   IN      RRSIG   SOA 3 2 86400
> 20080522104407 20080422104407 55957 sources.org.
> CCERmkafyJUEwJN3QHF/kPYsrqNORNUInAbxz2RmbxZg4vqn4e14PvI=
>
> OK, so there is something wrong in my configuration. The problem is
> that I tried to enable logging to debug:
>
>
>  logging {
>          channel dnssec_log {             // a DNSSEC log channel
>                  file "/var/tmp/bindlog/dnssec.log" size 20m;
>                  print-time yes;        // timestamp the entries
>                  print-category yes;    // add category name to entries
>                  print-severity yes;    // add severity level to entries
>                  severity debug 7;      // print debug message <= 7
>          };
>
> And the log file is created but is always empty, so debugging is
> difficult.
>
> The configuration:
>
> options {
>
>        ...
>
>        dnssec-enable yes;
>
> };
>
> trusted-keys {
>
>           "sources.org." 256 3 3
> "CL9vwM+5gCMZdycMOYJQ7lSspHDTsaZmZkDRl+KNx/VytmbPS
> fcdYmhJ JHyTdGpzqXmm6qEd4Kpyqbd59RXv9JCVVM3MntiX/hruxbB3WsV0hlVe
> j1IuWFDncJFLWha
> D9UjgGm+UoqlQJGVJrGZf7KvwL4iKZhr1fiDEJFD7
> e9cxU8dojhHpmmAOZLjEYKytDMB0rj8/Mnm5cV
> Vu29UFS+0yjvkdbQD0 EJ9FwF/8MwG4DHj6ZtFwxeNp2NCD6oj0kxDi5ktY0rQtSv506aAMmGBq
> S6tN
> no+g9KgCLZ5jk5e8fpl9Rlmd2SlVMAyf8E3C9joBZqCqYX+VcooS
> rcvgn/4m6CTDPxK+DuE+KW5/NiE
> 062MKdID7xAxiCj14Suj9K9TKL60b
> uuFagJ3qTjhS5C62uPk8U9+zHpQ0qjcb0gv3/M+lRcXi46g0OF
> 17cTLy 83lgU6s2ApMmaboeUbm23lfCEl8B6R2BhE98mfoDNg+Xlj63X8w93LCo
> XP/c1SZivNolol/K
> y6apULe3euFuwdOFfYCR";
>
>        };
>
>  logging {
>    // See above
>
>
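Added example, not part of either message in this thread: a small Python script that checks the two things the exchange turns on. First, whether a named.conf options block actually turns validation on, given Brett's point that in BIND 9.4 `dnssec-validation` defaults to `no` even with `dnssec-enable yes` (the two sample blocks are constructed from the quoted configuration, before and after adding the option). Second, whether a dig answer carries the `ad` flag that a validating resolver sets, which is the symptom Stephane reports; the sample dig output is constructed from the header lines quoted above. The function names and the constructed samples are this example's own.

```python
"""
Two checks for the problem discussed above:
  1. does named.conf enable validation, not just DNSSEC-aware responses?
     (in BIND 9.4 `dnssec-validation` defaults to no, so it must be explicit)
  2. did the resolver set the `ad` flag on a +dnssec query?
"""
import re

# Constructed sample: the options block as quoted (validation option absent).
NAMED_CONF_BEFORE = """
options {
        dnssec-enable yes;
};
"""

# Constructed sample: the same block with the 9.4 option added.
NAMED_CONF_AFTER = """
options {
        dnssec-enable yes;
        dnssec-validation yes;
};
"""

# Constructed sample: header lines of the dig output quoted above (no ad flag).
DIG_OUTPUT = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13389
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

_OPTION_RE = re.compile(r'^\s*(dnssec-enable|dnssec-validation)\s+(yes|no)\s*;', re.M)
_FLAGS_RE = re.compile(r'^;; flags: ([a-z ]*);', re.M)
_EDNS_RE = re.compile(r'^; EDNS: version: \d+, flags: ([a-z ]*);', re.M)


def dnssec_settings(named_conf):
    """Map each DNSSEC option to True/False, or None when it is absent
    (absent means the 9.4 default applies, which for validation is no)."""
    found = {'dnssec-enable': None, 'dnssec-validation': None}
    for name, value in _OPTION_RE.findall(named_conf):
        found[name] = (value == 'yes')
    return found


def validation_enabled(named_conf):
    """True only if both options are explicitly set to yes."""
    settings = dnssec_settings(named_conf)
    return bool(settings['dnssec-enable']) and bool(settings['dnssec-validation'])


def dig_flags(output):
    """Header flags (qr, rd, ra, ad, ...) from dig output, as a set."""
    match = _FLAGS_RE.search(output)
    return set(match.group(1).split()) if match else set()


def edns_flags(output):
    """EDNS flags (do, ...) from the OPT pseudosection, as a set."""
    match = _EDNS_RE.search(output)
    return set(match.group(1).split()) if match else set()


def validated(output):
    """True if the resolver marked the answer authenticated (ad flag)."""
    return 'ad' in dig_flags(output)


def diagnose(output, named_conf):
    """One-line explanation of why an answer was or was not validated."""
    if 'do' not in edns_flags(output):
        return 'query did not request DNSSEC (run dig with +dnssec)'
    if validated(output):
        return 'answer validated (ad flag set)'
    if not validation_enabled(named_conf):
        return 'no ad flag: dnssec-validation is not yes (9.4 default is no)'
    return 'no ad flag: validation is on, check trusted-keys and the chain'


if __name__ == '__main__':
    print(diagnose(DIG_OUTPUT, NAMED_CONF_BEFORE))
    print(diagnose(DIG_OUTPUT, NAMED_CONF_AFTER))
```

The config check is deliberately strict: an absent `dnssec-validation` counts as off, matching the 9.4 default Brett describes, so a server that only has `dnssec-enable yes` is reported as a non-validator rather than left ambiguous.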