Validating a DNSSEC installation
Erik Lotspeich
erik at lotspeich.org
Wed Jun 17 06:25:55 UTC 2009
Hi Chris,
Thanks for your response -- that explains it. I hope that you don't
mind if I continue this discussion with another question.
I changed my configuration to use views to separate my external zone
(for which BIND is authoritative) from internal clients (which should
use BIND as a validating resolver). I now receive the expected behavior
-- sort of.
root at starfish:/home/erik# dig +dnssec +adflag @localhost lotspeich.org
; <<>> DiG 9.6.1 <<>> +dnssec +adflag @localhost lotspeich.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60454
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
[snip]
root at starfish:/home/erik# dig +adflag @localhost lotspeich.org
; <<>> DiG 9.6.1 <<>> +adflag @localhost lotspeich.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3194
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
As you can see, the ad bit is set when +dnssec is used along with
+adflag. However, I can receive the ad bit without +dnssec when making
other queries:
root at starfish:/home/erik# dig +adflag isc.org.
; <<>> DiG 9.6.1 <<>> +adflag isc.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6612
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
Is this expected or do I need to fine-tune my configuration further?
Thanks,
Erik.
Chris Buxton wrote:
> On Jun 13, 2009, at 4:59 AM, Erik Lotspeich wrote:
>> Is it normal that a validating resolver can't validate a domain it is
>> authoritative for?
>
> Absolutely. As Alan Clegg wrote not long ago on this list, this is why a
> DNSSEC validating resolver should not be authoritative for any signed
> zones.
>
> Chris Buxton
> Professional Services
> Men & Mice
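An added checker, not code from the post or from BIND, that parses the header lines of captured dig transcripts like the ones quoted above and classifies each run by its AD bit; the function names (parse_dig, validation_status, compare_runs) are its own, and it assumes dig output in the format shown rather than querying a server.

```python
import re
from dataclasses import dataclass

# Captured dig output, trimmed to the three header lines each run needs
# (copied from the transcripts in the message above, not fetched live).
RUN_DO = """; <<>> DiG 9.6.1 <<>> +dnssec +adflag @localhost lotspeich.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60454
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
RUN_NODO = """; <<>> DiG 9.6.1 <<>> +adflag @localhost lotspeich.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3194
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1"""
RUN_ISC = """; <<>> DiG 9.6.1 <<>> +adflag isc.org.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6612
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4"""

CMD_RE = re.compile(r"^; <<>> DiG \S+ <<>> (.+)$", re.M)
STATUS_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);\s*QUERY: \d+, ANSWER: (\d+)", re.M)


@dataclass(frozen=True)
class DigRun:
    args: str          # dig arguments as echoed in the banner line
    status: str        # RCODE text, e.g. NOERROR or SERVFAIL
    flags: frozenset   # header flags: qr aa rd ra ad cd ...
    answers: int       # ANSWER section count


def parse_dig(text: str) -> DigRun:
    """Extract the header fields from one dig transcript."""
    cmd, status, flags = CMD_RE.search(text), STATUS_RE.search(text), FLAGS_RE.search(text)
    if not (cmd and status and flags):
        raise ValueError("not a dig transcript with a header block")
    return DigRun(cmd.group(1).strip(), status.group(1),
                  frozenset(flags.group(1).split()), int(flags.group(2)))


def validation_status(run: DigRun) -> str:
    """Classify a run by its AD bit. A resolver sets AD only when it validated
    the answer, and only if the query set DO (+dnssec) or AD (+adflag)."""
    if run.status != "NOERROR":
        return f"{run.status} (a validation failure shows up as SERVFAIL)"
    if "aa" in run.flags:
        return "authoritative answer, not a validated recursive one"
    requested = "+dnssec" in run.args or "+adflag" in run.args
    if "ad" in run.flags:
        return "validated (ad set)"
    return "not validated (ad clear)" if requested else "ad not requested by the query"


def compare_runs(*texts: str) -> dict:
    """Map each run's arguments to its status, e.g. to diff +dnssec vs. without."""
    return {r.args: validation_status(r) for r in map(parse_dig, texts)}
```

Feed it the full output of each dig invocation; the extra sections are ignored and only the banner and header lines are read.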