Validating a DNSSEC installation

Erik Lotspeich erik at lotspeich.org
Wed Jun 17 06:25:55 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Chris,

Thanks for your response -- that explains it.  I hope that you don't
mind if I continue this discussion with another question.

I changed my configuration to use views to separate my external zone
(for which BIND is authoritative) from internal clients (which should
use BIND as a validating resolver).  I now receive the expected behavior
-- sort of.

root@starfish:/home/erik# dig +dnssec +adflag @localhost lotspeich.org

; <<>> DiG 9.6.1 <<>> +dnssec +adflag @localhost lotspeich.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60454
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
[snip]

root@starfish:/home/erik# dig +adflag @localhost lotspeich.org

; <<>> DiG 9.6.1 <<>> +adflag @localhost lotspeich.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3194
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

As you can see, the ad bit is set when +dnssec is used along with
+adflag.  However, I can receive the ad bit without +dnssec when making
other queries:

root@starfish:/home/erik# dig +adflag isc.org.

; <<>> DiG 9.6.1 <<>> +adflag isc.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6612
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

Is this expected or do I need to fine-tune my configuration further?

Thanks,

Erik.

Chris Buxton wrote:
> On Jun 13, 2009, at 4:59 AM, Erik Lotspeich wrote:
>> Is it normal that a validating resolver can't validate a domain it is
>> authoritative for?
> 
> Absolutely. As Alan Clegg wrote not long ago on this list, this is why a
> DNSSEC validating resolver should not be authoritative for any signed
> zones.
> 
> Chris Buxton
> Professional Services
> Men & Mice
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iEYEARECAAYFAko4jHMACgkQY21D/n6bGwcU8QCgvliX8Hbu3A0BvTjbo9LxaS8B
EBkAn0m0N9btGvXrGaiORug3M03RF7Eh
=Fpf5
-----END PGP SIGNATURE-----
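
The three dig runs in the message differ only in what they put on the wire: +adflag sets the AD bit in the query header, +dnssec adds an EDNS0 OPT record with the DO bit set, and a validating resolver sets AD in the reply only when it validated everything in the answer and authority sections. The script below, added here as an example and not part of the original post or of BIND, builds those queries with the standard library only, so the same four combinations can be run against any resolver and the reply flags compared the way dig prints them. The names lotspeich.org and isc.org are taken from the post; the default server 127.0.0.1, UDP/53, and the SAMPLE_REPLY bytes are assumptions/constructed data. Only trust an AD bit from a validating resolver you control, reached over a path nobody can tamper with; a stub that accepts AD from an arbitrary upstream gains nothing.

```python
"""Send DNS queries the way `dig +adflag` / `dig +dnssec` do and report the
AD bit in the reply, using only the Python standard library.

Assumptions (not from the original post): resolver on UDP/53, default
server 127.0.0.1, and the constructed SAMPLE_REPLY used for offline checks.
"""
import os
import socket
import struct
import sys

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
# The DO bit is the top bit of the OPT record's 32-bit "TTL" field (RFC 3225).
EDNS_DO = 0x8000


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=1, qid=0x1234, ad=False, do=False):
    """Build a recursive query. ad=True sets the AD header bit (dig +adflag);
    do=True appends an EDNS0 OPT RR with DO set (dig +dnssec)."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, class IN
    if do:
        # OPT RR: root owner name, type 41, "class" = UDP payload size,
        # "TTL" = ext-rcode | version | flags (DO is the top flag bit), no rdata.
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return msg


def parse_header(data):
    """Return the header fields of a DNS message as a dict."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid, "rcode": flags & 0x000F,
        "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "query": qd, "answer": an, "authority": ns, "additional": ar,
    }


def flags_string(hdr):
    """Render header flags the way dig prints them, e.g. 'qr rd ra ad'."""
    return " ".join(f for f in ("qr", "rd", "ra", "ad", "cd") if hdr[f])


def query(server, name, ad=False, do=False, timeout=3.0):
    """Send one UDP query and parse the reply header (needs a live resolver)."""
    qid = int.from_bytes(os.urandom(2), "big")  # random ID, checked on reply
    msg = build_query(name, qid=qid, ad=ad, do=do)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return hdr


# Constructed sample reply header (not captured from the post's server):
# id 0x1234, flags qr rd ra ad, 1 question, 2 answers, 0 authority, 1 additional.
SAMPLE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name in ("lotspeich.org", "isc.org"):
        for ad, do in ((False, False), (True, False), (False, True), (True, True)):
            hdr = query(server, name, ad=ad, do=do)
            print("%-14s +adflag=%-5s +dnssec=%-5s -> flags: %s"
                  % (name, ad, do, flags_string(hdr)))
```

Run it as `python3 adcheck.py 127.0.0.1` against the view that serves internal clients; an answer that comes back with `ad` only when DO is set, or never, points at how the view is configured (validation, trust anchors, whether the zone is served authoritatively in that view) rather than at the signed zone itself.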
