DNSSEC validation works with DLV, but not with just trusted-key

Hanno Böck hanno at hboeck.de
Wed Nov 25 15:19:46 UTC 2009


Maybe I'm getting something wrong here, but as far as I understand, when I 
enable dnssec and dnssec-validation and have a zone with a trusted-key, bind 
should not answer requests for records with bad dnssec signatures.

This is my config:

trusted-keys {
org. 257 3 7 

options {
        directory "/var/bind";
        listen-on-v6 { none; };
        listen-on {; };
        pid-file "/var/run/named/named.pid";

        dnssec-enable yes;
        dnssec-validation yes;

Now, a
dig baddata-A.test.dnssec-tools.org @localhost

gives me an answer:
baddata-A.test.dnssec-tools.org. 86400 IN A

When I enable DLV-validation with
dnssec-lookaside . trust-anchor dlv.isc.org.;
it works and I get no A-record in the answer.
But that shouldn't be needed if I have a key for that zone.

Am I wrong or is bind wrong?

Hanno Böck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno at hboeck.de

http://schokokeks.org - professional webhosting
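An added example, not part of the original post or of BIND: a small POSIX sh helper that reads the header of a `dig +dnssec` reply and reports whether the resolver validated the answer, returned it unvalidated (the situation described above: NOERROR without the "ad" flag), or rejected it as bogus (SERVFAIL). The three sample replies are constructed to mimic dig's header format; 192.0.2.1 and signed.example are documentation values.

```shell
#!/bin/sh
# Added example, not from the original post: classify the header of a
# `dig +dnssec` reply to tell whether the resolver really validated.
# A validating resolver answers a name with a bad signature with SERVFAIL;
# a NOERROR answer that lacks the "ad" (authenticated data) flag means the
# record was handed back without validation.
classify_dig_header() {
    reply="$1"
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo bogus ;;                      # signature check failed
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;          # answer passed validation
                *)        echo unvalidated ;;        # answered, but not validated
            esac ;;
        *) echo "unknown:$status" ;;                 # not a dig header at all
    esac
}

# Constructed sample replies (192.0.2.1 is a documentation address, not real data).
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
baddata-A.test.dnssec-tools.org. 86400 IN A 192.0.2.1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
signed.example. 600 IN A 192.0.2.1'

# Live check against a local resolver (needs network access), for example:
#   classify_dig_header "$(dig +dnssec baddata-A.test.dnssec-tools.org @localhost)"
for s in "$SAMPLE_UNVALIDATED" "$SAMPLE_BOGUS" "$SAMPLE_VALIDATED"; do
    classify_dig_header "$s"
done
```

Run dig without +cd when checking, since +cd asks the resolver to skip validation and return the data regardless.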