DNSSEC validation works with DLV, but not with just trusted-key
Hanno Böck
hanno at hboeck.de
Wed Nov 25 15:19:46 UTC 2009
Hi,
Maybe I'm getting something wrong here, but as far as I understand, when I
enable dnssec and dnssec-validation and have a zone with a trusted-key, bind
should not answer to requests for bad dnssec signatures.
This is my config:
trusted-keys {
org. 257 3 7
"AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDodnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1s
R3VvP/SR36mmGssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3AbSzBKC0v7uZrM6M2eoJn
l6id66rEUmQC2p9DrrDg9F6tXC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2mx7kEgU8e
6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rjCG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifr
H8KjDqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU=";
};
options {
directory "/var/bind";
listen-on-v6 { none; };
listen-on { 127.0.0.1; };
pid-file "/var/run/named/named.pid";
dnssec-enable yes;
dnssec-validation yes;
};
Now, a
dig baddata-A.test.dnssec-tools.org @localhost
gives me an answer:
;; ANSWER SECTION:
baddata-A.test.dnssec-tools.org. 86400 IN A 75.119.216.30
When I enable DLV-validation with
dnssec-lookaside . trust-anchor dlv.isc.org.;
it works and I get no A-record in the answer.
But that shouldn't be needed if I have a key for that zone.
Am I wrong or is bind wrong?
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: hanno at hboeck.de
http://schokokeks.org - professional webhosting
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20091125/d4530bad/attachment.bin>
More information about the bind-users
mailing list