DNSSEC auto-dnssec issue bind-9.7.2-P3

Kalman Feher kalman.feher at melbourneit.com.au
Fri Jan 21 10:23:50 UTC 2011


The only way I can replicate the behaviour is with dnssec-enable no or with
an unsigned version of the zone in another view. Assuming you've not
overlapped your views in such a way (it was a very contrived test), I think
you'll need to provide a bit more information on your configuration.

- options
- relevant view statement
- The zone statement (from the hashed file if you are using the new dynamic
  zones feature).
- The zone itself
- Query logs.

Without the full dig output it is hard to see what is actually happening.
I'd suggest including that as well.

If you dig axfr or dig rrsig, are the signatures present?



On 21/01/11 9:13 AM, "Zbigniew Jasiński" <szopen at nask.pl> wrote:

> On 2011-01-19 18:38, Hauke Lampe wrote:
> 
>> Another thing you might check:
>> 
>> With "dnssec-enable no;" in named.conf, BIND still does its automatic
>> DNSSEC signing but won't add RRSIG to responses.
>> 
>> I ran across such a configuration lately. Your problem sounds similar.
>> 
>> 
>> Hauke.
> 
> That was the first thing which I've checked:
> 
> dnssec-enable yes;
> 
> and it's of course enabled.
> 
> I see in journal file:
> 
> ./sbin/named-journalprint var/zone/example.jnl
> 
> add example.                 3600    IN      RRSIG   DNSKEY 10 1 3600
> 20110218225336 20110119215336 57635 example.
> Xo9o137Q4BmELA0wumTLujJkHq0b/tDbYvuFCfZDfcbp8cuutDJUxCPy
> <CUT>
> add example.                 3600    IN      RRSIG   DNSKEY 10 1 3600
> 20110218225336 20110119215336 57636 example.
> SfFa5xjRtb/VBm3Zv1j31VRlqJORM0laX1PuZ+Asi6IFutH4q5TeknYN
> <CUT>
> add example.                 3600    IN      RRSIG   SOA 10 1 3600
> 20110218225336 20110119215336 57635 example.
> wYZ/nZbnN6HGrWTDLkfbyW4dQGMVs1ZVY+r8zc9t92ykxu7ipycxnITW
> <CUT>
> 
> Also, RRSIGs for the SOA record and for the DNSKEY records are present in the
> plain zone file, but named still isn't responding with correct signatures.
> 
> --
> regards
> 
> zbigniew jasinski
> [SYStem OPerator]

-- 
Kal Feher 
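
Added example (not part of the original message): a shell helper for the "dig axfr ... are the signatures present?" check, reporting which RRsets in a zone transfer have no covering RRSIG. The sample transfer, the server address 192.0.2.53 and the function names are constructed for illustration.

```shell
#!/bin/sh
# List RRsets in `dig axfr` output that have no covering RRSIG.
# Usage against a live server (address is a placeholder):
#   dig @192.0.2.53 example. axfr | unsigned_rrsets
# Delegation NS sets and glue below a zone cut are legitimately unsigned,
# so read the output with the zone's delegations in mind.
unsigned_rrsets() {
    awk '
        NF == 0 || $1 ~ /^;/ { next }       # skip blank lines and dig comments
        $3 != "IN"           { next }       # expect: owner ttl IN type rdata
        {
            owner = tolower($1); type = toupper($4)
            if (type == "RRSIG") {
                # field 5 of an RRSIG is the type it covers
                covered[owner " " toupper($5)] = 1
            } else {
                key = owner " " type
                if (!(key in seen)) { seen[key] = 1; order[++n] = key }
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in covered)) print order[i]
        }'
}

# Constructed sample standing in for a transfer of a partly signed zone
# (signature and key data shortened to a dummy value).
sample_axfr() {
    cat <<'EOF'
; <<>> DiG <<>> @192.0.2.53 example. axfr
example.      3600 IN SOA    ns1.example. admin.example. 2011011901 3600 900 604800 3600
example.      3600 IN RRSIG  SOA 10 1 3600 20110218225336 20110119215336 57635 example. c2FtcGxl
example.      3600 IN DNSKEY 257 3 10 c2FtcGxl
example.      3600 IN RRSIG  DNSKEY 10 1 3600 20110218225336 20110119215336 57635 example. c2FtcGxl
example.      3600 IN NS     ns1.example.
ns1.example.  3600 IN A      192.0.2.53
example.      3600 IN SOA    ns1.example. admin.example. 2011011901 3600 900 604800 3600
EOF
}

# Prints the RRsets that carry no signature in the sample.
sample_axfr | unsigned_rrsets
```

If the transfer shows signatures for every RRset but a `+dnssec` query still returns none, the data is signed and the cause is in how the answer is served, which is where the `dnssec-enable` and view checks above come in.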



