Dig +topdown

Daniel McDonald dan.mcdonald at austinenergy.com
Fri Jul 1 16:09:48 UTC 2011

I set up a zone with dnssec, and wanted to verify that it was working
properly.  But I appear to have trouble with the root KSK.

$ dig +dnssec danmcdonald.us +topdown

;; No trusted key, +sigchase option is disabled

; <<>> DiG 9.7.3-P1 <<>> +dnssec danmcdonald.us +topdown

I appear to have the managed-keys-zone loading properly:

In named.conf, I have the managed-keys stanza with the initial key.  Named
loaded the managed-keys-zone file and loads the zone at startup:
01-Jul-2011 08:40:54.738 general: info: managed-keys-zone ./IN: loaded
serial 2

[named]$ cat managed-keys.bind
$TTL 0    ; 0 seconds
@            IN SOA    . . (
                2          ; serial

I have the dnssec flags enabled in the options{} stanza:
        dnssec-enable yes;
        dnssec-validation yes;

It appears that sigchase is enabled in named:
[named]$ /usr/sbin/named -V
BIND 9.7.3-P1 built with 'x86_64-mandriva-linux-gnu' '--program-prefix='
'--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
'--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib64'
'--sharedstatedir=/usr/com' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--x-includes=/usr/include'
'--x-libraries=/usr/lib64' '--localstatedir=/var'
'--disable-openssl-version-check' '--enable-threads' '--enable-largefile'
'--enable-ipv6' '--enable-filter-aaaa' '--enable-epoll'
'--with-openssl=/usr' '--with-gssapi=/usr' '--disable-isc-spnego'
'--with-randomdev=/dev/urandom' '--with-libxml2=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-bdb=no'
'--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-odbc=no'
'--with-dlz-stub=yes' 'build_alias=x86_64-mandriva-linux-gnu'
'target_alias=x86_64-mandriva-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wformat
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector
--param=ssp-buffer-size=4 -fstack-protector-all -DLDAP_DEPRECATED' 'LDFLAGS=
-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id
-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id
-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id
-Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id'

Any advice as to what I might be doing wrong?

Daniel J McDonald, CCIE # 2495, CISSP # 78281
