testing validation
Alan Batie
alan at peak.org
Wed Apr 18 17:51:26 UTC 2012
On 4/18/12 10:33 AM, Spain, Dr. Jeffry A. wrote:
> Your post is somewhat unclear to me. Querying from my bind 9.9.0 recursive resolver "dig @localhost raindrop.us +dnssec", I get an AD flag returned, suggesting that dnssec is working for raindrop.us. In your query "dig +dnssec +sigchase soa raindrop.us", is the resolver dnssec-enabled? I assume this would be one of the resolvers listed in your resolv.conf file. It appears that ns6.peak.org is not a recursive resolver. Does it have a zone file for raindrop.us?
That's somewhat reassuring in that at least the authoritative server
seems to be working, meaning it's my resolver that isn't.

Sorry about the clarity - I am working with two machines, each running
bind 9.9.0: ns6.peak.org is the test authoritative server which is
serving the test domain, raindrop.us. I'm using another machine as a
dnssec enabled resolver to do the testing from with this named.conf:
include "/var/named/rdrop.blocks";
include "/var/named/peak.blocks";

options {
    directory "/var/named";
    pid-file "/var/run/named/pid";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query {
        127.0.0.1;
        ::1;
        rdrop_blocks;
        peak_blocks;
    };
    allow-recursion {
        127.0.0.1;
        ::1;
        rdrop_blocks;
        peak_blocks;
    };
    allow-transfer { none; };
    dnssec-enable yes;
    dnssec-validation yes;
    masterfile-format text;
    query-source address 127.0.0.1 port *;
    version "named";
};

managed-keys {
    "." initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
};

zone "." {
    type hint;
    file "named.root";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/localhost-reverse.db";
};
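
An added example, not part of the original message: a small shell filter that reads dig output and classifies the response the way the thread reads it, where the AD flag means the resolver validated the answer. The function name classify_dig is hypothetical and the sample headers are constructed, not captured from the servers discussed here.

```shell
#!/bin/sh
# Added example. classify_dig is a hypothetical helper name.
# Reads dig output on stdin and prints one word:
#   validated    NOERROR with the AD flag set (resolver validated the answer)
#   unvalidated  NOERROR without AD (no validation, or zone not provably signed)
#   servfail     SERVFAIL; repeat the query with +cd to see whether
#                validation is what is failing
#   other:RCODE  any other status
classify_dig() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            line = $0
            sub(/^;; flags:/, "", line)   # drop the label
            sub(/;.*/, "", line)          # drop the section counts
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "")              print "no-header"
            else if (status == "SERVFAIL") print "servfail"
            else if (status != "NOERROR")  print "other:" status
            else if (ad)                   print "validated"
            else                           print "unvalidated"
        }'
}

# Constructed sample headers (not captured from the servers in this thread).
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3333
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_AD" "$SAMPLE_NOAD" "$SAMPLE_FAIL"; do
    printf '%s\n' "$s" | classify_dig
done

# Live use against the resolver from the named.conf in the message:
#   dig @127.0.0.1 raindrop.us soa +dnssec | classify_dig
```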