dnssec validation issue

Mark Andrews marka at isc.org
Fri Jun 19 01:10:28 UTC 2015


In message <1434674101.18744.119.camel at ns.five-ten-sg.com>, Carl Byington writes:
> I have multiple centos6 boxes running 9.10.2-P1, and almost everything
> looks good. However, one box seems to not be doing dnssec validation. It
> is possible that this behavior predates the latest updates and I just
> never noticed it.
> 
> A and B have essentially identical configuration, except that A is the
> master for some zones, and B is the slave pulling from A. Other than
> that, the /etc/named.conf is identical. A also has ipv6 connectivity,
> and B does not. The authoritative side works nicely on both. The
> recursive resolver is where the difference shows up.
> 
> On A:
> 
> dig www.dnssec-failed.org  @localhost
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19813
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
> ;; ANSWER SECTION:
> www.dnssec-failed.org.  7178    IN  A   68.87.109.242
> www.dnssec-failed.org.  7178    IN  A   69.252.193.191
> 
> 
> 
> On B:
> dig www.dnssec-failed.org  @localhost
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4969
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 

You don't have any trust anchors active.

To use the keys in "/etc/named.iscdlv.key" set "dnssec-validation auto;"

> /etc/named.conf:
> 
> options {
>     directory "/var/named";
>     allow-recursion { "friends"; };
>     dnssec-enable yes;
>     dnssec-validation yes;
>     bindkeys-file "/etc/named.iscdlv.key";
>     managed-keys-directory "/var/named/dynamic";
>     listen-on-v6 {any;};
>     ixfr-from-differences yes;
>     max-journal-size 2m;
>     notify yes;
>     response-policy { zone "rpz.five-ten-sg.com";}
>         qname-wait-recurse no;
>     filter-aaaa-on-v4 yes;
>     filter-aaaa { "brokenv6"; };
>     rate-limit {
>         responses-per-second 5;
>         errors-per-second    5;
>         nxdomains-per-second 40;
>         qps-scale            300;
>         exempt-clients { "friends"; };
>     };
> };
> 
> 
> A is neither master nor slave for dnssec-failed.org, and that domain is
> not mentioned in the rpz zone.
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
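The diagnosis above comes down to one configuration mismatch: `dnssec-validation yes;` only validates with trust anchors spelled out in `trusted-keys` or `managed-keys` blocks, while `bindkeys-file` is consulted only under `dnssec-validation auto;`. The following is an added example, not code from the thread or from ISC: a small Python lint that classifies a named.conf by whether its validator actually has anchors, run here over a constructed excerpt modelled on the quoted options block and over the corrected version.

```python
import re

# Constructed excerpt modelled on the options block quoted in the thread
# (not the poster's complete file): validation is "yes", a bindkeys-file is
# named, but no trusted-keys / managed-keys statement exists anywhere.
BROKEN_CONF = """
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;          // explicit anchors required in this mode
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
"""

# The one-word change suggested in the reply: "auto" activates the bindkeys-file keys.
FIXED_CONF = BROKEN_CONF.replace("dnssec-validation yes;", "dnssec-validation auto;")

def _strip_comments(text):
    """Drop /* */, // and # comments (simplification: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def check_trust_anchors(conf_text):
    """Return (status, reason) for a named.conf.

    status is one of:
      'ok'         - validation on and a source of trust anchors is configured
      'off'        - dnssec-validation no
      'unset'      - no dnssec-validation statement found
      'no-anchors' - dnssec-validation yes but no trusted-keys/managed-keys block,
                     so nothing is validated (bindkeys-file alone is only used by auto)
    """
    text = _strip_comments(conf_text)
    m = re.search(r"\bdnssec-validation\s+(yes|no|auto)\s*;", text)
    if not m:
        return "unset", "no dnssec-validation statement; check the server default"
    mode = m.group(1)
    if mode == "no":
        return "off", "dnssec-validation no: validation disabled"
    if mode == "auto":
        return "ok", "dnssec-validation auto: uses bindkeys-file or the built-in root key"
    # mode == "yes": anchors must be written into the configuration itself.
    # managed-keys-directory is only a path, not an anchor statement, so it does not count.
    if re.search(r"\b(trusted-keys|managed-keys)\s*\{", text):
        return "ok", "dnssec-validation yes with explicit trust anchors"
    return "no-anchors", ("dnssec-validation yes but no trusted-keys/managed-keys block: "
                         "no active trust anchors; set 'auto' or add the keys")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, *check_trust_anchors(conf))
```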

