DNSSEC validation on 9.7.4 not working

Frank Bulk frnkblk at iname.com
Wed Jun 24 02:20:55 UTC 2015


I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC
validation.  

I'm using the excellent guides at
http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-for-recursive-servers and
https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2012/rapport_Deploying_DNSSEC_v20.pdf
and http://dnssec.vs.uni-due.de/ which provide 9.7.x configuration
instructions and so I'm feeling a bit slow that I can't make this work.

I have a copy of bind.keys from
https://www.isc.org/downloads/bind/bind-keys/ in /etc/bind/

This statement in /etc/bind/bind.conf:

managed-keys {
      "." initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};

and the following in /etc/bind/bind.conf.options:

options {
       <snip>
       dnssec-enable yes;
       dnssec-validation yes;
       <snip>
};

But when I issue "rndc reconfig" I immediately get repeated log lines about
the following and then similar statements for each domain:

23-Jun-2015 20:43:47.402 dnssec: info:   validating @0x7fcec948ce40: com DS: no valid signature found
23-Jun-2015 20:43:47.402 dnssec: info:   validating @0x7fcec8c41bf0: com DS: no valid signature found
23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
<snip>
23-Jun-2015 20:43:48.750 dnssec: info: validating @0x7fced04fd9e0: . NS: no valid signature found
23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0: a1784.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net AAAA: bad cache hit (net/DS)

Of course, once the TLDs aren't considered valid everything goes south.  

What am I doing wrong?

Regards,

Frank Bulk
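One check worth running before digging into the resolver itself is whether the pasted trust anchor is really the root KSK. The script below is an added example, not part of the original post or of BIND: it recomputes the DNSKEY key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) of the managed-keys entry quoted above and compares them with the values IANA publishes for root key tag 19036, so a mangled or stale anchor can be ruled out offline.

```python
"""Offline check of a BIND managed-keys trust anchor: recompute the DNSKEY key tag
(RFC 4034 App. B) and SHA-256 DS digest (RFC 4509) and compare with IANA's values."""
import base64
import hashlib
import re
import struct

# Trust anchor exactly as written in the post's managed-keys statement.
ROOT_KSK_2010 = (257, 3, 8,
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=")

# SHA-256 DS digest (digest type 2) that IANA publishes for root key tag 19036.
IANA_ROOT_DS = {19036: "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"}

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire-format DNSKEY RDATA; whitespace inside the quoted key blob is dropped."""
    key = base64.b64decode(re.sub(r"\s+", "", public_key_b64))
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit word sum with the carry folded back in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner_wire, rdata):
    """RFC 4509 DS digest: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def check_root_anchor(flags, protocol, algorithm, public_key_b64):
    """Return (key_tag, ds_digest, matches_iana) for a candidate root trust anchor."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    tag = key_tag(rdata)
    digest = ds_sha256(b"\x00", rdata)  # the root owner name "." is a single zero byte
    return tag, digest, IANA_ROOT_DS.get(tag) == digest

if __name__ == "__main__":
    tag, digest, ok = check_root_anchor(*ROOT_KSK_2010)
    print(f"key tag {tag}, DS {digest}, matches IANA: {ok}")
```

If the anchor matches, the "no valid signature found" lines point elsewhere (clock skew, a middlebox stripping RRSIG/DS records, or the statement not being loaded by the running named).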
