Issue with DNSSEC (BIND 9.10.3-P4-Raspbian <id:ebd72b3>)

Tony Finch dot at
Mon Oct 2 16:14:09 UTC 2017

Dirk Gottschalk via bind-users <bind-users at> wrote:
> The bind.keys file is available and I set dnssec-validation and
> dnssec-lookaside to auto.

That should work - however you should omit dnssec-lookaside since it does
not do anything any more. I also prefer not to have a bind.keys file and
instead I rely on the compiled-in keys, because that's one less thing to
keep up-to-date.

> But every time I try to resolve a name ( for example) I get a
> SERVFAIL with dig. Turning the above options off and using dig with the
> +dnssec option I can see RRSIGs for the domain and for the root server.

That's a bit puzzling.

> 30-Sep-2017 01:26:50.534 dnssec: validating ./NS: attempting insecurity proof
> 30-Sep-2017 01:26:50.534 dnssec: validating ./NS: insecurity proof failed
> 30-Sep-2017 01:26:50.534 dnssec: validating ./NS: got insecure response; parent indicates it should be secure

I think these log lines suggest that something is stripping DNSSEC records
somewhere, and there are similarly suspicious lines later in the log.

To get more information, try running:

$ delv +vtrace

which will give you slightly more debugging options than fiddling with
`named`. You can get a trace of response messages using +mtrace, or you
can point `delv` at a different server using @ etc.
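As an added example (not part of this thread, and not BIND's or `delv`'s own code), here is a small Python script that reads lines shaped like the `dnssec` log category quoted above, reports the final validation outcome per name/type, and flags the "got insecure response; parent indicates it should be secure" case that the reply points at as a sign of DNSSEC records being stripped on the path. The sample log is constructed: only the three `./NS` lines are taken from the thread; the other lines, and the "no valid signature found" and "marking as secure" message texts, are assumptions made for illustration rather than quotes of `named` output.

```python
import re
import sys
from collections import OrderedDict

# Constructed sample input. Only the three "./NS" lines are taken from the log
# excerpt in the thread; the remaining lines are made up here to show the other
# outcomes, and the "no valid signature found" / "marking as secure" message
# texts are assumptions about what named logs, not quoted from the thread.
SAMPLE_LOG = """\
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: attempting insecurity proof
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: insecurity proof failed
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: got insecure response; parent indicates it should be secure
30-Sep-2017 01:26:51.101 dnssec: validating example.com/A: starting
30-Sep-2017 01:26:51.102 dnssec: validating example.com/A: attempting positive response validation
30-Sep-2017 01:26:51.150 dnssec: validating example.com/A: no valid signature found
30-Sep-2017 01:26:52.003 dnssec: validating example.org/A: starting
30-Sep-2017 01:26:52.020 dnssec: validating example.org/A: marking as secure
30-Sep-2017 01:26:52.021 general: some unrelated line
"""

# Shape of a "dnssec" category line as quoted in the thread:
#   <date> <time> dnssec: validating <name>/<rtype>: <message>
# Lines that carry a syslog prefix need this pattern loosened.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: validating (?P<name>\S+)/(?P<rtype>\S+): (?P<msg>.*)$"
)

# Terminal messages and the outcome each one means. The first text is the one
# from the thread; the other two are assumed for illustration.
OUTCOMES = (
    ("got insecure response; parent indicates it should be secure", "stripped"),
    ("no valid signature found", "bogus"),
    ("marking as secure", "secure"),
)


def parse_line(line):
    """Return (timestamp, 'name/rtype', message), or None for non-validator lines."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("name") + "/" + m.group("rtype"), m.group("msg")


def classify(msg):
    """Map a validator message to an outcome, or None for an intermediate step."""
    for prefix, outcome in OUTCOMES:
        if msg.startswith(prefix):
            return outcome
    return None


def summarize(log_text):
    """Final validation outcome per name/rtype, in first-seen order.

    Intermediate messages ("attempting insecurity proof", "starting", ...)
    leave the entry as "in-progress" until a terminal message arrives.
    """
    results = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, key, msg = parsed
        results.setdefault(key, "in-progress")
        outcome = classify(msg)
        if outcome is not None:
            results[key] = outcome
    return results


def stripping_suspects(log_text):
    """Names whose validation ended in the "parent indicates it should be secure" state.

    A trust anchor or a DS record in the parent says the zone is signed, yet the
    answer carried no signatures the validator could use, so the insecurity proof
    fails. That combination is what a resolver sees when an upstream forwarder,
    firewall or other middlebox drops RRSIG/DNSKEY records in transit.
    """
    return [key for key, outcome in summarize(log_text).items() if outcome == "stripped"]


if __name__ == "__main__":
    # Read a real log from stdin when one is piped in; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, outcome in summarize(text).items():
        print(f"{key:20} {outcome}")
    suspects = stripping_suspects(text)
    if suspects:
        print("possible DNSSEC stripping on the path for:", ", ".join(suspects))
```

Run it with no input to see the constructed sample, or pipe a `named` log with the `dnssec` category enabled into it. A name ending up as "stripped" is the case to chase with `delv +vtrace` and `+mtrace` against the upstream server directly (`@server`), since the answer itself, not the key configuration, is what is missing the signatures.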

