.onion and dnssec

Erich Eckner bind at eckner.net
Mon Nov 11 19:00:47 UTC 2019



Hi Tony,

On Mon, 11 Nov 2019, Tony Finch wrote:

> Erich Eckner <bind at eckner.net> wrote:
>>
>> However, I encounter the issue here:
>> https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html
>
> If you are running 9.14 (or newer) you can use the validate-except
> configuration option. In older versions you can use `rndc nta` but
> that is very inconvenient if you need a long-term exception.

I'm running 9.14.7 and tried both, but while it does not give any errors,
the lookup still fails (`rndc nta onion` is logged successfully, so it
seems to do the right thing). I also have a hard time generating some
useful debug output - setting `-d 9` does not give additional information
in the system log. And running named manually with -d 9 prints nothing to
stdout (though it seems it generates a log file then).

Digging a little through my configuration, I noticed that "." is actually
a slave zone:

zone "." in {
         type slave;
         file "/etc/opennic/slave/tld-root";
         notify no;
         masters {
                 45.56.115.189;                          # ns0.opennic.glue
                 45.56.116.224;                          # ns0.opennic.glue
                 2001:470:1f0e:8a0::2;                   # ns0.opennic.glue
                 2600:3c02::f03c:91ff:fe33:e1ba;         # ns0.opennic.glue
         };
};

Might this be an issue? (I notice that the lookup succeeds when I comment
out the root zone.)

Cheers,
Erich


