DNSSEC Validation not working
Luca vom Bruch
luca.es at gmail.com
Fri Jun 6 20:40:19 UTC 2025
Hello!
I run a server with Bind9.18 on Alma9.
It is the authoritative nameserver for two domains (with glue records registered at the registrar) and is also configured as a recursive resolver.
dnssec-validation is enabled, but answers to recursive queries do not appear to be validated.
Some DNSSEC-signed domains do come back with the "ad" flag, but the two locally hosted domains never do (which is expected for a server answering from its own authoritative zone data — it sets "aa", not "ad" — and they would need to be signed before any other validator could set "ad" on them).
example:
dig www.dnssec-failed.org +dnssec @localhost
; <<>> DiG 9.18.29 <<>> www.dnssec-failed.org +dnssec @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54441
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: ab33b7cb2be017660100000068434ae5a046bf6060941c68 (good)
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
;; ANSWER SECTION:
www.dnssec-failed.org. 6086 IN A 68.87.109.242
www.dnssec-failed.org. 6086 IN A 69.252.193.191
www.dnssec-failed.org. 6086 IN RRSIG A 5 3 7200 20250621145120
20250604144620 44973 dnssec-failed.org.
6aHzJob+AUdBOyR9aErfXgtSnfE/gdQhiz1wdoZJD0lLZwhOhcD2OjA0
ct6vQjUWkQtu6SGVhKvvNsWtI6KqFLdBUc3QbnlsO3/tDk3/Powl7gdV
CRqnj7Ridxjwyk5xYPurcZA/6dJK48uAFZsR5hlLCxcZN9vplBhlU6jz +9w=
Since www.dnssec-failed.org is a deliberately broken test zone, I believe a validating resolver should answer SERVFAIL here instead of NOERROR without the "ad" flag. (Note that the RRSIG above is algorithm 5, RSASHA1.)
This is my config; I have tried both "dnssec-validation auto;" and "dnssec-validation yes;" with the same result.
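options {
	// Plain DNS on 53 and DNS-over-TLS on 853, on every IPv4 and IPv6 address.
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	listen-on port 853 tls local-tls { any; };
	listen-on-v6 port 853 tls local-tls { any; };

	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// "rndc secroots" writes the currently trusted keys here; dump it to confirm
	// the root trust anchor is actually loaded when validation seems inactive.
	secroots-file "/var/named/data/named.secroots";
	recursing-file "/var/named/data/named.recursing";

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable
	   access control to limit queries to your legitimate users. Failing to do
	   so will cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly reduce
	   such attack surface.
	*/
	recursion yes;
	// This server listens on all addresses, so state explicitly who may use the
	// recursive service and read the cache. These ACLs are identical to BIND
	// 9.18's built-in default (localhost + directly attached networks), so the
	// effective behaviour is unchanged; widen them deliberately, never to "any".
	allow-recursion { localhost; localnets; };
	allow-query-cache { localhost; localnets; };

	// "auto" validates against the built-in root trust anchor (maintained via
	// RFC 5011 in managed-keys-directory); "yes" would need explicit anchors.
	dnssec-validation auto;
	managed-keys-directory "/var/named/dynamic";
	geoip-directory "/usr/share/GeoIP";
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	// NOTE(review): the system crypto policy may inject disable-algorithms /
	// disable-ds-digests statements through this include. On RHEL/Alma 9 the
	// DEFAULT policy is believed to disable the SHA-1 DNSSEC algorithms
	// (RSASHA1 = 5, NSEC3RSASHA1 = 7) — confirm by reading the file. A zone
	// signed only with a disabled algorithm is treated as INSECURE, not bogus,
	// so it answers NOERROR without "ad" instead of SERVFAIL. dnssec-failed.org's
	// RRSIG in the dig output above is algorithm 5, which would explain the
	// result seen; test validation with a zone signed by algorithm 8 or 13
	// before concluding that validation itself is off.
	include "/etc/crypto-policies/back-ends/bind.config";
};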
logging {
	// Debug channel: written to data/named.run relative to the options
	// "directory"; "dynamic" severity follows the level set with rndc trace.
	channel default_debug { file "data/named.run"; severity dynamic; };
};
// Root hints used to prime the recursive resolver.
zone "." IN { type hint; file "named.ca"; };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// Authoritative zone. Answers served from this data carry "aa", never "ad":
// a server does not validate its own authoritative data. Whether the zone
// file itself is signed is not visible here; without signing (or a
// dnssec-policy), no external validator can set "ad" for it either.
zone "vom-bruch.com" {
	type primary;
	file "/var/named/vom-bruch.com.hosts";
	// Zone transfers only for local tooling and directly attached networks.
	allow-transfer { 127.0.0.1; localnets; };
};
// Authoritative zone; same remarks as the previous zone apply (own answers
// carry "aa", not "ad"; signing status is not visible in this config).
zone "eloi.at" {
	type primary;
	file "/var/named/eloi.at.hosts";
	// Transfers allowed locally plus to one external secondary (v4 and v6).
	allow-transfer {
		127.0.0.1;
		localnets;
		213.255.218.23;
		2a00:98c7:1000:1300:6e4b:90ff:fe57:e7b1;
	};
};
// TLS context for the DNS-over-TLS listeners on port 853.
tls local-tls {
	// Let's Encrypt certificate and key; named must be able to read the key,
	// and the context must be reloaded after each renewal (not shown here).
	key-file "/etc/letsencrypt/live/vom-bruch.com/privkey.pem";
	cert-file "/etc/letsencrypt/live/vom-bruch.com/fullchain.pem";
	dhparam-file "/var/cache/bind/dhparam.pem";
	// TLS 1.2/1.3 only, AEAD suites only; the server's preference order wins.
	protocols { TLSv1.2; TLSv1.3; };
	prefer-server-ciphers yes;
	ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256";
	session-tickets no;
};
statistics-channels { inet 127.0.0.1 port 8053 ; };
Any ideas?
Thanks,
Luca