DNSSEC Validation not working
Mark Andrews
marka at isc.org
Fri Jun 6 21:32:50 UTC 2025
--
Mark Andrews
> On 7 Jun 2025, at 06:56, Darren Ankney <darren.ankney at gmail.com> wrote:
>
> Hi Luca,
>
> This is correct: dnssec-validation auto; If you use "yes" there, then
> you must supply a trust anchor. Auto is the default.
>
> The only idea I have is this:
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> You don't need this anymore. BIND 9.18 will automatically find the
> root zones starting with built-in root zone data. I think it is
> possible to break dnssec starting at the root with incorrect or old
> data in the hint file. It cannot hurt anything to remove that.
>
> Thank you,
> Darren Ankney
>
>> On Fri, Jun 6, 2025 at 4:40 PM Luca vom Bruch <luca.es at gmail.com> wrote:
>>
>> Hello!
>>
>> I run a server with Bind9.18 on Alma9.
>>
>> It acts as the nameserver for two domains. (with glue records from the registrar).
>>
>> DNSSEC is enabled but somehow outbound queries are not validated? Domains with dnssec do have the "ad" flag though. The local domains somehow don't have the ad flag.
>>
>> example:
>>
>> dig www.dnssec-failed.org +dnssec @localhost
>>
>> ; <<>> DiG 9.18.29 <<>> www.dnssec-failed.org +dnssec @localhost
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54441
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1232
>> ; COOKIE: ab33b7cb2be017660100000068434ae5a046bf6060941c68 (good)
>> ;; QUESTION SECTION:
>> ;www.dnssec-failed.org. IN A
>>
>> ;; ANSWER SECTION:
>> www.dnssec-failed.org. 6086 IN A 68.87.109.242
>> www.dnssec-failed.org. 6086 IN A 69.252.193.191
>> www.dnssec-failed.org. 6086 IN RRSIG A 5 3 7200 20250621145120 20250604144620 44973 dnssec-failed.org. 6aHzJob+AUdBOyR9aErfXgtSnfE/gdQhiz1wdoZJD0lLZwhOhcD2OjA0 ct6vQjUWkQtu6SGVhKvvNsWtI6KqFLdBUc3QbnlsO3/tDk3/Powl7gdV CRqnj7Ridxjwyk5xYPurcZA/6dJK48uAFZsR5hlLCxcZN9vplBhlU6jz +9w=
>>
>> I believe the answer should be SERVFAIL?
>>
>> This is my config, I have tried with "auto" and "yes".
>>
>> options {
>>     listen-on port 53 {
>>         any;
>>     };
>>     listen-on-v6 port 53 {
>>         any;
>>     };
>>     listen-on port 853 tls local-tls {
>>         any;
>>     };
>>     listen-on-v6 port 853 tls local-tls {
>>         any;
>>     };
>>     directory "/var/named";
>>     dump-file "/var/named/data/cache_dump.db";
>>     statistics-file "/var/named/data/named_stats.txt";
>>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>>     secroots-file "/var/named/data/named.secroots";
>>     recursing-file "/var/named/data/named.recursing";
>>
>>     /*
>>      - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
>>      - If you are building a RECURSIVE (caching) DNS server, you need to enable
>>        recursion.
>>      - If your recursive DNS server has a public IP address, you MUST enable access
>>        control to limit queries to your legitimate users. Failing to do so will
>>        cause your server to become part of large scale DNS amplification
>>        attacks. Implementing BCP38 within your network would greatly
>>        reduce such attack surface
>>     */
>>     recursion yes;
>>
>>     dnssec-validation auto;
>>
>>     managed-keys-directory "/var/named/dynamic";
>>     geoip-directory "/usr/share/GeoIP";
>>
>>     pid-file "/run/named/named.pid";
>>     session-keyfile "/run/named/session.key";
>>
>>     /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
>>     include "/etc/crypto-policies/back-ends/bind.config";
>> };
>>
>> logging {
>>     channel default_debug {
>>         file "data/named.run";
>>         severity dynamic;
>>     };
>> };
>>
>> zone "." IN {
>>     type hint;
>>     file "named.ca";
>> };
>>
>> include "/etc/named.rfc1912.zones";
>> include "/etc/named.root.key";
>>
>> zone "vom-bruch.com" {
>>     type master;
>>     file "/var/named/vom-bruch.com.hosts";
>>     allow-transfer {
>>         127.0.0.1;
>>         localnets;
>>     };
>> };
>> zone "eloi.at" {
>>     type master;
>>     file "/var/named/eloi.at.hosts";
>>     allow-transfer {
>>         127.0.0.1;
>>         localnets;
>>         213.255.218.23;
>>         2a00:98c7:1000:1300:6e4b:90ff:fe57:e7b1;
>>     };
>> };
>> tls local-tls {
>>     cert-file "/etc/letsencrypt/live/vom-bruch.com/fullchain.pem";
>>     key-file "/etc/letsencrypt/live/vom-bruch.com/privkey.pem";
>>     dhparam-file "/var/cache/bind/dhparam.pem";
>>     protocols { TLSv1.2; TLSv1.3; };
>>     ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256";
>>     prefer-server-ciphers yes;
>>     session-tickets no;
>> };
>>
>> statistics-channels { inet 127.0.0.1 port 8053 ; };
>>
>> Any ideas?
>>
>> Thanks,
>> Luca
>>
>>
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
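The thread boils down to two checks: does the resolver actually validate (a query for the deliberately broken dnssec-failed.org must come back SERVFAIL, a correctly signed name must come back with the ad flag), and does named.conf ask it to (dnssec-validation auto uses BIND's built-in root trust anchor, yes needs an explicit one, and the "." hint zone is no longer needed on 9.18). The script below is an added example written for this page, not code from the thread or from ISC. It applies both checks offline: the dnssec-failed.org dig output is trimmed from Luca's post, while the SERVFAIL, +cd and ad outputs and the trimmed named.conf are constructed for the example.

```python
import re

# Trimmed from the original post: NOERROR, flags "qr rd ra", no "ad".
POSTED_FAILED_ORG = """\
; <<>> DiG 9.18.29 <<>> www.dnssec-failed.org +dnssec @localhost
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54441
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed: what a validating resolver returns for the broken zone.
CONSTRUCTED_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed: the same query sent with +cd (checking disabled), which
# asks the resolver to skip validation, so it proves nothing either way.
CONSTRUCTED_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed: a validated answer for a correctly signed zone.
CONSTRUCTED_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_dig(text):
    """Return (rcode, set of header flags) from dig's header lines."""
    status = re.search(r"status: ([A-Z]+)", text).group(1)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M).group(1)
    return status, set(flags.split())


def check_bogus_zone(text):
    """Verdict for a query to a deliberately broken zone (dnssec-failed.org)."""
    status, flags = parse_dig(text)
    if "cd" in flags:
        return "inconclusive: query carried cd, validation was bypassed"
    if status == "SERVFAIL":
        return "validating"
    if status == "NOERROR":
        return "not validating: bogus zone answered with NOERROR"
    return "unexpected status " + status


def check_signed_zone(text):
    """Verdict for a query to a correctly signed zone."""
    status, flags = parse_dig(text)
    if status != "NOERROR":
        return "resolution failed: " + status
    return "validating" if "ad" in flags else "not validating: no ad flag"


# Trimmed copy of the named.conf from the original post.
POSTED_NAMED_CONF = """\
options {
    recursion yes;
    dnssec-validation auto;
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
"""


def lint_named_conf(conf):
    """Report how named.conf configures validation. Only the given text is
    inspected; included files are listed so the reader can check them."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)       # block comments
    conf = re.sub(r"^\s*(//|#).*$", "", conf, flags=re.M)   # line comments
    m = re.search(r"dnssec-validation\s+(auto|yes|no)\s*;", conf)
    mode = m.group(1) if m else "auto"   # auto is the default in 9.18
    inline_anchor = bool(re.search(
        r"\b(trust-anchors|managed-keys|trusted-keys)\s*\{", conf))
    includes = re.findall(r'include\s+"([^"]+)"', conf)
    findings = []
    if mode == "no":
        findings.append("dnssec-validation no: validation is disabled")
    elif mode == "yes" and not inline_anchor:
        findings.append("dnssec-validation yes needs a trust anchor; none "
                        "defined inline, check the included files")
    if re.search(r'zone\s+"\."\s+(IN\s+)?\{[^}]*type\s+hint', conf):
        findings.append('root hint zone "." present: BIND 9.18 has built-in '
                        "root hints, a stale named.ca can break resolution "
                        "from the root")
    return {"mode": mode, "inline_trust_anchor": inline_anchor,
            "includes": includes, "findings": findings}


if __name__ == "__main__":
    print("dnssec-failed.org (posted):", check_bogus_zone(POSTED_FAILED_ORG))
    print("dnssec-failed.org (servfail):", check_bogus_zone(CONSTRUCTED_SERVFAIL))
    print("signed zone (ad):", check_signed_zone(CONSTRUCTED_AD))
    for key, value in lint_named_conf(POSTED_NAMED_CONF).items():
        print(key + ":", value)
```

Run the real checks with `dig www.dnssec-failed.org +dnssec @localhost` and `dig <signed name> +dnssec @localhost` and feed the output to the two check functions; `dig +cd` is the classic way to accidentally "prove" a resolver works when it does not, which is why the script refuses to judge an answer carrying the cd flag. On the second observation in the post, BIND sets ad only on data it validated itself, not on answers served from its own authoritative zone files, so the two local domains showing no ad flag is expected and is not the same problem as dnssec-failed.org returning NOERROR.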