<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">I think Mark jumped on something else, your zone is seriously broken and not because of DNSSEC:<div><br></div><div><a href="https://dnssec-analyzer.verisignlabs.com/newideatest.site">https://dnssec-analyzer.verisignlabs.com/newideatest.site</a><br><br>All of these NSes must have the correct zone content and not be broken:</div><div><br></div><div><div>newideatest.site.       3600    IN      NS      jupiter.eglifamily.name.</div><div>newideatest.site.       3600    IN      NS      uz5qfm8n244kn4qz8mh437w9kzvpudduwyldp5361v9n0vh8sx5ucu.free.ns.buddyns.com.</div><div>newideatest.site.       3600    IN      NS      uz5154v9zl2nswf05td8yzgtd0jl6mvvjp98ut07ln0ydp2bqh1skn.free.ns.buddyns.com.</div><div>newideatest.site.       3600    IN      NS      uz52u1wtmumlrx5fwu6nmv22ntcddxcjjw41z8sfd6ur9n7797lrv9.free.ns.buddyns.com.</div><div>newideatest.site.       3600    IN      NS      uz5w6sb91zt99b73bznfkvtd0j1snxby06gg4hr0p8uum27n0hf6cd.free.ns.buddyns.com.</div><br><div dir="ltr"><div>--</div>Ondřej Surý — ISC (He/Him)<div><br></div><div>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div><div dir="ltr"><br><blockquote type="cite">On 16. 5. 2021, at 8:45, Dan Egli via bind-users &lt;bind-users@lists.isc.org&gt; wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>Upgrade to WHAT? 
You said it was fixed in 9.11.25, but isn't that a lot OLDER than 9.16.15, which is what I'm running?</span><br><span>jupiter ~ # named -v</span><br><span>BIND 9.16.15 (Stable Release) &lt;id:4469e3e&gt;</span><br><span>jupiter ~ # dig -v</span><br><span>DiG 9.16.15</span><br><span></span><br><span></span><br><span>On 5/16/2021 12:06 AM, Mark Andrews wrote:</span><br><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>On 16 May 2021, at 10:17, Dan Egli via bind-users &lt;bind-users@lists.isc.org&gt; wrote:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>On 5/10/2021 12:38 PM, Tony Finch wrote:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Dan Egli &lt;dan@newideatest.site&gt;</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>  wrote:</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Still not working for me. The dig doesn't report anything, and I don't HAVE a</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>keyfile since I'm using inline signing. 
Or does inline signing still require a</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>key to be generated?</span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Yes, you need to do your own key management with inline-signing using</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>dnssec-keygen. The new dnssec-policy feature can do automatic key</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>management for you.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Tony.</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>So, I updated the settings. Now I have keyfiles generated by bind, as well as a binary .zone.signed in addition to the plain text .zone which has no DNSSEC information at all in it. I ran the signing routine and bind said it was signed good. So I obtained the DS and put in the registrar. Now I am getting SERVFAIL errors whenever I try to query my zone from another name server. 
Here's what I did:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>#dig newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>newideatest.site. IN DS 49236 13 2 &lt;LONG HASH&gt;</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Ok. Copy the long hash to the Registrar, plug it in. Check, done that.</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>  # dig mx newideatest.site @8.8.4.4</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>; &lt;&lt;&gt;&gt; DiG 9.16.15 &lt;&lt;&gt;&gt; mx newideatest.site @8.8.4.4</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;; global options: +cmd</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;; Got answer:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: SERVFAIL, id: 631</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;; OPT PSEUDOSECTION:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>; EDNS: version: 0, flags:; udp: 
512</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;; QUESTION SECTION:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;newideatest.site.              IN      MX</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;; Query time: 50 msec</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;; SERVER: 8.8.4.4#53(8.8.4.4)</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;; WHEN: Sat May 15 18:12:44 MDT 2021</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>;; MSG SIZE  rcvd: 45</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>ServFail?! WHAT?</span><br></blockquote></blockquote><blockquote type="cite"><span>This is a known bug fixed in BIND 9.11.25.  Upgrade.  Once the DS is added to .site for</span><br></blockquote><blockquote type="cite"><span>newideatest.site the resolution will work.</span><br></blockquote><blockquote type="cite"><span>   </span><br></blockquote><span></span><br><span>-- </span><br><span>Dan Egli</span><br><span>From my Test Server</span><br></div></blockquote></div></body></html>