<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div>This is all I have in my zone on secondary:</div><div><br></div><div><p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures">zone "mylocal" {</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"> type secondary;</p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures"> file "/etc/bind/mylocal.saved";</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures"> primaries { </span> </p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures"> 192.168.40.142;</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures"> };</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures">};</span></p></div><div><span style="font-variant-ligatures: no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures: no-common-ligatures">My primary is a little more complicated:</span></div><div><span style="font-variant-ligatures: no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures: no-common-ligatures"><p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures">zone "mylocal" {</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures"> type primary;</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures"> file "/etc/bind/mylocal";</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"> notify yes;</p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures"> allow-update {</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures"> key kea_bind_DDNS_SEC;</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures"> };</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"> allow-transfer {</p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"> key "192.168.40.142-192.168.40.182-zone-transfer";</p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures"> };</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"> dnssec-policy default;</p>
<p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures: no-common-ligatures">};</span></p><div><span style="font-variant-ligatures: no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures: no-common-ligatures">I just removed the zone and .jnl files from the secondary and restarted. The actual zone, mylocal.saved, showed up immediately. About an hour later mylocal.saved.jnl appeared.</span></div></span></div><div><div><br><blockquote type="cite"><div>On Dec 16, 2022, at 10:59 AM, adrien sipasseuth &lt;sipasseuth.adrien@gmail.com&gt; wrote:</div><br class="Apple-interchange-newline"><div><div dir="ltr"><div>Hi,</div><div><br></div><div>I deleted my zone file &lt;zone&gt;.db on my slaves and I forced a transfer from the master.<br><br>Now it seems to work; I do have the RRSIG associated with my RRset A when I do a dig from my slave.<br><br>When I test my dig from my internal network I actually don't have the ad flag. But from the Google resolver (<a href="https://dns.google/">https://dns.google/</a>) I have the flag.<br><br>To summarize:<br>- on my master: declaration of my policy and I use it in my zone configuration<br>- on the slaves: configuration of my zone, standard without mentioning dnssec-policy<br><br>What I observe:<br>- on the master: files &lt;zone&gt;.db, &lt;zone&gt;.db.jbk, &lt;zone&gt;.db.signed, &lt;zone&gt;.db.signed.jnl and my keys<br>- on the slaves: files &lt;zone&gt;.db<br><br>I don't understand why there is no &lt;zone&gt;.db.signed file on my slave knowing that a dig from a slave does return RRSIG.<br></div><div><br></div><div>
<div><span class="gmail-im">zone
"**************" {<br> type slave;<br> masters {
**************
; };<br> file "/
**************/
**************
/
**************
.db";<br></span>}; <br></div><div><br></div><div>Should I specify the &lt;zone&gt;.db or the &lt;zone&gt;.db.signed? On the master and/or the slaves?<br><br></div></div><div>Regards,</div><div><br></div><div>Adrien<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Dec 15, 2022 at 19:10, Darren Ankney &lt;<a href="mailto:darren.ankney@gmail.com">darren.ankney@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div>I have a simple “mylocal” zone setup with a primary and secondary server.</div><div><br></div>My primary has this .jnl file:<div><br></div><div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures:no-common-ligatures">mylocal.jnl</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures:no-common-ligatures">My secondary has this similar .jnl file:</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures:no-common-ligatures">mylocal.saved.jnl</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures:no-common-ligatures">which I believe was distributed via zone transfer. Do you find no similar files on your secondary?</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><span style="font-variant-ligatures:no-common-ligatures">If you </span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><br></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">dig @&lt;some IP&gt; &lt;somehost&gt;.&lt;somedomain&gt;. A +dnssec +multiline</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><br></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">where &lt;some IP&gt; is the IP of your recursive server and &lt;somehost&gt;.&lt;somedomain&gt;. is something in the domain for which you are trying to verify that DNSSEC is working.</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><br></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">Does your flags line look something like this? 
</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><br></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">;; flags: qr rd ra ad;</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><br></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;">Per the manual:</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo;"><br></div><div style="margin: 0px; font-stretch: normal; line-height: normal;"><font face="Menlo"><span style="font-size:11px">The important detail in this output is the presence of the ad flag in the header. This signifies that BIND has retrieved all related DNSSEC information related to the target of the query (<a href="http://ftp.isc.org/" target="_blank">ftp.isc.org</a>) and that the answer received has passed the validation process described in How Are Answers Verified?. 
We can have confidence in the authenticity and integrity of the answer, that <a href="http://ftp.isc.org/" target="_blank">ftp.isc.org</a> really points to the IP address 149.20.1.49, and that it was</span></font><span style="font-size:11px;font-family:Menlo"> not a spoofed answer from a clever attacker.</span></div><div style="margin: 0px; font-stretch: normal; line-height: normal;"><font face="Menlo"><span style="font-size:11px"><br></span></font></div><div style="margin: 0px; font-stretch: normal; line-height: normal;"><font face="Menlo"><span style="font-size:11px"><br></span></font></div><a href="https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#using-dig-to-verify" target="_blank">https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#using-dig-to-verify</a><div style="display:block"><br></div><div style="display:block">My “flags” line does not show the “ad” flag as this is just a set of private servers on a local LAN. I can’t submit the DNSSEC details upstream as described here:</div><div style="display:block"><br></div><div style="display:block"><a href="https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#uploading-information-to-the-parent-zone" target="_blank">https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#uploading-information-to-the-parent-zone</a><br></div><div><div><br><blockquote type="cite"><div>On Dec 15, 2022, at 12:05 PM, adrien sipasseuth &lt;<a href="mailto:sipasseuth.adrien@gmail.com" target="_blank">sipasseuth.adrien@gmail.com</a>&gt; wrote:</div><br><div><div dir="ltr"><div>Hi,</div><div><br></div><div>OK, I got confused; no need for the keys on the slaves actually.<br><br>On the other hand, my slaves should generate the .signed, .signed.jnl and .jbk files of my zones, no? 
Currently it is not my case; should I copy them from the master?<br><br>Moreover, when I test a "dig A" I don't have the associated RRSIG when I do my "dig A" on a slave, while on the master I do.<br><br></div><div>Regards,</div><div>Adrien<br></div></div><br></div></blockquote></div><br></div></div></div>-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div></div>
</div></blockquote></div><br></div></body></html>