<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">The zone is signed using DNSKEY algorithm 5 (RSASHA1), see the RRSIG, which is most probably disabled at the OS level and is also in the process of being deprecated by the IETF as too insecure. The zone is treated as insecure as it is not signed by an algorithm that is deemed to be secure. <br id="lineBreakAtBeginningOfSignature"><div dir="ltr">-- <div>Mark Andrews</div></div><div dir="ltr"><br><blockquote type="cite">On 7 Jun 2025, at 06:40, Luca vom Bruch <luca.es@gmail.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">Hello! <div><br></div><div>I run a server with Bind9.18 on Alma9. </div><div><br></div><div>It acts as the nameserver for two domains. (with glue records from the registrar).</div><div><br></div><div>DNSSEC is enabled but somehow outbound queries are not validated? Domains with dnssec do have the "ad" flag though. The local domains somehow don't have the ad flag. </div><div><br></div><div>example: </div><div><br></div><div>dig <a href="http://www.dnssec-failed.org">www.dnssec-failed.org</a> +dnssec @localhost<br><br>; <<>> DiG 9.18.29 <<>> <a href="http://www.dnssec-failed.org">www.dnssec-failed.org</a> +dnssec @localhost<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54441<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 1232<br>; COOKIE: ab33b7cb2be017660100000068434ae5a046bf6060941c68 (good)<br>;; QUESTION SECTION:<br>;<a href="http://www.dnssec-failed.org">www.dnssec-failed.org</a>. IN A<br><br>;; ANSWER SECTION:<br><a href="http://www.dnssec-failed.org">www.dnssec-failed.org</a>. 6086 IN A 68.87.109.242<br><a href="http://www.dnssec-failed.org">www.dnssec-failed.org</a>. 
6086 IN A 69.252.193.191<br><a href="http://www.dnssec-failed.org">www.dnssec-failed.org</a>. 6086 IN RRSIG A 5 3 7200 20250621145120 20250604144620 44973 <a href="http://dnssec-failed.org">dnssec-failed.org</a>. 6aHzJob+AUdBOyR9aErfXgtSnfE/gdQhiz1wdoZJD0lLZwhOhcD2OjA0 ct6vQjUWkQtu6SGVhKvvNsWtI6KqFLdBUc3QbnlsO3/tDk3/Powl7gdV CRqnj7Ridxjwyk5xYPurcZA/6dJK48uAFZsR5hlLCxcZN9vplBhlU6jz +9w=</div><div><br></div><div>I believe the answer should be SERVFAIL? </div><div><br></div><div>This is my config, I have tried with "auto" and "yes". </div><div><br></div><div>options {<br> listen-on port 53 {<br> any;<br> };<br> listen-on-v6 port 53 {<br> any;<br> };<br> listen-on port 853 tls local-tls {<br> any;<br> };<br> listen-on-v6 port 853 tls local-tls {<br> any;<br> };<br> directory "/var/named";<br> dump-file "/var/named/data/cache_dump.db";<br> statistics-file "/var/named/data/named_stats.txt";<br> memstatistics-file "/var/named/data/named_mem_stats.txt";<br> secroots-file "/var/named/data/named.secroots";<br> recursing-file "/var/named/data/named.recursing";<br><br> /* <br> - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.<br> - If you are building a RECURSIVE (caching) DNS server, you need to enable <br> recursion. <br> - If your recursive DNS server has a public IP address, you MUST enable access <br> control to limit queries to your legitimate users. Failing to do so will<br> cause your server to become part of large scale DNS amplification <br> attacks. 
Implementing BCP38 within your network would greatly<br> reduce such attack surface <br> */<br> recursion yes;<br><br> dnssec-validation auto;<br><br> managed-keys-directory "/var/named/dynamic";<br> geoip-directory "/usr/share/GeoIP";<br><br> pid-file "/run/named/named.pid";<br> session-keyfile "/run/named/session.key";<br><br> /* <a href="https://fedoraproject.org/wiki/Changes/CryptoPolicy">https://fedoraproject.org/wiki/Changes/CryptoPolicy</a> */<br> include "/etc/crypto-policies/back-ends/bind.config";<br>};<br><br>logging {<br> channel default_debug {<br> file "data/named.run";<br> severity dynamic;<br> };<br>};<br><br>zone "." IN {<br> type hint;<br> file "<a href="http://named.ca">named.ca</a>";<br>};<br><br>include "/etc/named.rfc1912.zones";<br>include "/etc/named.root.key";<br><br>zone "<a href="http://vom-bruch.com">vom-bruch.com</a>" {<br> type master;<br> file "/var/named/vom-bruch.com.hosts";<br> allow-transfer {<br> 127.0.0.1;<br> localnets;<br> };<br> };<br>zone "<a href="http://eloi.at">eloi.at</a>" {<br> type master;<br> file "/var/named/eloi.at.hosts";<br> allow-transfer {<br> 127.0.0.1;<br> localnets;<br> 213.255.218.23;<br> 2a00:98c7:1000:1300:6e4b:90ff:fe57:e7b1;<br> };<br> };<br>tls local-tls {<br> cert-file "/etc/letsencrypt/live/<a href="http://vom-bruch.com/fullchain.pem">vom-bruch.com/fullchain.pem</a>";<br> key-file "/etc/letsencrypt/live/<a href="http://vom-bruch.com/privkey.pem">vom-bruch.com/privkey.pem</a>";<br> dhparam-file "/var/cache/bind/dhparam.pem";<br> protocols { TLSv1.2; TLSv1.3; };<br> ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256";<br> prefer-server-ciphers yes;<br> session-tickets no;<br>};<br><br>statistics-channels { inet 127.0.0.1 port 8053 ; };<br></div><div><br></div><div>Any ideas?</div><div><br></div><div>Thanks,</div><div>Luca</div><div><br></div><div><br></div></div>
<span>-- </span><br><span>bind-users mailing list</span><br><span>bind-users@lists.isc.org</span><br><span>https://lists.isc.org/mailman/listinfo/bind-users</span><br></div></blockquote></body></html>