>> Could you try this lookup?
>> dig +dnssec removed.dnssec.dest-unreach.be
>
> I see now what you mean.
>
> Even though I have added your DNSKEY as trusted key, I get SERVFAIL on
> the first query and NXDOMAIN on the second, without BIND doing any
> additional outgoing queries.

This is the same behavior I'm observing.
> One of your name servers returns unsigned NXDOMAIN responses with a
> higher serial number than the master server:

I didn't configure the zone by the book; I corrected that now, but the results remain the same.

> serv02.imset.org returns a signed NXDOMAIN response with serial 2009081781.
>
> That corresponds to BIND's error message:
>
> | error (insecurity proof failed) resolving
> 'removed.dnssec.dest-unreach.be/A/IN': 213.251.188.140#53

The response is indeed signed, but the signature should *fail* validation, since there is no covering NSEC3 for the looked-up record.

Do I understand the error correctly like this: BIND failed to prove the domain to be insecure, hence the NXDOMAIN response should have a correct signature, hence the response it got is bogus?

>> Could the problem be that the authenticating RR somehow considers this
>> domain to be insecure when looking up "removed"?
>
> That might well be the case, although I would expect BIND not to return
> unsigned queries for names below a manually configured trust anchor.

I removed DLV validation and manually added your KSK DNSKEY as a SEP, without change in behavior: removed.fnord.dnstest.hauke-lampe.de keeps returning SERVFAIL (as it should).

It seems that my resolver is configured identically for both my and your domain, so it's possibly some difference in the served zone that causes this behaviour.

What did you change for the "removed" record? Did you remove only the A and RRSIG? Or also the corresponding NSEC3?

Attached is my full (signed) zone file. It's a test zone anyway, so I don't think this is a security issue.
[Attachment: dnssec.dest-unreach.be.zone.signed]
> Maybe others have an idea what's happening here and why BIND returns
> NXDOMAIN responses.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
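The question the message above turns on, whether a "removed" name's NSEC3 record was left behind in the chain, can be reasoned about offline. The following is an added example, not code from this thread or from BIND: it computes NSEC3 hashed owner names per RFC 5155 and classifies what a zone's NSEC3 chain proves about a queried name. The zone names, salt and iteration count are taken from the RFC 5155 Appendix A example zone; `removed.example` is a hypothetical name constructed for the illustration.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex") alphabet used by NSEC3.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def canonical_wire(name):
    """Canonical owner-name wire form (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """Hashed owner name (RFC 5155 s5, hash algorithm 1 = SHA-1): SHA-1(name||salt),
    then `iterations` further rounds of SHA-1(digest||salt), base32hex encoded."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def build_chain(names, salt_hex, iterations):
    """NSEC3 chain: (owner, next) pairs in hash order, the last wrapping to the first."""
    owners = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(owners[i], owners[(i + 1) % len(owners)]) for i in range(len(owners))]

def classify(chain, target):
    """'match': an NSEC3 owns the hash (name exists); 'cover': hash lies strictly
    inside an interval (name provably absent); 'none': no usable record."""
    for owner, nxt in chain:
        if target == owner:
            return "match"
        if owner < nxt and owner < target < nxt:
            return "cover"
        if owner >= nxt and (target > owner or target < nxt):  # wrap-around record
            return "cover"
    return "none"

# Constructed zone: names and NSEC3PARAM (salt, iterations) from the RFC 5155
# Appendix A example zone; "removed.example" below is a hypothetical name.
SALT, ITERATIONS = "aabbccdd", 12
LIVE_NAMES = ["example", "a.example", "ai.example", "ns1.example",
              "ns2.example", "w.example", "xx.example"]

def proof_kind(zone_names, qname):
    """What the NSEC3 chain generated from zone_names proves about qname."""
    chain = build_chain(zone_names, SALT, ITERATIONS)
    return classify(chain, nsec3_hash(qname, SALT, ITERATIONS))
```

`proof_kind(LIVE_NAMES, "removed.example")` returns `"cover"` (a regenerated chain can prove the name absent), while `proof_kind(LIVE_NAMES + ["removed.example"], "removed.example")` returns `"match"`: a stale chain that still carries the name's NSEC3 asserts the name exists, so no signed NXDOMAIN for it can validate. A complete NXDOMAIN proof (RFC 5155 section 8.4) also requires the closest-encloser and wildcard checks, which this example leaves out.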