Hello, I have DNSSEC validation running on a caching name server which is working fine. In addition, I have tried to add an entry in the named.conf to forward lookups for a local Active Directory domain name used for testing purposes so we can easily resolve the handful of servers in this domain. This isn't working as I had expected. In digging into the problem, I found that DNSSEC is positively validating the NXDOMAIN response based on the signed NSEC record from the root servers for the lack of "internal" which obviously makes the resolution fail since NXDOMAIN is the valid answer... done, end of story. I thought the forwarder type would bypass this but apparently I am wrong. Is there some other way to handle this for non-existent domains just for testing purposes?
Relevant named.conf config:

zone "policydomain.internal" {
    type forward;
    forward only;
    forwarders { 192.168.50.10; };
};

DNSSEC debug output:

21-Oct-2011 15:32:10.435 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: starting
21-Oct-2011 15:32:10.435 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: attempting insecurity proof
21-Oct-2011 15:32:10.435 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: checking existence of DS at 'internal'
21-Oct-2011 15:32:10.437 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: in dsfetched2: ncache nxdomain
21-Oct-2011 15:32:10.437 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: resuming proveunsecure
21-Oct-2011 15:32:10.437 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: checking existence of DS at 'policydomain.internal'
21-Oct-2011 15:32:10.438 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: starting
21-Oct-2011 15:32:10.438 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: attempting negative response validation
21-Oct-2011 15:32:10.438 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: in authvalidated
21-Oct-2011 15:32:10.438 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: resuming nsecvalidate
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: in authvalidated
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: looking for relevant nsec
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: ignoring nsec because name is past end of range
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: resuming nsecvalidate
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: in authvalidated
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: looking for relevant nsec
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: nsec range ok
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: resuming nsecvalidate
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: in checkwildcard: *
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: looking for relevant nsec
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: nsec range ok
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802e06b00: policydomain.internal DS: nonexistence proof(s) found
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: in dsfetched2: ncache nxdomain
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: resuming proveunsecure
21-Oct-2011 15:32:10.439 dnssec: debug 3: validating @0x802cec700: policydomain.internal A: insecurity proof failed

Thanks!
-Vinny
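The trace above shows the validator behaving correctly: it walks down from the signed root, the root's NSEC records prove that no DS (and no delegation at all) exists for "internal", so the unsigned answer from the forwarder cannot be accepted as "provably insecure" and the lookup fails. A forward zone only changes where the query is sent, not whether the reply is validated. As an added example, not part of the original post or of ISC's documentation, the following named.conf fragment shows how a validating resolver can be told to exempt one name tree from validation using the validate-except option. This assumes a BIND release that supports validate-except (the 9.14 and later release series; the 2011-era server in the post predates it), and it reuses the poster's forwarder address 192.168.50.10 as given.

```conf
options {
    // Keep validation on for everything else (auto uses the built-in root trust anchor).
    dnssec-validation auto;

    // Assumption: validate-except is available in this BIND release.
    // Names at and below "internal" are handed back unvalidated, so the
    // root NSEC proof of non-existence is no longer applied to them.
    // Keep this list as narrow as possible: everything under an exempted
    // name is trusted without signatures.
    validate-except { "internal"; };
};

// The poster's forward zone, unchanged: it only selects where the query goes.
zone "policydomain.internal" {
    type forward;
    forward only;
    forwarders { 192.168.50.10; };
};
```

After `rndc reconfig`, a `dig @127.0.0.1 policydomain.internal A +dnssec` should return the forwarder's answer instead of SERVFAIL; expect the AD flag to be absent for that name, which is the visible sign that the reply was exempted from validation rather than proven secure. Any name outside the exempted tree still goes through the full chain shown in the debug log, so a forged "internal" answer is the only thing this setting makes the resolver unable to detect; that is why it belongs on a test resolver, scoped to the test domain, rather than as a general workaround.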