On Wed, Feb 01, 2012 at 11:51:55PM +0000, Spain, Dr. Jeffry A. wrote:
> > Any suggestions, folks? What am I not understanding?
>
> Michael: To determine why there is no DNSSEC information being returned by
> your dig query, consider the following:
>
> What are the timestamps in your key metadata? Are they currently published
> and active?
> nstest/etc/namedb/keys;dnssec-settime -p all
> Ktransnetworks.net.+005+54607.private
>
> What are the file modes and ownership of your keys? Can named running under
> whatever UID it is using read the keys?
>
> What are the full contents of your unsigned and signed zone files? Any clues
> there?
> nstest/etc/namedb/keys;named-checkzone -j -o - transnetworks.net
> transnetworks.net
> nstest/etc/namedb/keys;named-checkzone -j -f raw -o - transnetworks.net
> transnetworks.net.signed
>
> Are there syslog messages that indicate any problems signing your zone?
> nstest/etc/namedb/keys;cat /var/log/syslog | grep named
>
> Ultimately with dnssec-dsfromkey, you may wish to leave out "-2" and generate
> both SHA-1 and SHA-256 digests. Depending on your registrar, they may accept
> one, the other, or both. The DS record submission is usually done on your
> registrar's web site.
>
> With dnssec-keygen, I used "-b 2048". I don't think there is a compelling
> argument for using a shorter key.
>
> Note that dig +dnssec queries targeted at your authoritative server will
> ultimately return DNSSEC records but will never return an AD flag. Eventually
> you will want to see the AD flag to know that all is well with the chain of
> trust through "net." up to the DNS root zone, and for this you will need a
> DNSSEC-enabled recursive resolver. You can use DNS-OARC's open validating
> resolver to test: https://www.dns-oarc.net/oarc/services/odvr. You can fairly
> easily set up another bind server as a recursive resolver for your own use as
> well.
>
> Two other good tests for your DNSSEC-enabled zones are at
> http://dnsviz.net/ and http://dnssec-debugger.verisignlabs.com/.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
Thanks for your advice! This gave me everything I needed. After intermittent experiments for the last several years, I now have DNSSEC on my test domain. Will write this up for the next newbie.

Thanks again,
==ml
--
Michael W. Lucas http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlu...@blackhelicopters.org, Twitter @mwlauthor
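As an added example, not part of the thread and not BIND's own tooling, the script below works through two of the checks Jeffry lists, offline. First it reads `dnssec-settime -p all` output and decides whether the key is currently published and active (the sample text and its "Field: ctime-style date" layout are constructed here from memory of that tool's output, not taken from the poster's server). Second it derives the SHA-1 (digest type 1) and SHA-256 (digest type 2) DS records from a DNSKEY, which is what dnssec-dsfromkey produces when -2 is left out; the 4-byte public key is a constructed dummy, so the digests mean nothing, but the key tag (RFC 4034 Appendix B) and the digest input (owner name in canonical wire form followed by the DNSKEY RDATA, RFC 4034 section 5.1.4) are computed the real way. The zone name example.net. is a placeholder.

```python
"""Offline DNSSEC diagnostics: key timing metadata and DS generation.

Added example; not from the bind-users thread or from BIND itself. The
dnssec-settime output layout and the DNSKEY material below are constructed.
"""
import base64
import hashlib
from datetime import datetime

# Constructed stand-in for `dnssec-settime -p all Kexample.net.+005+nnnnn.private`
# output. The "Field: <date>|UNSET" layout is assumed from the tool's usual output.
SAMPLE_SETTIME = """\
Created: Wed Feb  1 20:00:00 2012
Publish: Wed Feb  1 20:00:00 2012
Activate: Wed Feb  1 20:00:00 2012
Revoke: UNSET
Inactive: Fri Feb  1 20:00:00 2013
Delete: Fri Feb 15 20:00:00 2013
"""

# Constructed dummy public key (4 bytes: 01 03 05 07). NOT a real RSA key.
SAMPLE_DNSKEY_B64 = "AQMFBw=="


def parse_settime(text):
    """Map each timing field to a datetime, or None where the tool prints UNSET."""
    meta = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue
        value = " ".join(value.split())  # collapse the space-padded day of month
        meta[field.strip()] = (None if value == "UNSET"
                               else datetime.strptime(value, "%a %b %d %H:%M:%S %Y"))
    return meta


def diagnose(settime_text, now_iso):
    """Report whether the key is published/active at now_iso, plus the reasons
    it would contribute no DNSKEY or RRSIG to the signed zone."""
    meta = parse_settime(settime_text)
    now = datetime.fromisoformat(now_iso)

    def reached(field):
        return meta.get(field) is not None and meta[field] <= now

    problems = []
    if not reached("Publish"):
        problems.append("Publish time unset or not reached: DNSKEY not in zone")
    if reached("Delete"):
        problems.append("Delete time passed: key removed from zone")
    if not reached("Activate"):
        problems.append("Activate time unset or not reached: key does not sign")
    if reached("Inactive"):
        problems.append("Inactive time passed: key no longer signs")
    return {
        "published": reached("Publish") and not reached("Delete"),
        "active": reached("Activate") and not reached("Inactive"),
        "problems": problems,
    }


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, flags, protocol, algorithm, pubkey_b64):
    """Return the digest type 1 (SHA-1) and 2 (SHA-256) DS RRs for a DNSKEY,
    i.e. both records dnssec-dsfromkey emits when -2 is left out."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    digest_input = name_to_wire(owner) + rdata  # RFC 4034 section 5.1.4
    tag = key_tag(rdata)
    return [
        f"{owner} IN DS {tag} {algorithm} 1 {hashlib.sha1(digest_input).hexdigest().upper()}",
        f"{owner} IN DS {tag} {algorithm} 2 {hashlib.sha256(digest_input).hexdigest().upper()}",
    ]


if __name__ == "__main__":
    for when in ("2012-01-15T00:00:00", "2012-06-01T00:00:00", "2013-02-05T00:00:00"):
        print(when, diagnose(SAMPLE_SETTIME, when))
    # flags 257 = KSK, protocol 3, algorithm 5 (RSASHA1, the +005 in the thread's key name)
    for rr in ds_records("example.net.", 257, 3, 5, SAMPLE_DNSKEY_B64):
        print(rr)
```

Run against real output by substituting the text of `dnssec-settime -p all <keyfile>` and the flags/protocol/algorithm/base64 fields of the DNSKEY RR from the signed zone; a key whose Publish or Activate time lies in the future, or whose Inactive or Delete time has passed, is the most common reason a freshly signed zone answers `dig +dnssec` with no RRSIGs. Compare the DS lines with `dnssec-dsfromkey <keyfile>` before submitting them to the registrar.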