I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC validation.
I'm using the excellent guides at
http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-for-recursive-servers
and
https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2012/rapport_Deploying_DNSSEC_v20.pdf
and http://dnssec.vs.uni-due.de/ which provide 9.7.x configuration instructions and so I'm feeling a bit slow that I can't make this work.

I have a copy of bind.keys from https://www.isc.org/downloads/bind/bind-keys/ in /etc/bind/.

This statement in /etc/bind/bind.conf:

managed-keys {
    "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0=";
};

and the following in /etc/bind/bind.conf.options:

options {
    <snip>
    dnssec-enable yes;
    dnssec-validation yes;
    <snip>
}

But when I issue "rndc reconfig" I immediately get repeated log lines about the following and then similar statements for each domain:

23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec948ce40: com DS: no valid signature found
23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec8c41bf0: com DS: no valid signature found
23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
<snip>
23-Jun-2015 20:43:48.750 dnssec: info: validating @0x7fced04fd9e0: . NS: no valid signature found
23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0: a1784.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net AAAA: bad cache hit (net/DS)

Of course, once the TLDs aren't considered valid everything goes south.

What am I doing wrong?

Regards,

Frank Bulk
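The following is an added example, not part of the original post or of BIND: a small triage script for validator log lines in the format quoted above. It separates the "no valid signature found" lines from the "bad cache hit" lines, groups the latter by the record named in parentheses, and reports the failing record closest to the root, which is where troubleshooting the chain of trust should start. The sample lines are copied from the post; the function names are my own.

```python
import re
from collections import defaultdict

# Log lines copied from the post above ("<snip>" lines omitted).
SAMPLE_LOG = """\
23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec948ce40: com DS: no valid signature found
23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec8c41bf0: com DS: no valid signature found
23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
23-Jun-2015 20:43:48.750 dnssec: info: validating @0x7fced04fd9e0: . NS: no valid signature found
23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
"""

LINE_RE = re.compile(
    r"dnssec: info: validating @0x[0-9a-f]+: "
    r"(?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<msg>.+)$"
)
CACHE_RE = re.compile(r"bad cache hit \((?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)\)")

def depth(name):
    """Number of labels in a domain name; the root '.' has depth 0."""
    return len([label for label in name.rstrip(".").split(".") if label])

def triage(log_text):
    """Return (direct, dependent).
    direct:    (name, rtype) -> count of 'no valid signature found' lines.
    dependent: (name, rtype) quoted in 'bad cache hit' -> set of query names."""
    direct = defaultdict(int)
    dependent = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a validator line in the expected format
        cached = CACHE_RE.search(m["msg"])
        if cached:
            dependent[(cached["name"], cached["rtype"])].add(m["name"])
        elif "no valid signature found" in m["msg"]:
            direct[(m["name"], m["rtype"])] += 1
    return dict(direct), dict(dependent)

def topmost_failure(direct):
    """The direct failure closest to the root, or None if there is none."""
    return min(direct, key=lambda k: (depth(k[0]), k[1])) if direct else None

if __name__ == "__main__":
    direct, dependent = triage(SAMPLE_LOG)
    print("first break in chain:", topmost_failure(direct))
    for key, names in sorted(dependent.items()):
        print("cached failure", key, "seen for", sorted(names))
```

On the lines from the post, the topmost failure is the root NS set, so the root trust anchor and the signatures on the root zone are the first thing to check before looking at any TLD.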