Mark,

Sorry for top-posting -- my email client makes it difficult to do otherwise.

Yes, I'm absolutely sure there's no software or physical firewall (we're an ISP), and there's also no load-balancer in front of this box. I've also used the EDNS tests and I can get a 4000+ byte response. There's also no forwarder configured.

Here's the requested output:

root@nagios:/etc/bind# dig @127.0.0.1 +cd ds com; dig @127.0.0.1 +cd dnskey .

; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd ds com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55498
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;com.                           IN      DS

;; ANSWER SECTION:
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766

;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 23 22:17:58 2015
;; MSG SIZE  rcvd: 69

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd dnskey .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25167
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       32115   IN      DNSKEY  256 3 8 AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
.                       32115   IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       32115   IN      DNSKEY  256 3 8 AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 23 22:17:59 2015
;; MSG SIZE  rcvd: 586

Frank

-----Original Message-----
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday, June 23, 2015 10:11 PM
To: Frank Bulk <frnk...@iname.com>
Cc: bind-us...@isc.org
Subject: Re: DNSSEC validation on 9.7.4 not working

In message <003d01d0ae24$682fc080$388f4180$@iname.com>, "Frank Bulk" writes:
> I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC
> validation.
>
> I'm using the excellent guides at
> http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-for-recursive-servers
> and
> https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2012/rapport_Deploying_DNSSEC_v20.pdf
> and http://dnssec.vs.uni-due.de/ which provide 9.7.x configuration
> instructions, and so I'm feeling a bit slow that I can't make this work.
>
> I have a copy of bind.keys from
> https://www.isc.org/downloads/bind/bind-keys/ in /etc/bind/
>
> This statement in /etc/bind/bind.conf:
>
> managed-keys {
>         "." initial-key 257 3 8
>         "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
>         QxA+Uk1ihz0=";
> };
>
> and the following in /etc/bind/bind.conf.options:
>
> options {
>         <snip>
>         dnssec-enable yes;
>         dnssec-validation yes;
>         <snip>
> }
>
> But when I issue "rndc reconfig" I immediately get repeated log lines about
> the following and then similar statements for each domain:
>
> 23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec948ce40: com DS: no valid signature found
> 23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec8c41bf0: com DS: no valid signature found
> 23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
> <snip>
> 23-Jun-2015 20:43:48.750 dnssec: info: validating @0x7fced04fd9e0: . NS: no valid signature found
> 23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
> 23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
> 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
> 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0: a1784.dscg.akamai.net AAAA: bad cache hit (net/DS)
> 23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net AAAA: bad cache hit (net/DS)
>
> Of course, once the TLDs aren't considered valid everything goes south.
>
> What am I doing wrong?
>
> Regards,
>
> Frank Bulk

Are you sure that there isn't a firewall that is blocking RRSIGs from getting through, or that you aren't using a forwarder that isn't also validating? These sorts of messages come when named is forced back to plain DNS to get a response.

What do "dig +cd ds com" and "dig +cd dnskey ." return?

Mark

> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
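As an added example (not code from this thread, from ISC or from BIND), the check below parses dig's text output for Mark's two queries and tells apart the cases behind "no valid signature found". It extends Mark's test with +dnssec, which is my addition: run the query once with +dnssec and once with +dnssec +cd, then compare. An answer under +cd that carries no RRSIG means the signatures never reached named (the plain-DNS fallback Mark describes); signed data under +cd with SERVFAIL without +cd means the data arrives but fails validation. The dig responses embedded here are constructed samples in the same layout as the output above, not real records.

```python
import re

# Constructed dig output in the layout dig prints; rdata fields are placeholders.
SERVFAIL_PLAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;com.                           IN      DS
"""
CD_WITH_RRSIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
com.    86400   IN      DS      12345 8 2 0123456789ABCDEF (constructed)
com.    86400   IN      RRSIG   DS 8 1 86400 20150703000000 20150623000000 12345 . c29tZXNpZw== (constructed)

;; Query time: 17 msec
"""
CD_NO_RRSIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
com.    86400   IN      DS      12345 8 2 0123456789ABCDEF (constructed)

;; Query time: 17 msec
"""

def parse_dig(text):
    """Pull status, header flags and answer-section RR types out of dig's text output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([^;]*);", text)
    types, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";;")):
            in_answer = False                     # blank line or next section ends the answer
        elif in_answer:
            types.append(line.split()[3])         # owner ttl class TYPE rdata...
    return {"status": status.group(1) if status else "NORESPONSE",
            "flags": set(flags.group(1).split()) if flags else set(),
            "types": types}

def diagnose(plain, cd):
    """plain = output of `dig +dnssec <name> <type>`; cd = the same query with +cd added."""
    p, c = parse_dig(plain), parse_dig(cd)
    if p["status"] == "NOERROR" and "ad" in p["flags"]:
        return "validated"                        # AD set: chain of trust checks out
    if c["status"] != "NOERROR" or not c["types"]:
        return "no answer even with +cd"          # plain resolution problem, not DNSSEC
    if "RRSIG" not in c["types"]:
        return "answer without RRSIGs"            # signatures never reached named (path/EDNS fallback)
    if p["status"] == "SERVFAIL":
        return "signed data fails validation"     # trust anchor or chain problem
    return "answer without AD flag"               # validation not in effect on this resolver
```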