Hello,

I'm trying to turn my local DNS server into a DNSSEC-validating name server.

The bind.keys file is available and I set dnssec-validation and dnssec-lookaside to auto. But every time I try to resolve a name (denic.de for example) I get a SERVFAIL with dig. Turning the above options off and using dig with the +dnssec option, I can see RRSIG for the domain and for the root server.

The log tells me the following:

(snipped)
30-Sep-2017 01:26:50.508 dnssec: validating www.denic.de/A: starting
30-Sep-2017 01:26:50.508 dnssec: validating www.denic.de/A: attempting positive response validation
30-Sep-2017 01:26:50.508 dnssec: validating www.denic.de/A: get_key: creating fetch for denic.de DNSKEY
30-Sep-2017 01:26:50.530 dnssec: validating denic.de/DNSKEY: starting
30-Sep-2017 01:26:50.530 dnssec: validating denic.de/DNSKEY: attempting positive response validation
30-Sep-2017 01:26:50.531 dnssec: validating denic.de/DNSKEY: validatezonekey: creating fetch for denic.de DS
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: starting
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: attempting insecurity proof
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: insecurity proof failed
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: got insecure response; parent indicates it should be secure
30-Sep-2017 01:26:50.534 dnssec: validator @0x7164ea70: dns_validator_destroy
30-Sep-2017 01:26:50.552 dnssec: validating denic.de/DS: starting
30-Sep-2017 01:26:50.552 dnssec: validating denic.de/DS: attempting positive response validation
30-Sep-2017 01:26:50.552 dnssec: validating denic.de/DS: get_key: creating fetch for de DNSKEY
30-Sep-2017 01:26:50.577 dnssec: validating ./NS: starting
30-Sep-2017 01:26:50.577 dnssec: validating ./NS: attempting insecurity proof
30-Sep-2017 01:26:50.578 dnssec: validating ./NS: insecurity proof failed
30-Sep-2017 01:26:50.578 dnssec: validating ./NS: got insecure response; parent indicates it should be secure
30-Sep-2017 01:26:50.578 dnssec: validator @0x70623a00: dns_validator_destroy
30-Sep-2017 01:26:50.595 dnssec: validating de/DNSKEY: starting
30-Sep-2017 01:26:50.595 dnssec: validating de/DNSKEY: attempting insecurity proof
30-Sep-2017 01:26:50.595 dnssec: validating de/DNSKEY: checking existence of DS at 'de'
30-Sep-2017 01:26:50.595 dnssec: validating de/DNSKEY: proveunsecure: creating fetch for de DS
30-Sep-2017 01:26:50.614 dnssec: validating de/DS: starting
30-Sep-2017 01:26:50.614 dnssec: validating de/DS: attempting positive response validation
30-Sep-2017 01:26:50.614 dnssec: validating de/DS: keyset with trust secure
30-Sep-2017 01:26:50.615 dnssec: validating de/DS: verify rdataset (keyid=15768): success
30-Sep-2017 01:26:50.615 dnssec: validating de/DS: marking as secure, noqname proof not needed
30-Sep-2017 01:26:50.615 dnssec: validator @0x70623a00: dns_validator_destroy
30-Sep-2017 01:26:50.615 dnssec: validating de/DNSKEY: in dsfetched2: success
30-Sep-2017 01:26:50.616 dnssec: validating de/DNSKEY: resuming proveunsecure
30-Sep-2017 01:26:50.616 dnssec: validating de/DNSKEY: insecurity proof failed
30-Sep-2017 01:26:50.616 dnssec: validator @0x70410b18: dns_validator_destroy
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: starting
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: attempting insecurity proof
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: checking existence of DS at 'de'
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: insecurity proof failed
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: got insecure response; parent indicates it should be secure
30-Sep-2017 01:26:50.654 dnssec: validator @0x70505c00: dns_validator_destroy
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DS: in fetch_callback_validator
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DS: fetch_callback_validator: got SERVFAIL
30-Sep-2017 01:26:50.751 dnssec: validator @0x706280c8: dns_validator_destroy
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DNSKEY: in dsfetched
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DNSKEY: dsfetched: got broken trust chain
30-Sep-2017 01:26:50.751 dnssec: validator @0x7164da58: dns_validator_destroy
30-Sep-2017 01:26:50.752 dnssec: validating www.denic.de/A: in fetch_callback_validator
30-Sep-2017 01:26:50.752 dnssec: validating www.denic.de/A: fetch_callback_validator: got broken trust chain
30-Sep-2017 01:26:50.752 dnssec: validator @0x70504180: dns_validator_destroy

The bind.keys file is correct. Does somebody have a clue?

Thanks,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350
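As an added example (not from Dirk's post and not BIND's own code), here is a small Python parser for the `named` dnssec debug lines quoted above. It groups the log by the owner name and record type each validator worked on, records the final outcome per name/type, and reports the earliest failure in the log. On the quoted lines the earliest failure is the root NS set ("./NS: insecurity proof failed", then "got insecure response; parent indicates it should be secure"); the SERVFAIL and "broken trust chain" messages for denic.de appear only later, so the root-level failure is the first thing to check rather than the denic.de delegation. The sample log is copied from the post and trimmed; the marker strings are the ones visible in the post, and the name/type grouping is an assumption about how to read the log, not a BIND-defined format.

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the named dnssec debug lines from the post.
SAMPLE_LOG = """\
30-Sep-2017 01:26:50.508 dnssec: validating www.denic.de/A: starting
30-Sep-2017 01:26:50.508 dnssec: validating www.denic.de/A: attempting positive response validation
30-Sep-2017 01:26:50.508 dnssec: validating www.denic.de/A: get_key: creating fetch for denic.de DNSKEY
30-Sep-2017 01:26:50.530 dnssec: validating denic.de/DNSKEY: starting
30-Sep-2017 01:26:50.531 dnssec: validating denic.de/DNSKEY: validatezonekey: creating fetch for denic.de DS
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: starting
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: attempting insecurity proof
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: insecurity proof failed
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: got insecure response; parent indicates it should be secure
30-Sep-2017 01:26:50.534 dnssec: validator @0x7164ea70: dns_validator_destroy
30-Sep-2017 01:26:50.614 dnssec: validating de/DS: starting
30-Sep-2017 01:26:50.615 dnssec: validating de/DS: verify rdataset (keyid=15768): success
30-Sep-2017 01:26:50.615 dnssec: validating de/DS: marking as secure, noqname proof not needed
30-Sep-2017 01:26:50.616 dnssec: validating de/DNSKEY: insecurity proof failed
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DS: fetch_callback_validator: got SERVFAIL
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DNSKEY: dsfetched: got broken trust chain
30-Sep-2017 01:26:50.752 dnssec: validating www.denic.de/A: fetch_callback_validator: got broken trust chain
"""

# "<timestamp> dnssec: validating <owner>/<type>: <message>"; the
# "validator @0x...: dns_validator_destroy" lines carry no name and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: validating (?P<name>\S+)/(?P<rtype>[A-Z0-9]+): (?P<msg>.*)$"
)

# Substrings (taken from the posted log) that mean a validator gave up on a name.
FAILURE_MARKERS = (
    "insecurity proof failed",
    "got insecure response; parent indicates it should be secure",
    "got SERVFAIL",
    "got broken trust chain",
)
# Substring (also from the posted log) that means a name validated successfully.
SUCCESS_MARKERS = ("marking as secure",)


def parse_validator_log(text):
    """Return (timestamp, owner, rrtype, message) tuples for every 'validating' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["name"], m["rtype"], m["msg"]))
    return events


def summarize_chain(events):
    """Map each owner/type the validator touched to its last recorded outcome.

    Keys keep first-seen order, so the result reads top-down like the chain of
    fetches the resolver issued (query name first, its parents after it).
    """
    outcome = OrderedDict()
    for _, name, rtype, msg in events:
        key = f"{name}/{rtype}"
        outcome.setdefault(key, "pending")
        if any(mk in msg for mk in SUCCESS_MARKERS):
            outcome[key] = "secure"
        elif any(mk in msg for mk in FAILURE_MARKERS):
            outcome[key] = f"failed: {msg}"
    return outcome


def first_failure(events):
    """Earliest failing owner/type in log order, or None if nothing failed."""
    for _, name, rtype, msg in events:
        if any(mk in msg for mk in FAILURE_MARKERS):
            return f"{name}/{rtype}", msg
    return None


if __name__ == "__main__":
    evs = parse_validator_log(SAMPLE_LOG)
    for key, result in summarize_chain(evs).items():
        print(f"{key:20s} {result}")
    print("first failure:", first_failure(evs))
```

Run it against a real `named` log with the `dnssec` category at debug level (as in the post) by replacing `SAMPLE_LOG` with the file contents; the owner/type that fails first is where the chain of trust breaks, and everything validated underneath it will report "broken trust chain" regardless of whether its own DS and DNSKEY records are fine.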

