On 1/26/19 2:30 PM, @lbutlr wrote:
> On 26 Jan 2019, at 12:20, @lbutlr <krem...@kreme.com> wrote:
>> I then removed "auto-dnssec maintain" and "inline-signing yes" from the zone
>> record in named.conf and now everything is behaving as expected when I query
>> localhost for the DNSSEC info.
>
> I should have said, I have update-policy local; in the zone record, but if I
> add "inline-signing yes;" and/or "auto-dnssec allow;" then the query fails.
I have the following snippet in my named.conf and it works great:

    zone "boat" {
        type master;
        file "zone/boat";
        update-policy local;
        auto-dnssec maintain;
        notify no;
    };

This is a "fake TLD" for "boat" that I maintain locally (on my boat). It is
DNSSEC signed, updates signatures automatically (as needed) and is able to be
updated locally (nsupdate -l).

I created the keys using something along the lines of:

    root@svlg-gateway:~# dnssec-keygen -a rsasha256 boat
    Generating key pair...........+++++ ......+++++
    Kboat.+008+41586
    root@svlg-gateway:~# dnssec-keygen -f k -a rsasha256 boat
    Generating key pair........................................................+++++ .............................................+++++

Then, making sure that the keys were in the directory specified by the
key-directory option, I did an "rndc loadkeys". With the appropriate trust
anchors in place, data in the zone validates.

Does this help at all? If not, can you be a bit more detailed in the problem
you are trying to solve?

AlanC
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
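The step in the reply above that most often goes wrong in practice is "making sure that the keys were in the directory specified by key-directory" before "rndc loadkeys": a key file copied under the wrong name, a KSK missing because "-f k" was forgotten, or keys for a different zone. The script below is an added example (Python, not from this thread and not part of BIND) that performs that check offline: it parses the DNSKEY records that dnssec-keygen writes into K<zone>.+<alg>+<tag>.key files, recomputes each key tag with the RFC 4034 Appendix B algorithm, reads the KSK/ZSK role from the flags field (257 = zone key + SEP, 256 = zone key), and confirms the zone has one of each and that every filename matches its contents. The check_key_directory helper, the problem strings and the sample key directory are my own; the public-key bytes in the sample are constructed and far too short to be real RSA keys, only the record layout is realistic.

```python
"""Sanity-check dnssec-keygen output in BIND's key-directory before 'rndc loadkeys'.

Added example, not code from the bind-users thread or from BIND. All key
material below is constructed; only the .key record layout is realistic.
"""
import base64
import re

# One DNSKEY record as written to a .key file:
#   <owner> [<ttl>] IN DNSKEY <flags> <protocol> <algorithm> <base64 public key>
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(?P<flags>\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<pub>[A-Za-z0-9+/=\s]+)$"
)


def keytag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse one DNSKEY record and derive role, key tag and the filename dnssec-keygen would use."""
    m = DNSKEY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    pub = base64.b64decode("".join(m["pub"].split()))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pub
    # Flag bit 7 (0x0100) is Zone Key; bit 15 (0x0001) is SEP, which 'dnssec-keygen -f k' sets.
    zone_key = bool(flags & 0x0100)
    sep = bool(flags & 0x0001)
    role = "KSK" if (zone_key and sep) else "ZSK" if zone_key else "not-a-zone-key"
    tag = keytag(rdata)
    owner = m["owner"].rstrip(".")
    return {
        "owner": owner,
        "flags": flags,
        "alg": alg,
        "role": role,
        "tag": tag,
        # Filename in the style of the thread's Kboat.+008+41586
        "expected_file": f"K{owner}.+{alg:03d}+{tag:05d}.key",
    }


def check_key_directory(zone: str, files: dict) -> list:
    """files maps filename -> .key file text, as read from key-directory.

    Returns a list of problems; an empty list means the directory is ready for rndc loadkeys.
    """
    problems, roles = [], {"KSK": 0, "ZSK": 0}
    for name, text in files.items():
        for line in text.splitlines():
            if not line.strip() or line.startswith(";"):
                continue  # dnssec-keygen writes ';' comment lines above the record
            k = parse_dnskey(line)
            if k["owner"] != zone.rstrip("."):
                problems.append(f"{name}: owner {k['owner']} is not zone {zone}")
            if name != k["expected_file"]:
                # named finds keys by the tag it computes from the contents, so a renamed
                # file still loads; the mismatch usually means the wrong key was copied in.
                problems.append(f"{name}: contents compute to {k['expected_file']}")
            if k["role"] in roles:
                roles[k["role"]] += 1
            else:
                problems.append(f"{name}: flags {k['flags']} is not a zone key")
    for role, n in roles.items():
        if n == 0:
            problems.append(f"no {role} for {zone}; auto-dnssec maintain cannot fully sign")
    return problems


# Constructed sample key-directory for the "boat" zone (tiny fake public keys, tags 2063/2062).
SAMPLE_KEYDIR = {
    "Kboat.+008+02063.key": "; This is a key-signing key, keyid 2063, for boat.\n"
                            "boat. IN DNSKEY 257 3 8 AQIDBA==\n",
    "Kboat.+008+02062.key": "; This is a zone-signing key, keyid 2062, for boat.\n"
                            "boat. IN DNSKEY 256 3 8 AQIDBA==\n",
}

if __name__ == "__main__":
    result = check_key_directory("boat", SAMPLE_KEYDIR)
    for line in result or ["ok: KSK and ZSK present, key tags match filenames"]:
        print(line)
```

To run it against a real key-directory, build the files dict from the K*.key files in that directory (and nothing else) and compare its verdict with what "rndc loadkeys" followed by "dig +dnssec DNSKEY <zone>" shows.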