Upgrade to WHAT? You said it was fixed in 9.11.25, but isn't that a lot OLDER than 9.16.15, which is what I'm running?
jupiter ~ # named -v
BIND 9.16.15 (Stable Release) <id:4469e3e>
jupiter ~ # dig -v
DiG 9.16.15


On 5/16/2021 12:06 AM, Mark Andrews wrote:

On 16 May 2021, at 10:17, Dan Egli via bind-users <bind-users@lists.isc.org> wrote:

On 5/10/2021 12:38 PM, Tony Finch wrote:
Dan Egli <d...@newideatest.site> wrote:

Still not working for me. The dig doesn't report anything, and I don't HAVE a
keyfile since I'm using inline signing. Or does inline signing still require a
key to be generated?

Yes, you need to do your own key management with inline-signing using
dnssec-keygen. The new dnssec-policy feature can do automatic key
management for you.

Tony.

So, I updated the settings. Now I have keyfiles generated by bind, as well as a 
binary .zone.signed in addition to the plain text .zone which has no DNSSEC 
information at all in it. I ran the signing routine and bind said it was signed 
good. So I obtained the DS and put in the registrar. Now I am getting SERVFAIL 
errors whenever I try to query my zone from another name server. Here's what I 
did:

#dig newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site
newideatest.site. IN DS 49236 13 2 <LONG HASH>

Ok. Copy the long hash to the Registrar, plug it in. Check, done that.

  # dig mx newideatest.site @8.8.4.4

; <<>> DiG 9.16.15 <<>> mx newideatest.site @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 631
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;newideatest.site.              IN      MX

;; Query time: 50 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Sat May 15 18:12:44 MDT 2021
;; MSG SIZE  rcvd: 45
ServFail?! WHAT?

This is a known bug fixed in BIND 9.11.25. Upgrade. Once the DS is added to
.site for newideatest.site the resolution will work.

--
Dan Egli
From my Test Server
