jupiter ~ # named -v
BIND 9.16.15 (Stable Release) <id:4469e3e>
jupiter ~ # dig -v
DiG 9.16.15

On 5/16/2021 12:06 AM, Mark Andrews wrote:
> On 16 May 2021, at 10:17, Dan Egli via bind-users <bind-users@lists.isc.org> wrote:
>> On 5/10/2021 12:38 PM, Tony Finch wrote:
>>> Dan Egli <d...@newideatest.site> wrote:
>>>> Still not working for me. The dig doesn't report anything, and I don't HAVE a keyfile since I'm using inline signing. Or does inline signing still require a key to be generated?
>>>
>>> Yes, you need to do your own key management with inline-signing using dnssec-keygen. The new dnssec-policy feature can do automatic key management for you.
>>>
>>> Tony.
>>
>> So, I updated the settings. Now I have keyfiles generated by bind, as well as a binary .zone.signed in addition to the plain text .zone which has no DNSSEC information at all in it. I ran the signing routine and bind said it was signed good. So I obtained the DS and put in the registrar. Now I am getting SERVFAIL errors whenever I try to query my zone from another name server. Here's what I did:
>>
>> # dig newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site
>> newideatest.site. IN DS 49236 13 2 <LONG HASH>
>>
>> Ok. Copy the long hash to the Registrar, plug it in. Check, done that.
>>
>> # dig mx newideatest.site @8.8.4.4
>>
>> ; <<>> DiG 9.16.15 <<>> mx newideatest.site @8.8.4.4
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 631
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 512
>> ;; QUESTION SECTION:
>> ;newideatest.site. IN MX
>>
>> ;; Query time: 50 msec
>> ;; SERVER: 8.8.4.4#53(8.8.4.4)
>> ;; WHEN: Sat May 15 18:12:44 MDT 2021
>> ;; MSG SIZE rcvd: 45
>>
>> ServFail?! WHAT?
>
> This is a known bug fixed in BIND 9.11.25. Upgrade. Once the DS is added to .site for newideatest.site the resolution will work.

--
Dan Egli
From my Test Server
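
Added example (not part of the thread and not BIND code): the DS that `dnssec-dsfromkey -2` prints is a key tag plus a SHA-256 digest over the owner name and the DNSKEY RDATA, so the record entered at the registrar can be checked offline against the key the zone serves. The function names and the sample key bytes are constructed for illustration.

```python
import hashlib

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields (key tag, algorithm, digest type 2, SHA-256 hex) per RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_mismatches(parent_ds: str, owner: str, rdata: bytes) -> list:
    """Compare a DS in presentation form ('tag alg type digest') with a DNSKEY."""
    tag, alg, dtype, *hexparts = parent_ds.split()
    want = make_ds(owner, rdata)
    got = (int(tag), int(alg), int(dtype), "".join(hexparts).upper())
    names = ("key tag", "algorithm", "digest type", "digest")
    return [n for n, g, w in zip(names, got, want) if g != w]

# Constructed sample: KSK-flagged (257) algorithm-13 keys with placeholder bytes
# instead of real P-256 points; the digest arithmetic does not depend on validity.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))
ROTATED_KEY = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))

def demo() -> dict:
    tag, alg, dtype, digest = make_ds("newideatest.site.", SAMPLE_KEY)
    at_parent = f"{tag} {alg} {dtype} {digest}"
    return {
        "ds": at_parent,
        "same_key": ds_mismatches(at_parent, "newideatest.site.", SAMPLE_KEY),
        "other_key": ds_mismatches(at_parent, "newideatest.site.", ROTATED_KEY),
    }

if __name__ == "__main__":
    for field, value in demo().items():
        print(field, value)
```

An empty list means the DS at the parent matches the served key; any listed field means validating resolvers will reject the zone's answers.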