I think Mark jumped on something else, your zone is seriously broken and not because of DNSSEC:
https://dnssec-analyzer.verisignlabs.com/newideatest.site

All of these NSes must have the correct zone content and not be broken:

newideatest.site. 3600 IN NS jupiter.eglifamily.name.
newideatest.site. 3600 IN NS uz5qfm8n244kn4qz8mh437w9kzvpudduwyldp5361v9n0vh8sx5ucu.free.ns.buddyns.com.
newideatest.site. 3600 IN NS uz5154v9zl2nswf05td8yzgtd0jl6mvvjp98ut07ln0ydp2bqh1skn.free.ns.buddyns.com.
newideatest.site. 3600 IN NS uz52u1wtmumlrx5fwu6nmv22ntcddxcjjw41z8sfd6ur9n7797lrv9.free.ns.buddyns.com.
newideatest.site. 3600 IN NS uz5w6sb91zt99b73bznfkvtd0j1snxby06gg4hr0p8uum27n0hf6cd.free.ns.buddyns.com.

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 16. 5. 2021, at 8:45, Dan Egli via bind-users <bind-users@lists.isc.org> wrote:
>
> Upgrade to WHAT? You said it was fixed in 9.11.25, but isn't that a lot OLDER than 9.16.15, which is what I'm running?
> jupiter ~ # named -v
> BIND 9.16.15 (Stable Release) <id:4469e3e>
> jupiter ~ # dig -v
> DiG 9.16.15
>
>
>> On 5/16/2021 12:06 AM, Mark Andrews wrote:
>>
>>>> On 16 May 2021, at 10:17, Dan Egli via bind-users <bind-users@lists.isc.org> wrote:
>>>
>>> On 5/10/2021 12:38 PM, Tony Finch wrote:
>>>> Dan Egli <d...@newideatest.site> wrote:
>>>>
>>>>> Still not working for me. The dig doesn't report anything, and I don't HAVE a
>>>>> keyfile since I'm using inline signing. Or does inline signing still require a
>>>>> key to be generated?
>>>>>
>>>> Yes, you need to do your own key management with inline-signing using
>>>> dnssec-keygen. The new dnssec-policy feature can do automatic key
>>>> management for you.
>>>>
>>>> Tony.
>>>>
>>> So, I updated the settings. Now I have keyfiles generated by bind, as well
>>> as a binary .zone.signed in addition to the plain text .zone which has no
>>> DNSSEC information at all in it. I ran the signing routine and bind said it
>>> was signed good. So I obtained the DS and put in the registrar. Now I am
>>> getting SERVFAIL errors whenever I try to query my zone from another name
>>> server. Here's what I did:
>>>
>>> #dig newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site
>>> newideatest.site. IN DS 49236 13 2 <LONG HASH>
>>>
>>> Ok. Copy the long hash to the Registrar, plug it in. Check, done that.
>>>
>>> # dig mx newideatest.site @8.8.4.4
>>>
>>> ; <<>> DiG 9.16.15 <<>> mx newideatest.site @8.8.4.4
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 631
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 512
>>> ;; QUESTION SECTION:
>>> ;newideatest.site. IN MX
>>>
>>> ;; Query time: 50 msec
>>> ;; SERVER: 8.8.4.4#53(8.8.4.4)
>>> ;; WHEN: Sat May 15 18:12:44 MDT 2021
>>> ;; MSG SIZE rcvd: 45
>>> ServFail?! WHAT?
>> This is a known bug fixed in BIND 9.11.25. Upgrade. Once the DS is added to .site for
>> newideatest.site the resolution will work.
>>
>
> --
> Dan Egli
> From my Test Server
>
> <OpenPGP_0x11B7451DF2015959.asc>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
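The DS record that `dnssec-dsfromkey -2` prints in the quoted message can be recomputed independently to confirm that the DS held by the parent really corresponds to the zone's DNSKEY. The following is an added example, not part of the thread: the zone name example.test and the key bytes are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed sample: 64 placeholder bytes standing in for an algorithm 13 public key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Owner name in canonical (lowercased) wire format, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:  # the root name "." has no labels
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the first number in a DS record)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def ds_matches(parent_ds, owner, flags, protocol, algorithm, pubkey_b64):
    """True if DS text from the parent ("tag alg type digest") matches the key."""
    tag, alg, dtype, digest = parent_ds.split(None, 3)
    published = (int(tag), int(alg), int(dtype), "".join(digest.split()).upper())
    return published == ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64)

if __name__ == "__main__":
    ds = ds_from_dnskey("example.test.", 257, 3, 13, SAMPLE_KEY_B64)
    print("example.test. IN DS %d %d %d %s" % ds)
```

A mismatch between the computed tuple and the DS served by the parent zone produces the same validation failure at resolvers as an unsigned or inconsistent zone on one of the listed name servers, so both checks are worth running.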