Sorry, misread your version 11 vs 16. That said, it is hard to work out what is going wrong when you keep changing things and don’t actually have nameservers that are responding. You had servers that were giving DNSSEC responses, then ones that are returning unsigned responses and now ones that are not answering.

> On 16 May 2021, at 16:44, Dan Egli <d...@newideatest.site> wrote:
>
> Upgrade to WHAT? You said it was fixed in 9.11.25, but isn't that a lot OLDER
> than 9.16.15, which is what I'm running?
> jupiter ~ # named -v
> BIND 9.16.15 (Stable Release) <id:4469e3e>
> jupiter ~ # dig -v
> DiG 9.16.15
>
>
> On 5/16/2021 12:06 AM, Mark Andrews wrote:
>>
>>> On 16 May 2021, at 10:17, Dan Egli via bind-users
>>> <bind-users@lists.isc.org> wrote:
>>>
>>> On 5/10/2021 12:38 PM, Tony Finch wrote:
>>>> Dan Egli <d...@newideatest.site> wrote:
>>>>
>>>>> Still not working for me. The dig doesn't report anything, and I don't
>>>>> HAVE a keyfile since I'm using inline signing. Or does inline signing
>>>>> still require a key to be generated?
>>>>>
>>>> Yes, you need to do your own key management with inline-signing using
>>>> dnssec-keygen. The new dnssec-policy feature can do automatic key
>>>> management for you.
>>>>
>>>> Tony.
>>>>
>>> So, I updated the settings. Now I have keyfiles generated by bind, as well
>>> as a binary .zone.signed in addition to the plain text .zone which has no
>>> DNSSEC information at all in it. I ran the signing routine and bind said it
>>> was signed good. So I obtained the DS and put in the registrar. Now I am
>>> getting SERVFAIL errors whenever I try to query my zone from another name
>>> server. Here's what I did:
>>>
>>> #dig newideatest.site dnskey | dnssec-dsfromkey -2 -f - newideatest.site
>>> newideatest.site. IN DS 49236 13 2 <LONG HASH>
>>>
>>> Ok. Copy the long hash to the Registrar, plug it in. Check, done that.
>>>
>>> # dig mx newideatest.site @8.8.4.4
>>>
>>> ; <<>> DiG 9.16.15 <<>> mx newideatest.site @8.8.4.4
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 631
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 512
>>> ;; QUESTION SECTION:
>>> ;newideatest.site.              IN      MX
>>>
>>> ;; Query time: 50 msec
>>> ;; SERVER: 8.8.4.4#53(8.8.4.4)
>>> ;; WHEN: Sat May 15 18:12:44 MDT 2021
>>> ;; MSG SIZE rcvd: 45
>>> ServFail?! WHAT?
>> This is a known bug fixed in BIND 9.11.25. Upgrade. Once the DS is added
>> to .site for newideatest.site the resolution will work.
>>
>
> --
> Dan Egli
> From my Test Server
>
> <OpenPGP_0x11B7451DF2015959.asc>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
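
Added example, not part of the thread and not ISC code: a Python sketch of what the `dnssec-dsfromkey -2` step quoted above computes (key tag per RFC 4034 Appendix B, SHA-256 digest over owner name plus DNSKEY RDATA per RFC 4509), with a check that a DS held by the parent still matches a key in the zone's DNSKEY RRset. The key material is constructed sample bytes, not the zone's real keys, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Constructed sample keys (NOT real keys): 64 bytes each, the size of an
# algorithm 13 (ECDSAP256SHA256) public key.
SAMPLE_KSK = base64.b64encode(bytes(range(64))).decode()
SAMPLE_ZSK = base64.b64encode(bytes(range(64, 128))).decode()


def name_to_wire(name):
    """Canonical (lower-case) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit folded sum of the RDATA)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, dnskey):
    """(key tag, algorithm, digest type 2, SHA-256 hex) for one DNSKEY tuple."""
    rdata = dnskey_rdata(*dnskey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), dnskey[2], 2, digest)


def ds_matches(ds, owner, dnskeys):
    """True if the parent's DS matches a key in the child's DNSKEY RRset."""
    return any(make_ds(owner, k) == ds for k in dnskeys)


if __name__ == "__main__":
    zone = "newideatest.site."
    ksk = (257, 3, 13, SAMPLE_KSK)   # flags 257: key-signing key
    zsk = (256, 3, 13, SAMPLE_ZSK)   # flags 256: zone-signing key
    ds = make_ds(zone, ksk)
    print("DS:", *ds)
    print("matches published DNSKEYs:", ds_matches(ds, zone, [zsk, ksk]))
    print("matches after the KSK is replaced:", ds_matches(ds, zone, [zsk]))
```

A DS at the parent that matches no DNSKEY served by the zone makes validating resolvers treat the zone as bogus, so this comparison is worth repeating after any key regeneration.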