On Sun, Aug 31, 2014 at 11:35:40AM +0200, Patrick Ben Koetter wrote:
> p@x240:~$ dig SOA +dnssec sys4.de
>
> ; <<>> DiG 9.9.5-3-Ubuntu <<>> SOA +dnssec sys4.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61650
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3
>
>                    ^^
>
> If you don't see it, your resolver cannot authenticate DNSSEC-enabled domains.
> Then you need to change that.

I see this:

# dig SOA +dnssec sys4.de

; <<>> DiG 9.9.5-3-Ubuntu <<>> SOA +dnssec sys4.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22031
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

As resolver I have Bind:

# cat /etc/resolv.conf
nameserver 10.0.3.1

And on 10.0.3.1 I have this:

        forwarders {
                213.133.98.98;
                213.133.99.99;
                213.133.100.100;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;

Is it possible that forwarders has more priority than the DNSSEC options of bind?

-- 
Best regards,
Peter Bauer
Linux & UNIX developer
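
Added example, not part of the original message: a shell function that checks dig output for the "ad" flag pointed out in the quoted reply, so the check can be scripted instead of read by eye. The function name dnssec_verdict and the variable names are made up for this example; the two sample headers are copied from the dig outputs in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): report whether a dig response
# carries the "ad" (authenticated data) flag.
# dnssec_verdict is a hypothetical helper name.
#
# Reads dig output on stdin, prints one word, and returns:
#   0  validated    - "ad" is among the header flags
#   1  unvalidated  - header found, but no "ad" flag
#   2  noheader     - no ";; flags:" line in the input
dnssec_verdict() {
    awk '
        /^;; flags:/ && !seen {
            seen = 1                           # only the first header counts
            line = $0
            sub(/^;; flags:[ \t]*/, "", line)  # drop the label
            sub(/;.*$/, "", line)              # drop the section counters
            n = split(line, flag, " ")
            for (i = 1; i <= n; i++)
                if (flag[i] == "ad") ad = 1    # whole-word match only
        }
        END {
            if (!seen) { print "noheader";  exit 2 }
            if (ad)    { print "validated"; exit 0 }
            print "unvalidated"; exit 1
        }'
}

# Header lines copied from the two dig outputs in this thread.
SAMPLE_WITH_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61650
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3'
SAMPLE_WITHOUT_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22031
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1'

# Demo on the embedded samples ("|| :" keeps a non-zero verdict from
# aborting a script that runs under "set -e").
printf '%s\n' "$SAMPLE_WITH_AD"    | dnssec_verdict || :
printf '%s\n' "$SAMPLE_WITHOUT_AD" | dnssec_verdict || :

# Live use against the resolver from /etc/resolv.conf:
#   dig SOA +dnssec sys4.de | dnssec_verdict
```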