Re: DNSSEC Validation not working

2025-06-06 Thread Darren Ankney
Hi Luca, This is correct: dnssec-validation auto; If you use "yes" there, then you must supply a trust anchor. Auto is the default. The only idea I have is this: zone "." IN { type hint; file "named.ca"; }; You don't need this anymore. BIND 9.18 will automatically find the root zones starting

RE: dnssec-validation?

2023-04-14 Thread David Carvalho via bind-users
are (again) my named.conf on the primary and secondary server to find why dnssec-validation needs to be off on the primary. Thanks! David -Original Message- From: Mark Andrews Sent: 14 April 2023 02:35 To: David Carvalho Cc: Evan Hunt ; bind-users@lists.isc.org Subject: Re: dnssec-

Re: dnssec-validation?

2023-04-13 Thread Mark Andrews
> On 13 Apr 2023, at 19:23, David Carvalho via bind-users > wrote: > > Hello and thank you for the reply. > My domain is "di.ubi.pt". The parent domain "ubi.pt" recently configured > DNSSEC (BIND 9.11) so it was time again for me to try to set it up for my > domain. > > A few months ago I upd

RE: dnssec-validation?

2023-04-13 Thread David Carvalho via bind-users
me I reconfigure and reload, I would stick with this version. Regards David -Original Message- From: Evan Hunt Sent: 13 April 2023 18:08 To: David Carvalho Cc: bind-users@lists.isc.org Subject: Re: dnssec-validation? On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote: > P

Re: dnssec-validation?

2023-04-13 Thread Evan Hunt
On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote: > Problem number 1: Dnssec seems to be running on "di.ubi.pt", but > dnssec-validation still needs to be set to no; Will this cause troubles? > Dns2 is set to auto and runs fine. From here, di.ubt.pt appears to be properly signed and

RE: dnssec-validation?

2023-04-13 Thread David Carvalho via bind-users
rt? Kind regards, David Carvalho -Original Message- From: Evan Hunt Sent: 12 April 2023 18:08 To: David Carvalho Cc: bind-users@lists.isc.org Subject: Re: dnssec-validation? On Wed, Apr 12, 2023 at 05:41:33PM +0100, David Carvalho via bind-users wrote: > After reverting my primary dns

RE: dnssec-validation?

2023-04-13 Thread David Carvalho via bind-users
Hello and thank you for the reply. My domain is "di.ubi.pt". The parent domain "ubi.pt" recently configured DNSSEC (BIND 9.11) so it was time again for me to try to set it up for my domain. A few months ago I updated both dns servers to Oracle Linux 8, running BIND 9.16.23 to prepare for this. The

Re: dnssec-validation?

2023-04-12 Thread Evan Hunt
On Wed, Apr 12, 2023 at 05:41:33PM +0100, David Carvalho via bind-users wrote: > After reverting my primary dns configuration, and asking my provider to > remove the DNSKEY, I had to include dnssec-validation no; otherwise it would > keep answering with SERVFAIL > > I noticed the server was consta

Re: DNSSEC validation via AD bit?

2022-02-01 Thread Petr Špaček
On 31. 01. 22 11:50, Tony Finch wrote: 2. Should sendmail not be trusting the AD bit in replies from the admin configured (i.e., trusted by admin) resolvers? It's dangerous territory. Sendmail isn't alone: for example, OpenSSH also relies on the AD bit to validate SSHFP records. But using AD is

Re: DNSSEC validation via AD bit?

2022-01-31 Thread Tony Finch
Gregory Shapiro via bind-users wrote: > > Two questions: Slightly expanding on Mark's answers... > 1. Is there a reason when BIND is running as both a recursive server and > an authoritative server for a domain, it doesn't set the AD bit when > answering resolver queries for one of its authorita

Re: DNSSEC validation via AD bit?

2022-01-30 Thread Mark Andrews
> On 31 Jan 2022, at 10:45, Gregory Shapiro via bind-users > wrote: > > sendmail's implementation of DANE determines whether DNSSEC validation was > successful based on the presence of the AD bit in the response to the DANE > record lookup. > > An equivalent dig lookup would be: > >%

Re: Dnssec-validation auto

2020-11-13 Thread Ismael Suarez
Petr Menšík <pemen...@redhat.com> To: Ismael Suarez <ismael_sua...@coqui.com>, bind-users@lists.isc.org <bind-us...@lists.isc.org>

Re: Dnssec-validation auto

2020-11-13 Thread Petr Menšík
> -- > > Ismael Suárez Maldonado | UNIX ADM | Coqui.Net Corp / ClaroTV > ismael_sua...@coqui.com | T: 787-793-0001 x > 4007 > > -Original Message- > From: Petr Menšík

Re: Dnssec-validation auto

2020-11-13 Thread Ismael Suarez
Petr Menšík <pemen...@redhat.com> To: bind-users@lists.isc.org Subject: Re: Dnssec-validation auto Date: Fri, 13 Nov 2020 11:26:17 +0100 Hi Ismael, easiest way to check validation is using delv t

Re: Dnssec-validation auto

2020-11-13 Thread Petr Menšík
Hi Ismael, easiest way to check validation is using delv tool from BIND 9.11+. It uses the same algorithm as BIND server does. If you get SERVFAIL from your recursive server, try adding +cd parameter to delv or dig. When it works with +cd, validation is responsible somewhere in recursive servers c

Re: DNSSEC validation via DLV

2019-07-18 Thread Mark Elkins
via bind-users Sent: Thursday, 18 July 2019 10:22 PM To: m...@posix.co.za; bind-users@lists.isc.org Subject: Re: DNSSEC validation via DLV Not a difficult process really.. -Configure a DNSSEC enabled name server -Create some zone keys (dnssec-keygen) -Sign your zone (dnssec-signzone) -Update

Re: DNSSEC validation via DLV

2019-07-18 Thread Mal via bind-users
On 19/07/2019 9:27 am, p...@vspace.co.za wrote: > > Problem being, no options exist as to export the DS record of co.za, com.au > or net.au domains to the respective registrars, being namecheap.com and > axxess.co.za. > Change registry right ? Crazy domains supports them for the ".com.au"

RE: DNSSEC validation via DLV

2019-07-18 Thread peek
does accept the DS records for .com domains, yet not for .au domains. -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mal via bind-users Sent: Thursday, 18 July 2019 10:22 PM To: m...@posix.co.za; bind-users@lists.isc.org Subject: Re: DNSSEC

Re: DNSSEC validation via DLV

2019-07-18 Thread Mal via bind-users
Not a difficult process really.. -Configure a DNSSEC enabled name server -Create some zone keys (dnssec-keygen) -Sign your zone (dnssec-signzone) -Update your nameserver configuration to point to the signed zone file -Export your DS records (dsset) to the domain registration company (EPP). Con

Re: DNSSEC validation via DLV

2019-07-18 Thread Mark Elkins
I can't comment on com.au (but looking up the Nameservers, I see the AD bit set - so DNSSEC appears to be in use.. However, co.za (and net.oza, org.za & web.za) which are managed by the ZACR (and DNS) - they are all signed and I personally have domains under these second levels - all running

Re: dnssec-validation auto vs yes

2019-06-13 Thread Warren Kumari
On Wed, Jun 12, 2019 at 8:25 PM Evan Hunt wrote: > > On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote: > > The default BIND9 installation for CentOS7 has dnssec-validation set to > > "yes" and it also includes managed-keys as well. Do those managed-keys > > get updated aut

Re: dnssec-validation auto vs yes

2019-06-13 Thread Tony Finch
Shawn Zhou via bind-users wrote: > Thanks Even. Sounds like "dnssec-validation auto" is a more > future-proof option for what I want it. I will use that instead. My recommendation is to avoid configuring or installing root trust anchors, and let named handle all that itself. In BIND 9.14 and lat

Re: dnssec-validation auto vs yes

2019-06-12 Thread Shawn Zhou via bind-users
Thanks Even. Sounds like "dnssec-validation auto" is a more future-proof option for what I want it. I will use that instead. On Wednesday, June 12, 2019, 5:25:51 PM PDT, Evan Hunt wrote: On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote: > The default BIND9 inst

Re: dnssec-validation auto vs yes

2019-06-12 Thread Evan Hunt
On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote: > The default BIND9 installation for CentOS7 has dnssec-validation set to > "yes" and it also includes managed-keys as well. Do those managed-keys > get updated automatically? Yes, if the "managed-keys" statement is in name

Re: DNSSEC validation

2018-02-13 Thread SIMON BABY
Thanks Evan for answering my questions. I will look more into getdns-api or libunbound library for the client side resolve. Rgds Simon On Tue, Feb 13, 2018 at 3:00 PM, Evan Hunt wrote: > On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote: > > 1. Assume if I use an external recursive reso

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote: > 1. Assume if I use an external recursive resolver and if that resolver does > not support DNSSEC, how can I validate the signature? Depends what you mean by supporting DNSSEC; see below. > 2. If I use an external resolver and if a hack

Re: DNSSEC validation

2018-02-13 Thread SIMON BABY
Thanks Warren. I will look into https://getdnsapi.net/ . Rgds simon On Tue, Feb 13, 2018 at 2:07 PM, Warren Kumari wrote: > On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY wrote: > > Hello Evan, > > > > Thank you so much for the quick response. > > > > My requirement is to implement only the rec

Re: DNSSEC validation

2018-02-13 Thread Warren Kumari
On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY wrote: > Hello Evan, > > Thank you so much for the quick response. > > My requirement is to implement only the recursive resolve and validation > part of the DNSSEC in my client application. Our CPU and memory are very > limited. So I am not sure I can g

Re: DNSSEC validation

2018-02-13 Thread SIMON BABY
Hello Evan, Thank you so much for answering my questions. Inline my comments. But why do you need your application to contain a recursive resolver? 1. Assume if I use an external recursive resolver and if that resolver does not support DNSSEC, how can I validate the signature? 2. If I use an e

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
On Tue, Feb 13, 2018 at 12:42:26PM -0800, SIMON BABY wrote: > My requirement is to implement only the recursive resolve and validation > part of the DNSSEC in my client application. Our CPU and memory are very > limited. So I am not sure I can go and use BIND 9. But why do you need your applicatio

Re: DNSSEC validation

2018-02-13 Thread SIMON BABY
Hello Evan, Thank you so much for the quick response. My requirement is to implement only the recursive resolve and validation part of the DNSSEC in my client application. Our CPU and memory are very limited. So I am not sure I can go and use BIND 9. With BIND 9, can I integrate the library in m

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
On Tue, Feb 13, 2018 at 12:08:18PM -0800, SIMON BABY wrote: > I am trying to implement the full recursive resolver with libbind library > in my client code. I am not using resolv.conf in my implementation. Can > anyone please help to point any sample code for this. Not even BIND uses libbind anymo

Re: DNSSEC validation without current time

2017-12-18 Thread Dave Warren via bind-users
On 2017-12-18 06:44, Timothe Litt wrote: On 18-Dec-17 01:07, Dave Warren wrote: On 2017-12-15 06:23, Petr Menšík wrote: Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a): Hi there, On Fri, 15 Dec 2017, Petr Menšík wrote: ... current time is not available or can be inaccurate.

Re: DNSSEC validation without current time

2017-12-18 Thread Sten Carlsen
On 18/12/2017 14:44, Timothe Litt wrote: > > On 18-Dec-17 01:07, Dave Warren wrote: >> On 2017-12-15 06:23, Petr Menšík wrote: >>> >>> Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a): Hi there, On Fri, 15 Dec 2017, Petr Menšík wrote: > ... current time is not

Re: Re: DNSSEC validation without current time

2017-12-18 Thread Timothe Litt
On 18-Dec-17 01:07, Dave Warren wrote: > On 2017-12-15 06:23, Petr Menšík wrote: >> >> Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a): >>> Hi there, >>> >>> On Fri, 15 Dec 2017, Petr Menšík wrote: >>> ... current time is not available or can be inaccurate. >>> >>> ntpdate? >>> >

Re: DNSSEC validation without current time

2017-12-17 Thread Dave Warren via bind-users
On 2017-12-15 06:23, Petr Menšík wrote: Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a): Hi there, On Fri, 15 Dec 2017, Petr Menšík wrote: ... current time is not available or can be inaccurate. ntpdate? Sure, of course. What would be default host after installation, that ca

Re: DNSSEC validation without current time

2017-12-16 Thread G.W. Haywood via bind-users
Hi there, On Fri, 15 Dec 2017, Barry Margolin wrote: In article , "G.W. Haywood" wrote: On Fri, 15 Dec 2017, Petr Menšík wrote: ... current time is not available or can be inaccurate. ntpdate? I think the issue is that he needs to resolve the hostname of the NTP server. Perhaps he c

Re: DNSSEC validation without current time

2017-12-15 Thread Grant Taylor via bind-users
On 12/15/2017 08:10 AM, Timothe Litt wrote: I use a 19xLVC too (On Raspbian == Debian). But I also have an RTC. GPS does have outages, can take a while to get a fix, and NTP wants consensus. So I use my GPS receiver as a local clock source (preferred), but also configure several servers fr

Re: DNSSEC validation without current time

2017-12-15 Thread Barry Margolin
In article , "G.W. Haywood" wrote: > Hi there, > > On Fri, 15 Dec 2017, Petr Menšík wrote: > > > ... current time is not available or can be inaccurate. > > ntpdate? I think the issue is that he needs to resolve the hostname of the NTP server. -- Barry Margolin Arlington, MA

Re: Re: DNSSEC validation without current time

2017-12-15 Thread Timothe Litt
On 15-Dec-17 07:44, Mukund Sivaraman wrote: On Fri, Dec 15, 2017 at 12:45:11PM +0100, Petr Menšík wrote: >> Hi folks. >> >> I am looking for a way to validate name also on systems, where current >> time is not available or can be inaccurate. > I use a Garmin 18x LVC 1pps GPS receiver device conne

Re: DNSSEC validation without current time

2017-12-15 Thread Timothe Litt
On 15-Dec-17 06:45, Petr Menšík wrote: > Hi folks. > > I am looking for a way to validate name also on systems, where current > time is not available or can be inaccurate. > > This is related to booting with NTP client, when the only configuration > is hostname that has to be resolved. There is a

Re: DNSSEC validation without current time

2017-12-15 Thread Petr Menšík
Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a): > Hi there, > > On Fri, 15 Dec 2017, Petr Menšík wrote: > >> ... current time is not available or can be inaccurate. > > ntpdate? > Sure, of course. What would be default host after installation, that can be used in default install

Re: DNSSEC validation without current time

2017-12-15 Thread Tony Finch
Petr Menšík wrote: > > This is related to booting with NTP client, when the only configuration > is hostname that has to be resolved. There is a bit circle dependencies. Yes awkward, and there still aren't any convincing answers. One of the more interesting projects is https://roughtime.googlesou

Re: DNSSEC validation without current time

2017-12-15 Thread Mukund Sivaraman
On Fri, Dec 15, 2017 at 12:45:11PM +0100, Petr Menšík wrote: > Hi folks. > > I am looking for a way to validate name also on systems, where current > time is not available or can be inaccurate. I use a Garmin 18x LVC 1pps GPS receiver device connected to RS-232 serial port. The device plus cables

Re: DNSSEC validation without current time

2017-12-15 Thread G.W. Haywood via bind-users
Hi there, On Fri, 15 Dec 2017, Petr Menšík wrote: ... current time is not available or can be inaccurate. ntpdate? -- 73, Ged.

Re: dnssec validation issue

2017-08-30 Thread dhungyel
Hi Mukund > Are you able to reproduce the bug with the latest stock version of BIND > 9.9? 9.9.4 is very old and that branch has had numerous bugfixes since. > I'm not able to reproduce such a validation failure with 9.9.11: At the moment the latest patched version of bind available for Cen

Re: dnssec validation issue

2017-08-30 Thread Mukund Sivaraman
Hi Ganga On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote: > With dnssec-validation turned on, resolving sites like www.icann.org > fails. The alternative is to remove validation > which of course is not the desired solution. Are you able to reproduce the

Re: dnssec validation issue

2017-08-30 Thread Stephane Bortzmeyer
On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote a message of 677 lines which said: > # dig @localhost www.icann.org A +dnssec When you suspect a DNSSEC issue, always retry dig with +cd (Checking Disabled). And post the result.

Re: dnssec validation issue

2017-08-30 Thread Tony Finch
Ganga R. Dhungyel wrote: > > **debug log > > 23-Aug-2017 16:17:57.567 dnssec: debug 3: > validating @0x7f3ffc96e4d0: www.vip.icann.org A: > attempting insecurity proof > > With dnssec-validation turned on, resolving sites like www.icann.org fails. I think that line in the debug log in

Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Dennis Clarke
On 10/12/16 15:07, Evan Hunt wrote: On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote: On 10/12/16 13:36, Evan Hunt wrote: I recommend using "delv" instead. "dig +sigchase" isn't good code. ? well that is news to me :-\ It's code that was contributed over ten years ago; we put

Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Evan Hunt
On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote: > On 10/12/16 13:36, Evan Hunt wrote: > > I recommend using "delv" instead. "dig +sigchase" isn't good code. > > ? well that is news to me :-\ It's code that was contributed over ten years ago; we put it into dig (hidden behind #ifd

Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Dennis Clarke
On 10/12/16 13:36, Evan Hunt wrote: On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote: Was trying to run dig commands to do some dnssec validation and got the following message " "Invalid option: +sigchase" I recommend using "delv" instead. "dig +sigchase" isn't goo

Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Evan Hunt
On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote: > Was trying to run dig commands to do some dnssec validation and got the > following message " > > "Invalid option: +sigchase" I recommend using "delv" instead. "dig +sigchase" isn't good code. I expect we'll be removi

Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Dennis Clarke
On 10/12/16 11:40, Bhangui, Sandeep - BLS CTR wrote: Hi Running ISC Bind 9.10.4-P2 will be soon moving to 9.10.4-P3. Was trying to run dig commands to do some dnssec validation and got the following message " "Invalid option: +sigchase" When checked found that the dig utility has to be compi

Re: DNSSEC validation failures for www.hrsa.gov

2016-06-25 Thread Mark Andrews
In message , Jay Ford writes: > On Sat, 25 Jun 2016, Mark Andrews wrote: > > The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant. > > They are returning FORMERR to queries with EDNS options. Unknown > > EDNS options are supposed to be ignored (RFC 6891). > > > > You can workaro

Re: Re: DNSSEC validation failures for www.hrsa.gov

2016-06-25 Thread Timothe Litt
On 24-Jun-16 22:13, Jay Ford wrote: > On Sat, 25 Jun 2016, Mark Andrews wrote: >> The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant. >> They are returning FORMERR to queries with EDNS options. Unknown >> EDNS options are supposed to be ignored (RFC 6891). >> >> You can workaro

Re: DNSSEC validation failures for www.hrsa.gov

2016-06-24 Thread Jay Ford
On Sat, 25 Jun 2016, Mark Andrews wrote: The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant. They are returning FORMERR to queries with EDNS options. Unknown EDNS options are supposed to be ignored (RFC 6891). You can workaround this with a server clause to disable sending th

Re: DNSSEC validation failures for www.hrsa.gov

2016-06-24 Thread Mark Andrews
The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant. They are returning FORMERR to queries with EDNS options. Unknown EDNS options are supposed to be ignored (RFC 6891). You can workaround this with a server clause to disable sending the cookie option with a server clause. ser

Re: DNSSEC validation on 9.7.4 not working

2015-06-24 Thread Alan Clegg
Andrews [mailto:ma...@isc.org] > Sent: Tuesday, June 23, 2015 11:03 PM > To: Frank Bulk > Cc: bind-us...@isc.org > Subject: Re: DNSSEC validation on 9.7.4 not working > > > I suspect that the DNSKEY record for the root will be marked as a > 'answer' rather tha

RE: DNSSEC validation on 9.7.4 not working

2015-06-24 Thread frnkblk
iginal Message- From: Mark Andrews [mailto:ma...@isc.org] Sent: Tuesday, June 23, 2015 11:03 PM To: Frank Bulk Cc: bind-us...@isc.org Subject: Re: DNSSEC validation on 9.7.4 not working I suspect that the DNSKEY record for the root will be marked as a 'answer' rather than 'secu

Re: DNSSEC validation on 9.7.4 not working

2015-06-23 Thread Mark Andrews
ER: 127.0.0.1#53(127.0.0.1) > ;; WHEN: Tue Jun 23 22:41:31 2015 > ;; MSG SIZE rcvd: 883 > > root@nagios:/etc/bind# date -u > Wed Jun 24 03:41:52 UTC 2015 > root@nagios:/etc/bind# > > Frank > > -Original Message- > From: Mark Andrews [mailto:ma...@isc.org]

RE: DNSSEC validation on 9.7.4 not working

2015-06-23 Thread Frank Bulk
@nagios:/etc/bind# Frank -Original Message- From: Mark Andrews [mailto:ma...@isc.org] Sent: Tuesday, June 23, 2015 10:31 PM To: Frank Bulk Cc: bind-us...@isc.org Subject: Re: DNSSEC validation on 9.7.4 not working Should have asked for +dnssec on those queries. Also "date -u"

Re: DNSSEC validation on 9.7.4 not working

2015-06-23 Thread Mark Andrews
> wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu > MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj > > ;; Query time: 0 msec > ;; SERVER: 127.0.0.1#53(127.0.0.1) > ;; WHEN: Tue Jun 23 22:17:59 2015 > ;; MSG SIZE rcvd: 586 > > > Frank >

RE: DNSSEC validation on 9.7.4 not working

2015-06-23 Thread Frank Bulk
7.0.0.1) ;; WHEN: Tue Jun 23 22:17:59 2015 ;; MSG SIZE rcvd: 586 Frank -Original Message- From: Mark Andrews [mailto:ma...@isc.org] Sent: Tuesday, June 23, 2015 10:11 PM To: Frank Bulk Cc: bind-us...@isc.org Subject: Re: DNSSEC validation on 9.7.4 not working In message <003d01d0

Re: DNSSEC validation on 9.7.4 not working

2015-06-23 Thread Mark Andrews
In message <003d01d0ae24$682fc080$388f4180$@iname.com>, "Frank Bulk" writes: > I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC > validation. > > I'm using the excellent guides at > http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide- > for-recursiv

Re: dnssec validation issue

2015-06-19 Thread Carl Byington
On Fri, 2015-06-19 at 05:58 +, Eray Aslan wrote: > With the root zone and most TLDs signed, I do not think it makes sense > to use DLV anymore. While a typical DNSSEC resolver configuration has > DLV enabled, I personally make the effort to disabl

Re: dnssec validation issue

2015-06-19 Thread Jaap Akkerhuis
Eray Aslan writes: > On Thu, Jun 18, 2015 at 07:26:28PM -0700, Carl Byington wrote: > > On Fri, 2015-06-19 at 11:10 +1000, Mark Andrews wrote: > > > To use the keys in "/etc/named.iscdlv.key" set "dnssec-validation > > > auto;" > > New centos rpms at http://www.five-ten-sg.com/mapper/bind wi

Re: dnssec validation issue

2015-06-18 Thread Eray Aslan
On Thu, Jun 18, 2015 at 07:26:28PM -0700, Carl Byington wrote: > On Fri, 2015-06-19 at 11:10 +1000, Mark Andrews wrote: > > To use the keys in "/etc/named.iscdlv.key" set "dnssec-validation > > auto;" > New centos rpms at http://www.five-ten-sg.com/mapper/bind with a default > named.conf that shoul

Re: dnssec validation issue

2015-06-18 Thread Carl Byington
On Fri, 2015-06-19 at 11:10 +1000, Mark Andrews wrote: > You don't have any trust anchors active. > To use the keys in "/etc/named.iscdlv.key" set "dnssec-validation > auto;" Thanks!! New centos rpms at http://www.five-ten-sg.com/mapper/bind with a

Re: dnssec validation issue

2015-06-18 Thread Mark Andrews
In message <1434674101.18744.119.ca...@ns.five-ten-sg.com>, Carl Byington writes: > I have multiple centos6 boxes running 9.10.2-P1, and almost everything > looks good. However, one box seems to not be doing dnssec validation. It > is possible

Re: dnssec validation, managed keys, and chaos view

2011-02-28 Thread Evan Hunt
> even with dnssec-lookaside auto; only in the non-chaos view stanzas, it > seems to still want to do something relating to the chaos view: Ah well, thanks for checking. Turns out managed keys cross-link between the views incorrectly. There's a fix in review, I'll send you a patch later today.

Re: dnssec validation, managed keys, and chaos view

2011-02-28 Thread b...@bitrate.net
On 2011.02.28 00.20, Evan Hunt wrote: if i comment out dnssec-lookaside, or the chaos view, things seem to work ok. i'm wondering what i can do to further diagnose what is happening. below is my configuration, with the (presumably) uninteresting bits removed. i'm using 9.7.1, courtesy of ubuntu

Re: dnssec validation, managed keys, and chaos view

2011-02-27 Thread Evan Hunt
> if i comment out dnssec-lookaside, or the chaos view, things seem to work > ok. i'm wondering what i can do to further diagnose what is happening. > below is my configuration, with the (presumably) uninteresting bits > removed. i'm using 9.7.1, courtesy of ubuntu 10.10. Try putting "dnssec-loo

Re: DNSSEC validation on combined auth+recursive server

2011-01-06 Thread Eivind Olsen
(Resending it here, didn't mean to reply just to you Alan) > On 1/6/2011 3:38 AM, Eivind Olsen wrote: >> (Yes, I know it's best practice to combine the authoritative + recursive >> functionality) > [...] it's NOT best [...] Yep, I knew that. Embarrassing of me to miss that slightly important "NOT"

Re: DNSSEC validation on combined auth+recursive server

2011-01-06 Thread Alan Clegg
On 1/6/2011 3:38 AM, Eivind Olsen wrote: > I seem to remember seeing something about DNSSEC validation not working > when a BIND server is used both to serve the DNSSEC signed zone > authoritatively, and as a resolver? Unfortunately, I haven't managed to > find this information again, and now I'm

Re: DNSSEC validation on combined auth+recursive server

2011-01-06 Thread Mark Andrews
match-recursive is your friend. In message , "Eivind Olsen" writes: > Hello. > > I seem to remember seeing something about DNSSEC validation not working > when a BIND server is used both to serve the DNSSEC signed zone > authoritatively, and as a resolver? Unfortunately, I haven't manag

Re: DNSSEC validation on combined auth+recursive server

2011-01-06 Thread Marc Lampo
Hello, > I seem to remember seeing something about DNSSEC validation not working > when a BIND server is used both to serve the DNSSEC signed zone > authoritatively, and as a resolver? Unfortunately, I haven't managed to > find this information again, and now I'm wondering if it was all in my > he

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Mark Andrews
In message <200911252202.napm2asg000...@drugs.dv.isc.org>, Mark Andrews writes: > > Or one could use DLV to provide the trust linkage. > > dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 1 > 11A4026F4E09B1C106AAF3AC81A37AA537B8A3E6 > dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Mark Andrews
Or one could use DLV to provide the trust linkage. dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 1 11A4026F4E09B1C106AAF3AC81A37AA537B8A3E6 dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 2 6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71 A476E282 -- Mark Andrews, IS

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Alan Clegg
Hanno Böck wrote: Am Mittwoch 25 November 2009 schrieb Alan Clegg: There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you. Ok, that explains it. Are there any example domains with known-broken

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Hanno Böck
Am Mittwoch 25 November 2009 schrieb Alan Clegg: > There is no DS record for dnssec-tools.org in .org (chain of trust is > broken), so you can't validate the response -- thus the data being > passed back to you. Ok, that explains it. Are there any example domains with known-broken dnssec records

Re: DNSSEC validation works with DLV, but not with just trusted-key

2009-11-25 Thread Alan Clegg
Hanno Böck wrote: dig baddata-A.test.dnssec-tools.org @localhost There is no DS record for dnssec-tools.org in .org (chain of trust is broken), so you can't validate the response -- thus the data being passed back to you. AlanC