
discuss - [opennic-discuss] DNSSEC validation forced off?

discuss AT lists.opennicproject.org

Subject: Discuss mailing list


  • From: Famicoman <famicoman AT gmail.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: [opennic-discuss] DNSSEC validation forced off?
  • Date: Tue, 6 Dec 2016 08:48:55 -0500

Hey all,

Long-time subscriber just setting up my first tier 2 server using bind 9.9.5. I followed the wiki on using the root hints method and found that I had to change dnssec-validation to no instead of the default auto in my named.conf.options file to be able to ping opennic.glue.

If I left it on auto, I would get the following lines in my syslog and ping would report an unknown host:

Dec  6 14:16:11 arsgang named[24432]:     validating @0x7f78686561f0: opennic.glue DS: bad cache hit (./DNSKEY)
Dec  6 14:16:11 arsgang named[24432]: error (broken trust chain) resolving 'opennic.glue/A/IN': 188.226.146.136#53

I read in the list archive that DNSSEC is supported now on servers, but I'm under the impression I need to specify some key files, and their generation is a bit over my head. Is this accurate? If anyone more knowledgeable than me can chime in (or if I should even worry about this) I can update the wiki with these steps.

Thanks,
Mike.


