Re: [opennic-discuss] DNSSEC validation forced off?


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] DNSSEC validation forced off?
  • Date: Tue, 06 Dec 2016 08:52:26 -0700
  • Authentication-results: mx5.sourpuss.net; dmarc=none header.from=sourpuss.net
  • Dmarc-filter: OpenDMARC Filter v1.3.0 mx5.sourpuss.net CB04A2D4B2

I'd be curious what experience others have had with this, or if anyone knows enough about DNSSEC to provide answers as to why this might be happening. In my own case, I run BIND 9.9.5 on Debian, and have never seen any such error messages. My config contains these lines...

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Is there a portion of the KSK or ZSK that is supposed to be made public? I thought the public portions of the keys were contained within the DNSKEY and RRSIG records of the signed root zone?


On 12/06/2016 06:48 AM, Famicoman wrote:
Hey all,

Long-time subscriber just setting up my first tier 2 server using BIND 9.9.5. I followed the wiki on using the root hints method and found that I had to change dnssec-validation to no instead of the default auto in my named.conf.options file to be able to ping opennic.glue.

If I left it on auto, I would get the following lines in my syslog and ping would report an unknown host:

Dec  6 14:16:11 arsgang named[24432]:     validating @0x7f78686561f0: opennic.glue DS: bad cache hit (./DNSKEY)
Dec  6 14:16:11 arsgang named[24432]: error (broken trust chain) resolving 'opennic.glue/A/IN': 188.226.146.136#53

I read in the list archive that DNSSEC is supported now on servers, but I'm under the impression I need to specify some key files, and their generation is a bit over my head. Is this accurate? If anyone more knowledgeable than me can chime in (or if I should even worry about this) I can update the wiki with these steps.

Thanks,
Mike.
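As an added example (not part of either message in this thread), here is a small Python parser that picks DNSSEC validation failures out of named syslog lines like the ones Mike quoted, so a resolver operator can see which names and which upstream servers the validator is rejecting before deciding whether to touch dnssec-validation at all. The two quoted log lines are used as they appear above; the remaining sample lines are constructed for illustration, and the set of resolver-error reasons treated as DNSSEC-related is a working assumption, not a complete list taken from BIND's sources.

```python
"""Pick DNSSEC validation failures out of BIND (named) syslog output."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Syslog prefix as rsyslog writes it for named: "Dec  6 14:16:11 host named[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"named\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)
# Resolver error: "error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>"
RESOLVE_ERR_RE = re.compile(
    r"^error \((?P<reason>[^)]*)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rrtype>[^/']+)/(?P<cls>[^']+)': (?P<server>\S+)#(?P<port>\d+)$"
)
# Validator trace: "validating @0x...: <name> <type>: <detail>"
VALIDATING_RE = re.compile(
    r"^validating @0x[0-9a-fA-F]+: (?P<name>\S+) (?P<rrtype>\S+): (?P<detail>.+)$"
)

# Assumption: these resolver-error reasons point at DNSSEC rather than at reachability
# problems such as "timed out".  Extend as needed for your BIND version.
DNSSEC_REASONS = {
    "broken trust chain",
    "no valid RRSIG",
    "no valid DS",
    "no valid KEY",
    "insecurity proof failed",
}


@dataclass
class ValidationFailure:
    timestamp: str
    name: str
    rrtype: str
    reason: str
    server: Optional[str] = None  # upstream that answered, when the log line names one


def classify(line: str) -> Optional[ValidationFailure]:
    """Return a ValidationFailure for a DNSSEC-related named log line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg").strip()

    err = RESOLVE_ERR_RE.match(msg)
    if err and err.group("reason") in DNSSEC_REASONS:
        return ValidationFailure(
            m.group("ts"), err.group("name"), err.group("rrtype"),
            err.group("reason"), f"{err.group('server')}#{err.group('port')}",
        )

    val = VALIDATING_RE.match(msg)
    if val:
        return ValidationFailure(m.group("ts"), val.group("name"),
                                 val.group("rrtype"), val.group("detail"))
    return None


def find_failures(log_text: str) -> list[ValidationFailure]:
    """Scan a block of syslog text and return every DNSSEC-related failure, in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


def names_with_broken_chain(failures: list[ValidationFailure]) -> list[str]:
    """Names for which the validator reported a broken trust chain (deduplicated)."""
    return sorted({f.name for f in failures if f.reason == "broken trust chain"})


# Sample input.  Lines 1 and 2 are the ones quoted in the thread; lines 3-5 are constructed.
SAMPLE_LOG = """\
Dec  6 14:16:11 arsgang named[24432]:     validating @0x7f78686561f0: opennic.glue DS: bad cache hit (./DNSKEY)
Dec  6 14:16:11 arsgang named[24432]: error (broken trust chain) resolving 'opennic.glue/A/IN': 188.226.146.136#53
Dec  6 14:16:12 arsgang named[24432]: client 127.0.0.1#40321: query: opennic.glue IN A + (127.0.0.1)
Dec  6 14:17:03 arsgang named[24432]: error (no valid RRSIG) resolving 'example.invalid/DNSKEY/IN': 192.0.2.53#53
Dec  6 14:17:09 arsgang named[24432]: error (timed out) resolving 'example.net/A/IN': 192.0.2.1#53
"""

if __name__ == "__main__":
    for f in find_failures(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.name}/{f.rrtype}  {f.reason}  via {f.server or '-'}")
    print("broken trust chain for:", names_with_broken_chain(find_failures(SAMPLE_LOG)))
```

The "broken trust chain" line names the upstream server whose answer failed validation, so grouping failures by name and server shows whether one zone is misconfigured or whether every name under the alternate root fails, which is the case to expect when the resolver's only trust anchor is the built-in ICANN root key and the root it is actually querying is signed with a different one. Ordinary "timed out" resolver errors are deliberately left out so they are not mistaken for DNSSEC problems.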






