discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] DNSSEC validation forced off?
- Date: Tue, 06 Dec 2016 08:52:26 -0700
- Authentication-results: mx5.sourpuss.net; dmarc=none header.from=sourpuss.net
- Dmarc-filter: OpenDMARC Filter v1.3.0 mx5.sourpuss.net CB04A2D4B2
I'd be curious what experience others have had with this, or if
anyone knows enough about DNSSEC to provide answers as to why this
might be happening. In my own case, I run Bind 9.9.5 on debian, and
have never seen any such error messages. My config contains these
lines...

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Is there a portion of the KSK or ZSK that is supposed to be made public? I thought the public portions of the keys were contained within the DNSKEY and RRSIG records of the signed root zone?

On 12/06/2016 06:48 AM, Famicoman wrote:
Hey all,
Long-time subscriber just setting up my first
tier 2 server using bind 9.9.5. I followed the wiki on using
the root hints method and found that I had to change
dnssec-validation to no instead of the default auto in my
named.conf.options file to be able to ping opennic.glue.
If I left it on auto, I would get the following
lines in my syslog and ping would report an unknown host,
Dec 6 14:16:11 arsgang named[24432]: validating @0x7f78686561f0: opennic.glue DS: bad cache hit (./DNSKEY)
Dec 6 14:16:11 arsgang named[24432]: error (broken trust chain) resolving 'opennic.glue/A/IN': 188.226.146.136#53
I read in the list archive that DNSSEC is
supported now on servers, but I'm under the impression I
need to specify some key files, and their generation is a
bit over my head. Is this accurate? If anyone more
knowledgeable than me can chime in (or if I should even
worry about this) I can update the wiki with these steps.
Thanks,
Mike.
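
The two syslog lines quoted in this message can be picked out of a resolver's log mechanically. The Python sketch below is an added example, not code from the thread or from the BIND or OpenNIC projects: it groups named's DNSSEC failures by queried name and flags those whose validator message names the root key set (./DNSKEY). The function names are hypothetical, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict

# First two lines are the syslog lines quoted in the thread; the last two are
# constructed (documentation addresses, made-up names) to exercise the parser.
SAMPLE_LOG = """\
Dec 6 14:16:11 arsgang named[24432]: validating @0x7f78686561f0: opennic.glue DS: bad cache hit (./DNSKEY)
Dec 6 14:16:11 arsgang named[24432]: error (broken trust chain) resolving 'opennic.glue/A/IN': 188.226.146.136#53
Dec 6 14:17:02 arsgang named[24432]: error (broken trust chain) resolving 'example.test/AAAA/IN': 192.0.2.53#53
Dec 6 14:17:05 arsgang named[24432]: client 192.0.2.10#40000: query: example.test IN A +
"""
PREFIX = r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+named\[\d+\]:\s+"
# Validator line: "<name> <type>: <reason>", optionally ending "(<owner>/<type>)"
VALIDATING = re.compile(
    PREFIX + r"validating (?:@0x[0-9a-f]+: )?(?P<name>\S+) (?P<rrtype>\S+): "
    r"(?P<reason>.*?)(?: \((?P<blamed>[^()\s]+/[A-Z0-9]+)\))?$")
# Resolver line: "error (<reason>) resolving '<name>/<type>/<class>': <ip>#<port>"
RESOLVING = re.compile(
    PREFIX + r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rrtype>[^/']+)/[^']+': (?P<server>[0-9A-Fa-f.:]+)#\d+$")

def summarize(log_text):
    """Group DNSSEC failures by queried name."""
    keys = ("qtypes", "servers", "reasons", "blamed")
    report = defaultdict(lambda: {k: set() for k in keys})
    for line in log_text.splitlines():
        m = VALIDATING.match(line)
        if m:
            entry = report[m["name"]]
            entry["reasons"].add(m["reason"])
            if m["blamed"]:  # record the validator names in parentheses
                entry["blamed"].add(m["blamed"])
            continue
        m = RESOLVING.match(line)
        if m and m["reason"] == "broken trust chain":
            entry = report[m["name"]]
            entry["qtypes"].add(m["rrtype"])
            entry["servers"].add(m["server"])
            entry["reasons"].add(m["reason"])
    return dict(report)

def root_key_failures(report):
    """Names whose validator message points at the root DNSKEY set."""
    return sorted(n for n, e in report.items() if "./DNSKEY" in e["blamed"])

if __name__ == "__main__":
    for name, entry in summarize(SAMPLE_LOG).items():
        print(name, {k: sorted(v) for k, v in entry.items()})
    print("root DNSKEY named for:", root_key_failures(summarize(SAMPLE_LOG)))
```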