discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] DNSSEC validation forced off?
- Date: Tue, 06 Dec 2016 08:52:26 -0700
I'd be curious what experience others have had with this, or if
anyone knows enough about DNSSEC to provide answers as to why this
might be happening. In my own case, I run Bind 9.9.5 on debian, and
have never seen any such error messages. My config contains these
lines...

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

Is there a portion of the KSK or ZSK that is supposed to be made public? I thought the public portions of the keys were contained within the DNSKEY and RRSIG records of the signed root zone?

On 12/06/2016 06:48 AM, Famicoman wrote:
> Hey all,
>
> Long-time subscriber just setting up my first
> tier 2 server using bind 9.9.5. I followed the wiki on using
> the root hints method and found that I had to change
> dnssec-validation to no instead of the default auto in my
> named.conf.options file to be able to ping opennic.glue.
>
> If I left it on auto, I would get the following
> lines in my syslog and ping would report an unknown host,
>
>     Dec 6 14:16:11 arsgang named[24432]: validating @0x7f78686561f0: opennic.glue DS: bad cache hit (./DNSKEY)
>     Dec 6 14:16:11 arsgang named[24432]: error (broken trust chain) resolving 'opennic.glue/A/IN': 188.226.146.136#53
>
> I read in the list archive that DNSSEC is
> supported now on servers, but I'm under the impression I
> need to specify some key files, and their generation is a
> bit over my head. Is this accurate? If anyone more
> knowledgeable than me can chime in (or if I should even
> worry about this) I can update the wiki with these steps.
>
> Thanks,
> Mike.
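One way to triage the syslog lines quoted in the message above, as an added example that is not part of the original thread: it pairs each `broken trust chain` resolver error with the validator messages logged by the same named process in the same second, and pulls out the record the validator names in parentheses. The function names are hypothetical, and the patterns assume the BIND 9.9.5 log layout shown in the quoted lines.

```python
import re

# Constructed input: the two syslog lines quoted in the message above,
# each re-joined onto a single line.
SAMPLE_LOG = """\
Dec 6 14:16:11 arsgang named[24432]: validating @0x7f78686561f0: opennic.glue DS: bad cache hit (./DNSKEY)
Dec 6 14:16:11 arsgang named[24432]: error (broken trust chain) resolving 'opennic.glue/A/IN': 188.226.146.136#53
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+named\[(?P<pid>\d+)\]:\s+"
# Validator line: "<name> <type>: <reason> (<owner>/<type>)", parenthesised part optional
VALIDATING = re.compile(
    PREFIX + r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>\S+): "
    r"(?P<reason>.*?)(?: \((?P<culprit>[^()]+)\))?$")
# Resolver line: "error (<reason>) resolving '<qname>/<qtype>/<class>': <server>#<port>"
RESOLVING = re.compile(
    PREFIX + r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^'/]+)/(?P<qtype>[^'/]+)/[^'/]+': (?P<server>[0-9A-Fa-f.:]+)#\d+$")

def covers(owner, qname):
    """True if owner is qname itself or one of its ancestors ('.' covers everything)."""
    owner, qname = owner.rstrip(".").lower(), qname.rstrip(".").lower()
    return owner == "" or qname == owner or qname.endswith("." + owner)

def triage(log_text):
    """Pair each 'broken trust chain' lookup with the validator messages from the
    same named PID and second that concern the queried name or an ancestor."""
    validator, failures = [], []
    for line in log_text.splitlines():
        v, r = VALIDATING.match(line.strip()), RESOLVING.match(line.strip())
        if v:
            validator.append(v.groupdict())
        elif r and r["reason"] == "broken trust chain":
            failures.append(r.groupdict())
    report = []
    for f in failures:
        related = [v for v in validator
                   if (v["ts"], v["pid"]) == (f["ts"], f["pid"]) and covers(v["name"], f["qname"])]
        report.append({
            "query": f"{f['qname']}/{f['qtype']}",
            "error": f["reason"],
            "server": f["server"],
            "validator": [f"{v['name']} {v['rtype']}: {v['reason']}" for v in related],
            # Record sets the validator named in parentheses (here the root DNSKEY set)
            "failed_on": sorted({v["culprit"] for v in related if v["culprit"]}),
        })
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the two quoted lines the report shows the lookup of opennic.glue/A failing on `./DNSKEY`, so the check to make is which root key the resolver trusts rather than anything in the opennic.glue zone itself.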