Discuss mailing list

[Famicoman <famicoman AT gmail.com>]

Hi Jeff,

I also run debian (jessie) and modified my config to contain your lines in regards to anything dnssec-related. Pasted in, bind appears to be functioning as expected.

Apparantly look-aside validation removes the necessity for manual key management on individual DNS servers by trusting a resolver upstream. Look-aside will apparantly be discontinued at some point, but will keep working for now (https://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html)

On Dec 6, 2016 10:52 AM, "Jeff Taylor" <shdwdrgn AT sourpuss.net> wrote:

I'd be curious what experience others have had with this, or if anyone knows enough about DNSSEC to provide answers as to why this might be happening.  In my own case, I run Bind 9.9.5 on debian, and have never seen any such error messages.  My config contains these lines...

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Is there a portion of the KSK or ZSK that is supposed to be made public?  I thought the public portions of the keys were contained within the DNSKEY and RRSIG records of the signed root zone?

--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org