
discuss - Re: [opennic-discuss] DNSSEC validation forced off?

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Famicoman <famicoman AT gmail.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] DNSSEC validation forced off?
  • Date: Tue, 6 Dec 2016 11:25:29 -0500

Hi Jeff,

I also run debian (jessie) and modified my config to contain your lines in regards to anything dnssec-related. Pasted in, bind appears to be functioning as expected.

Apparently look-aside validation removes the necessity for manual key management on individual DNS servers by trusting a resolver upstream. Look-aside will apparently be discontinued at some point, but will keep working for now (https://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html)

On Dec 6, 2016 10:52 AM, "Jeff Taylor" <shdwdrgn AT sourpuss.net> wrote:
I'd be curious what experience others have had with this, or if anyone knows enough about DNSSEC to provide answers as to why this might be happening.  In my own case, I run Bind 9.9.5 on debian, and have never seen any such error messages.  My config contains these lines...

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Is there a portion of the KSK or ZSK that is supposed to be made public?  I thought the public portions of the keys were contained within the DNSKEY and RRSIG records of the signed root zone?
