
Re: [opennic-discuss] DNSSEC validation forced off?

  • From: Verax <verax AT 8chan.co>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] DNSSEC validation forced off?
  • Date: Tue, 6 Dec 2016 22:04:55 -0500

dnssec-validation needs to be set to 'yes'. Setting it to 'auto' uses
the built-in ICANN keys that bind ships with, and silently overrides any
trusted-keys or managed-keys you have configured for the root.

Lookaside is for DNSSEC-secured domains that are in a non-secured
parent zone. Setting dnssec-lookaside to 'auto' will use the built-in
dlv.isc.org keys, which is probably what you want. I'm not really sure
how important DLV support is.

--Verax

Famicoman wrote:
> Hi Jeff,
>
> I also run debian (jessie) and modified my config to contain your lines
> in regards to anything dnssec-related. Pasted in, bind appears to be
> functioning as expected.
>
> Apparently look-aside validation removes the necessity for manual key
> management on individual DNS servers by trusting a resolver upstream.
> Look-aside will apparently be discontinued at some point, but will keep
> working for now
> (https://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html)
>
> On Dec 6, 2016 10:52 AM, "Jeff Taylor" <shdwdrgn AT sourpuss.net
> <mailto:shdwdrgn AT sourpuss.net>> wrote:
>
> I'd be curious what experience others have had with this, or if
> anyone knows enough about DNSSEC to provide answers as to why this
> might be happening. In my own case, I run Bind 9.9.5 on debian, and
> have never seen any such error messages. My config contains these
> lines...
>
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;
>
> Is there a portion of the KSK or ZSK that is supposed to be made
> public? I thought the public portions of the keys were contained
> within the DNSKEY and RRSIG records of the signed root zone?
>
> --------
> You are a member of the OpenNIC Discuss list.
> You may unsubscribe by emailing
> discuss-unsubscribe AT lists.opennicproject.org
> <mailto:discuss-unsubscribe AT lists.opennicproject.org>

Attachment: signature.asc
Description: OpenPGP digital signature