[nSLUG] DNSSEC configuration

D G Teed donald.teed at gmail.com
Tue Dec 16 12:48:54 AST 2014


I'm looking into DNSSEC now that CIRA supports it.  I thought I had
the client look-ups supporting this, but now I see the dig results don't
jibe with that.  Tried the usual setup at home on Debian like so:

/etc/bind/named.conf.options:

options {
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/bind/bind.keys";
...
}

Yet this test doesn't show the ad flag:

=========================================================
# dig +dnssec whitehouse.gov

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +dnssec whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44136
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;whitehouse.gov.                        IN      A

;; ANSWER SECTION:
whitehouse.gov.         20      IN      A       184.84.160.110
whitehouse.gov.         20      IN      RRSIG   A 7 2 20 20141219110051
20141216100051 17246 whitehouse.gov.
A7hREBrqjrdFVQ6UiJsImDxOKwf95Xx6jWT/x3PgQHMh47TTDo4CP6oq
yvxx72aBwsRFqsuy+8vOLTZ6BeBaZDEoq3kNSmk0ezCxzxB0fxczyJ6J
sj+7BswKy1TQGASKSfBpA5mpyXxaJdYsDpfZ9k0JBC92iVgh4h57cGqB 2nM=

;; AUTHORITY SECTION:
whitehouse.gov.         86000   IN      NS      use6.akam.net.
whitehouse.gov.         86000   IN      NS      ns1-176.akam.net.
whitehouse.gov.         86000   IN      NS      asia9.akam.net.
whitehouse.gov.         86000   IN      NS      zc.akam.net.
whitehouse.gov.         86000   IN      NS      usw1.akam.net.
whitehouse.gov.         86000   IN      NS      ns1-145.akam.net.

;; Query time: 282 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Tue Dec 16 11:39:32 2014
;; MSG SIZE  rcvd: 360
=========================================================

And this test goes through without failing:

=========================================================
dig badsign-a.test.dnssec-tools.org +dnssec

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> badsign-a.test.dnssec-tools.org
+dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32924
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;badsign-a.test.dnssec-tools.org. IN    A

;; ANSWER SECTION:
badsign-a.test.dnssec-tools.org. 86379 IN A     69.163.146.191
badsign-a.test.dnssec-tools.org. 86379 IN RRSIG A 5 4 86400 20150109054254
20141210044254 19442 test.dnssec-tools.org.
B1MGrhDRytcRAMy0lJpVBYiqunBIJsOV502S2m3QVp2ukZTEWJcNgeC8
dbyL8MhiZrEjsa7ndloRQJWZa6xJ9hEA1NFm68tTfw2SYfuHJH65HbHf
LQJLtukkBY33YePiJ5w2trmgfbEpfuAvxahRladYmu4MqRwKVFlk9MDF rJ4=

;; Query time: 0 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Tue Dec 16 11:40:51 2014
;; MSG SIZE  rcvd: 257

=========================================================

This second test is supposed to fail according to the dnssec-tools.org
troubleshooting guide.

Is the documentation I'm finding out of date or have I missed a piece?
It has the scent of something very simple being missed.
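The two checks the post relies on (a validly signed name must come back with the `ad` flag, and a deliberately bad-signature name must SERVFAIL instead of answering) can be applied to raw dig output mechanically. The following is an added example, not code from the post or from the BIND or dnssec-tools projects; `parse_dig` and `resolver_validates` are names chosen here, and the sample outputs are constructed to match the shape of the headers shown above.

```python
"""Classify a resolver's DNSSEC validation state from dig output.

Added example (not part of the original mailing-list post). It parses the
two header lines dig prints (";; ->>HEADER<<- ... status: X" and
";; flags: ...") and applies the post's two checks: a signed name should
come back with the 'ad' flag, and a bad-signature test name should fail
with SERVFAIL rather than answer NOERROR.
"""
import re

HEADER_RE = re.compile(r"^;; ->>HEADER<<- .*status: (\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def parse_dig(output):
    """Return (status, set_of_flags) from the text dig prints."""
    status = HEADER_RE.search(output)
    flags = FLAGS_RE.search(output)
    if not status:
        raise ValueError("no dig header found")
    flagset = set(flags.group(1).split()) if flags else set()
    return status.group(1), flagset


def resolver_validates(signed_output, badsign_output):
    """True only if both checks pass: 'ad' on a correctly signed name and
    SERVFAIL (without 'ad') on a name whose signature is broken."""
    signed_status, signed_flags = parse_dig(signed_output)
    bad_status, bad_flags = parse_dig(badsign_output)
    signed_ok = signed_status == "NOERROR" and "ad" in signed_flags
    bad_ok = bad_status == "SERVFAIL" and "ad" not in bad_flags
    return signed_ok and bad_ok


# Constructed samples shaped like the post's output (resolver not validating).
NOT_VALIDATING_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44136
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1
"""
NOT_VALIDATING_BAD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32924
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed samples of what a validating resolver prints for the same queries.
VALIDATING_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
VALIDATING_BAD = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print("post's resolver validates:", resolver_validates(NOT_VALIDATING_SIGNED, NOT_VALIDATING_BAD))
    print("validating resolver:", resolver_validates(VALIDATING_SIGNED, VALIDATING_BAD))
```

Feed it the raw output of the two dig queries from the post run against the resolver in question; only when both checks pass is the resolver actually validating, since an answer carrying an RRSIG but no `ad` flag has merely been passed through unverified.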