[nSLUG] DNSSEC configuration

D G Teed donald.teed at gmail.com
Wed Dec 17 10:13:07 AST 2014


The Google DNS servers (e.g. 8.8.8.8) do support DNSSEC, and the
dig tests perform as expected there.

dig whitehouse.gov +dnssec @8.8.8.8

shows flags with qr rd ra ad (ad is the one I'm looking for)

Also, dig badsign-a.test.dnssec-tools.org +dnssec @8.8.8.8

does not give a result because the signing is bad....

=========================================================

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> badsign-a.test.dnssec-tools.org
+dnssec @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47495
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;badsign-a.test.dnssec-tools.org. IN    A

=========================================================

This clearly points to the DNS/bind configuration being the root
issue.  All the docs I find say it is enabled by using:

        dnssec-enable yes;
        dnssec-validation yes;

in the bind options, preferably referencing the bind keys
file for the root iscdlv key.  This is not enough to make it work
with bind 9.8.4 on Debian or 9.8.2 on Redhat.

Also tried out the DNS servers of Bell Aliant in my resolv.conf
and they do not support the test.  I thought maybe
someone on the list had implemented the name service
caching end of this and might know the tricks already.
I believed I did have it configured and working until
I tried the tests suggested by the dnssec-tools.org folks.
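An offline way to script the two checks the post describes (the ad flag on a correctly signed name, SERVFAIL on the badly signed one), as an added example that is not part of the original post: the dig output samples are constructed, and check_live is an assumed wrapper that needs network access and dig.

```shell
# Classify a resolver as DNSSEC-validating from the two dig checks above:
#   1. a correctly signed name must come back with the "ad" flag set
#   2. a deliberately badly signed name must come back SERVFAIL
# The functions take dig output as text so they can be tested offline.

# Extract the status (NOERROR, SERVFAIL, ...) from the ";; ->>HEADER<<-" line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Extract the flag list ("qr rd ra ad") from the ";; flags:" line.
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# Return 0 if the authenticated-data (ad) flag is present.
dig_has_ad() {
    case " $(dig_flags "$1") " in *" ad "*) return 0 ;; *) return 1 ;; esac
}

# Arguments: dig output for the good name, dig output for the badsign name.
# Prints validating / not-validating / inconsistent (ad set, but bad
# signature still answered instead of SERVFAIL, e.g. a non-validating
# forwarder in front of a validating one).
classify_resolver() {
    if ! dig_has_ad "$1"; then
        echo not-validating
    elif [ "$(dig_status "$2")" = SERVFAIL ]; then
        echo validating
    else
        echo inconsistent
    fi
}

# Live check (assumed wrapper; needs network). Names are the ones from the post.
check_live() {
    classify_resolver "$(dig whitehouse.gov +dnssec @"${1:-8.8.8.8}")" \
                      "$(dig badsign-a.test.dnssec-tools.org +dnssec @"${1:-8.8.8.8}")"
}

# Constructed sample outputs (only the header and flags lines matter).
GOOD_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
BAD_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47495
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
NOVAL_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

classify_resolver "$GOOD_SAMPLE" "$BAD_SAMPLE"   # prints "validating"
```

Run check_live with your resolver's address to apply the same classification to real answers.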