I am trying to use dig to validate DNSSEC results.
When I point dig at my ISP nameserver, it fails claiming
;; RRSIG of DNSKEY is missing to continue validation: FAILED
Same thing when I point dig at Google's public nameservers.
However when I point dig at bind.odvr.dns-oarc.net it works.
So I am attempting to set up a bind caching nameserver on my local LAN that works with DNSSEC and so far, I'm not having any luck - I end up with the same results as trying to use my ISP's or Google's public nameserver.
What am I missing that is needed to run a bind caching nameserver that is actually *truly* DNSSEC aware?
DNSSEC and caching nameserver
- Posts: 49
- Joined: 2014/09/19 19:36:25
Re: DNSSEC and caching nameserver
dig @bind.odvr.dns-oarc.net +topdown +sigchase domblogger.net.
That's the dig command that works. Replace @bind.odvr.dns-oarc.net with @localhost (or Google's public or my ISP) and it fails.
I really would like it to work with localhost, at least until my ISP updates their nameserver.
- Posts: 49
- Joined: 2014/09/19 19:36:25
Re: DNSSEC and caching nameserver
When it fails using local bind:
;; RRSIG of DNSKEY is missing to continue validation: FAILED
I've been through the
/var/named/chroot/etc/named.conf file numerous times and I can't figure out what setting I'm missing for it to do DNSSEC properly and validate a signature.
Clearly it can be done, bind.odvr.dns-oarc.net is doing it.
- Posts: 49
- Joined: 2014/09/19 19:36:25
Re: DNSSEC and caching nameserver
dig @localhost +sigchase +trusted-key=~/root.keys domblogger.net
That works. So it seems for whatever reason, dig isn't able to get the trusted root keys from my local bind.
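The last post is consistent with how dig's +sigchase works: it reads its trust anchor from a local file (per the dig manual, /etc/trusted-key.key or trusted-key.key in the working directory unless +trusted-key= points elsewhere), not from the resolver being queried, so a validating local bind cannot supply it. A less fragile way to confirm that a caching resolver is actually validating is to send an ordinary query with +dnssec and check whether the resolver sets the AD (Authenticated Data) flag in its reply. The script below is an added example, not code from the thread; it assumes the resolver listens on 127.0.0.1, the config lives at /var/named/chroot/etc/named.conf as in the thread, and the sample dig header lines are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the forum thread): check DNSSEC validation through
# the AD flag instead of dig +sigchase, which needs a local trust-anchor file.
# Assumptions: resolver on 127.0.0.1; config at /var/named/chroot/etc/named.conf.

# has_ad_flag: read dig output on stdin; succeed only if the header's
# ";; flags:" line carries "ad", meaning the resolver validated the answer.
has_ad_flag() {
    grep -q '^;; flags:[^;]* ad[ ;]'
}

# has_dnssec_validation: succeed if the named.conf given in $1 turns validation
# on. "dnssec-validation auto" uses BIND's built-in root trust anchor;
# "dnssec-validation yes" additionally needs a managed-keys/trusted-keys block.
has_dnssec_validation() {
    grep -Eq '^[[:space:]]*dnssec-validation[[:space:]]+(auto|yes)[[:space:]]*;' "$1"
}

# check_resolver: query name $2 (default domblogger.net) at resolver $1 with
# +dnssec and report whether the reply was authenticated. Needs dig and network.
check_resolver() {
    resolver=${1:-127.0.0.1}
    name=${2:-domblogger.net}
    if dig "@$resolver" +dnssec +noall +comments "$name" A | has_ad_flag; then
        echo "$resolver validated $name (AD flag set)"
    else
        echo "$resolver answered $name without AD: not validating, or chain broken"
        return 1
    fi
}

# Constructed sample header lines (what dig +comments prints), so the parsing
# can be exercised without network access.
SAMPLE_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# demo_validated / demo_unvalidated: exit 0 / 1 for the two constructed samples.
demo_validated()   { printf '%s\n' "$SAMPLE_VALIDATED"   | has_ad_flag; }
demo_unvalidated() { printf '%s\n' "$SAMPLE_UNVALIDATED" | has_ad_flag; }
```

Usage: `check_resolver 127.0.0.1 domblogger.net` against the local bind, and `has_dnssec_validation /var/named/chroot/etc/named.conf` to confirm the option is present in the chrooted config. A resolver that answers without AD for a signed zone, while bind.odvr.dns-oarc.net answers with it, is not validating; a resolver that returns SERVFAIL for a deliberately broken test zone but AD for a good one is doing its job.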