In message <512fb319.7030...@htt-consult.com>, Robert Moskowitz writes:
> I MAY be doing something wrong, or my problem is elsewhere...
>
> In zone htt. I have the DNSKEY RR:
>
> htt. IN DNSKEY 257 3 7
> AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi
> NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP
> qS0pFDZ/Hpp25qTrKIUjcqvxgECP1ArXa7yyE7/xWzQjH9nk5gEnad6w
> Gy41lRnv3/UPtkxw669V2Ikb1NLAB5XnAzpTc4Tm7QPRPtbN8+FKWyYW
> Ie9/nYKf67vSrlwbxRFbb27GeEmnrqMtsLkSFP1zDoUbmgJs3yiVjFCD
> 8hRYlbOA9lgAMbOGm4tNsLOFx0vyBZEVtdh4l/YDAaklygtR+f60271X
> DHWaC4U/VYrHRidg2krM+UpPhjqn3aPJFIyyKEEE66cMSlf7ROL71w==
>
> So in my caching server's named.conf I added at the end:
>
> include "/etc/named.trusted.key";
>
> and this contains:
>
> trusted-keys {
>
> # DNSKEY for htt zone.
>
> htt. 257 3 7
> "AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi
> NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP
> qS0pFDZ/Hpp25qTrKIUjcqvxgECP1ArXa7yyE7/xWzQjH9nk5gEnad6w
> Gy41lRnv3/UPtkxw669V2Ikb1NLAB5XnAzpTc4Tm7QPRPtbN8+FKWyYW
> Ie9/nYKf67vSrlwbxRFbb27GeEmnrqMtsLkSFP1zDoUbmgJs3yiVjFCD
> 8hRYlbOA9lgAMbOGm4tNsLOFx0vyBZEVtdh4l/YDAaklygtR+f60271X
> DHWaC4U/VYrHRidg2krM+UpPhjqn3aPJFIyyKEEE66cMSlf7ROL71w==";
>
> };
>
> And I am still getting:
>
> Feb 28 14:35:17 klovia named[24806]: validating @0xb4855220: htt SOA:
> got insecure response; parent indicates it should be secure
The forwarders are not DNSSEC enabled. "parent" here means named.conf.

From the recursive server run

	dig @forwarder +dnssec htt soa

This should work and have RRSIG records. Do some other queries also with +dnssec. Negative responses should have NSEC/NSEC3 records if they are coming from a signed zone.

> The log for starting named does have:
>
> Feb 28 14:35:00 klovia named[24806]: managed-keys-zone ./IN: loaded
> serial 103

managed-keys in named.conf are just the initial keys used as the starting point for RFC 5011 style trusted key management. The runtime keys are pulled from a separate database. That message says that the serial number for that database is 103.

> but nothing about trusted-keys loaded. In the
> http://www.isc.org/software/bind/documentation/arm95 it shows the
> trusted-keys clause before the global options. Does order matter; it
> seems to for ACLs? Is there something else I am missing?
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
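The check Mark describes above (query the forwarder with +dnssec, look for RRSIG on a positive answer and NSEC/NSEC3 on a negative one), written out as an added shell example that is not part of the thread or of BIND. It summarises a `dig +dnssec` response by rcode, presence of RRSIG, presence of NSEC/NSEC3, and the AD flag, so the "stripped" case (a forwarder that is not DNSSEC enabled and drops the signatures) is distinguishable from a signed answer. The three sample responses, the key tag 4242 and the forwarder address 192.0.2.53 are constructed for the demo; only the `check_forwarder` function talks to the network.

```shell
#!/bin/sh
# Added example: classify dig +dnssec output the way Mark's diagnosis needs.

# classify_dig_output: read the output of `dig +dnssec ...` on stdin and
# print one line:  status=<rcode> rrsig=<yes|no> nsec=<yes|no> ad=<yes|no>
#   rrsig=no on a positive answer from a signed zone  -> forwarder strips DNSSEC
#   nsec=no  on a negative answer from a signed zone  -> same problem
#   ad=yes only if the server queried validated the answer itself
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  [ -n "$status" ] || status=UNKNOWN
  rrsig=no; nsec=no; ad=no
  printf '%s\n' "$out" | grep -q  '[[:space:]]RRSIG[[:space:]]'           && rrsig=yes
  printf '%s\n' "$out" | grep -Eq '[[:space:]]NSEC3?[[:space:]]'          && nsec=yes
  printf '%s\n' "$out" | grep -q  '^;; flags:.*[[:space:]]ad[;[:space:]]' && ad=yes
  echo "status=$status rrsig=$rrsig nsec=$nsec ad=$ad"
}

# check_forwarder <forwarder-ip> <zone>: the two live queries Mark suggests,
# a positive (SOA) and a negative (nonexistent name). Network required.
check_forwarder() {
  fwd=$1; zone=$2
  printf 'SOA query:      '
  dig @"$fwd" +dnssec +noall +comments +answer +authority "$zone" SOA | classify_dig_output
  printf 'NXDOMAIN query: '
  dig @"$fwd" +dnssec +noall +comments +answer +authority "does-not-exist.$zone" A | classify_dig_output
}

# Constructed dig output (not captured from a real server), shaped like
# `dig +dnssec +noall +comments +answer +authority`.
sample_signed_soa() {          # validated, signed answer: what you want to see
  printf '%s\n' \
    ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242' \
    ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1' \
    ';; ANSWER SECTION:' \
    'htt.  3600 IN SOA   ns.htt. hostmaster.htt. 2013022801 3600 900 1209600 3600' \
    'htt.  3600 IN RRSIG SOA 7 1 3600 20130330000000 20130228000000 4242 htt. (signature)'
}
sample_stripped_soa() {        # forwarder not DNSSEC enabled: RRSIG gone, no ad
  printf '%s\n' \
    ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243' \
    ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1' \
    ';; ANSWER SECTION:' \
    'htt.  3600 IN SOA   ns.htt. hostmaster.htt. 2013022801 3600 900 1209600 3600'
}
sample_signed_nxdomain() {     # negative answer with NSEC3 proof of nonexistence
  printf '%s\n' \
    ';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4244' \
    ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1' \
    ';; AUTHORITY SECTION:' \
    'htt.  3600 IN SOA   ns.htt. hostmaster.htt. 2013022801 3600 900 1209600 3600' \
    'htt.  3600 IN RRSIG SOA 7 1 3600 20130330000000 20130228000000 4242 htt. (signature)' \
    'abc.htt.  3600 IN NSEC3 1 0 10 aabbccdd def A RRSIG' \
    'abc.htt.  3600 IN RRSIG NSEC3 7 2 3600 20130330000000 20130228000000 4242 htt. (signature)'
}

# Demo on the constructed samples; pass a forwarder and zone to query for real:
#   sh check-forwarder.sh 192.0.2.53 htt.
if [ $# -eq 2 ]; then
  check_forwarder "$1" "$2"
else
  for s in sample_signed_soa sample_stripped_soa sample_signed_nxdomain; do
    printf '%-22s ' "$s:"; $s | classify_dig_output
  done
fi
```

A forwarder that answers the SOA query with `rrsig=no` is the case Mark is pointing at: the zone is signed and the parent (here named.conf's trusted-keys) says it should be secure, but nothing the recursor gets back from the forwarder carries signatures, so validation can only fail with "got insecure response". `ad=yes` is a bonus, not a requirement: a forwarder may hand back RRSIGs without validating them itself, and the local validator can still do the work.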