Hi all,

I am struggling with weird behaviour of bind9 acting as a validating resolver when querying DNSSEC-enabled domains that are using DLV. My registrar is still unable to sign DS records.

Everything works fine if only the "dnssec-lookaside auto" option is set in the resolver's named.conf.options file. When running "dig +dnssec domain.tld", I get a correct answer with the "ad" flag set. But after enabling "dnssec-must-be-secure domain.tld", the lookup fails with lots of error messages in the log saying DNSKEY lookup failed for domain.tld.

Then I added the domain.tld's key (the KSK) into the named.conf.options file, in a "trusted-keys" section. Then the lookups succeed again, with the "ad" flag set.

I wonder what happens here. Can it be the case that DLV generally works, but not for domains listed in "dnssec-must-be-secure" statements?

I am running bind 9.8.4 on Debian.

Cheers,
Robert

--
Robert Senger <robert.sen...@microscopium.de>
PGP/GPG Public Key ID: 24E78B5E
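For readers who want to reproduce the setup described in the post, here is an added named.conf.options sketch of the three pieces involved (DLV lookaside, the must-be-secure statement, and the explicit trust anchor); this is illustration written for this page, not the poster's file. The dnssec-enable/dnssec-validation lines are the usual defaults that the post does not mention, domain.tld stands in for the real zone, and the algorithm number and key material are placeholders.

```conf
// Added illustration of the resolver configuration the post describes.
// domain.tld, algorithm number and key material are placeholders.
options {
    // ... other options ...

    // Standard DNSSEC validation settings (assumed; not stated in the post).
    dnssec-enable yes;
    dnssec-validation yes;

    // Use ISC's DLV registry (dlv.isc.org) as a lookaside trust anchor
    // for zones that have no DS record in the parent. Per the post, with
    // only this line set, "dig +dnssec domain.tld" returns the "ad" flag.
    dnssec-lookaside auto;

    // Demand that this name validate; an answer that cannot be proven
    // secure is rejected instead of being returned as insecure. Per the
    // post, adding this line alone caused "DNSKEY lookup failed" for
    // domain.tld.
    dnssec-must-be-secure domain.tld yes;
};

// Explicit trust anchor for the zone's KSK (flags 257, protocol 3).
// Per the post, with this present the lookups succeed again with "ad".
trusted-keys {
    "domain.tld" 257 3 8 "<base64 KSK public key - PLACEHOLDER>";
};
```

After reloading, the check the post already uses applies: run "dig +dnssec domain.tld" against the resolver and confirm that the flags line contains "ad" rather than a SERVFAIL status, and watch the named log for DNSKEY lookup errors.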
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list