I have multiple centos6 boxes running 9.10.2-P1, and almost everything looks good. However, one box seems to not be doing dnssec validation. It is possible that this behavior predates the latest updates and I just never noticed it.

A and B have essentially identical configuration, except that A is the master for some zones, and B is the slave pulling from A. Other than that, the /etc/named.conf is identical. A also has ipv6 connectivity, and B does not.

The authoritative side works nicely on both. The recursive resolver is where the difference shows up.

On A:

    dig www.dnssec-failed.org @localhost
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19813
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

    ;; ANSWER SECTION:
    www.dnssec-failed.org. 7178 IN A 68.87.109.242
    www.dnssec-failed.org. 7178 IN A 69.252.193.191

On B:

    dig www.dnssec-failed.org @localhost
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4969
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

/etc/named.conf:

    options {
        directory "/var/named";
        allow-recursion { "friends"; };
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        listen-on-v6 {any;};
        ixfr-from-differences yes;
        max-journal-size 2m;
        notify yes;
        response-policy { zone "rpz.five-ten-sg.com";} qname-wait-recurse no;
        filter-aaaa-on-v4 yes;
        filter-aaaa { "brokenv6"; };
        rate-limit {
            responses-per-second 5;
            errors-per-second 5;
            nxdomains-per-second 40;
            qps-scale 300;
            exempt-clients { "friends"; };
        };
    };

A is neither master nor slave for dnssec-failed.org, and that domain is not mentioned in the rpz zone.
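
The check performed by hand above can be scripted for a fleet of resolvers. The following is an added example, not part of the original post: it parses the header lines dig prints and classifies a resolver from its answer for the deliberately mis-signed test name. The function names, the result labels and the control-query sample are assumptions made for this illustration.

```python
import re

# Header lines copied from the two dig runs in the post (hosts A and B).
DIG_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19813
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
"""
DIG_B = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4969
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed sample (not from the post): control query for a correctly signed name.
DIG_CONTROL_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"flags:\s*([a-z ]*);.*?ANSWER:\s*(\d+)")

def parse_dig(text):
    """Return (status, set of flags, answer count) from dig's header lines."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split()), int(flags.group(2))

def classify(broken_zone_output, control_output=None):
    """Classify a resolver from its reply for a deliberately mis-signed name."""
    status, _, answers = parse_dig(broken_zone_output)
    if status == "NOERROR" and answers > 0:
        return "not-validating"        # bogus data was handed to the client
    if status != "SERVFAIL":
        return "inconclusive"
    if control_output is None:
        return "servfail-unconfirmed"  # validation failure or an unrelated outage
    c_status, c_flags, c_answers = parse_dig(control_output)
    if c_status == "NOERROR" and c_answers > 0 and "ad" in c_flags:
        return "validating"            # signed control name resolves with AD set
    return "inconclusive"

if __name__ == "__main__":
    for host, out in (("A", DIG_A), ("B", DIG_B)):
        print(host, classify(out))
```

A SERVFAIL on its own is consistent with validation but does not prove it, which is why the control query against a correctly signed name is used to confirm the result.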