In message <1434674101.18744.119.ca...@ns.five-ten-sg.com>, Carl Byington writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I have multiple centos6 boxes running 9.10.2-P1, and almost everything
> looks good. However, one box seems to not be doing dnssec validation. It
> is possible that this behavior predates the latest updates and I just
> never noticed it.
> 
> A and B have essentially identical configuration, except that A is the
> master for some zones, and B is the slave pulling from A. Other than
> that, the /etc/named.conf is identical. A also has ipv6 connectivity,
> and B does not. The authoritative side works nicely on both. The
> recursive resolver is where the difference shows up.
> 
> On A:
> 
> dig www.dnssec-failed.org @localhost
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19813
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
> ;; ANSWER SECTION:
> www.dnssec-failed.org. 7178 IN A 68.87.109.242
> www.dnssec-failed.org. 7178 IN A 69.252.193.191
> 
> On B:
> dig www.dnssec-failed.org @localhost
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4969
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
You don't have any trust anchors active. To use the keys in
"/etc/named.iscdlv.key" set "dnssec-validation auto;"

> /etc/named.conf:
> 
> options {
>         directory "/var/named";
>         allow-recursion { "friends"; };
>         dnssec-enable yes;
>         dnssec-validation yes;
>         bindkeys-file "/etc/named.iscdlv.key";
>         managed-keys-directory "/var/named/dynamic";
>         listen-on-v6 {any;};
>         ixfr-from-differences yes;
>         max-journal-size 2m;
>         notify yes;
>         response-policy { zone "rpz.five-ten-sg.com";}
>         qname-wait-recurse no;
>         filter-aaaa-on-v4 yes;
>         filter-aaaa { "brokenv6"; };
>         rate-limit {
>                 responses-per-second 5;
>                 errors-per-second 5;
>                 nxdomains-per-second 40;
>                 qps-scale 300;
>                 exempt-clients { "friends"; };
>         };
> };
> 
> A is neither master nor slave for dnssec-failed.org, and that domain is
> not mentioned in the rpz zone.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> 
> iEYEARECAAYFAlWDYtAACgkQL6j7milTFsHClQCeLKkTuQYlM4liB0UECG5Z4pui
> ujMAnj4wnUWqJj258pIlUFo0IONtkkEP
> =/QDW
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
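The point of the reply is that `dnssec-validation yes;` on its own does not turn on any trust anchor: with that setting BIND 9.10 validates only if the configuration also carries an explicit `trusted-keys` or `managed-keys` statement, while `dnssec-validation auto;` is what activates the keys in `bindkeys-file`. The following script is an added example, not code from the thread or from ISC: a small linter that reads a named.conf text, strips comments, and reports whether the resolver will actually have a trust anchor active. The `SAMPLE_CONF` block is constructed to mirror the options block quoted above, and the function and variable names are the example's own.

```python
"""Added example (not from the thread or from ISC): flag a named.conf
that sets "dnssec-validation yes;" without any explicit trust anchor.

Assumption (as the reply above implies for BIND 9.10): "yes" needs a
trusted-keys or managed-keys statement, while "auto" uses the keys
from bindkeys-file or the compiled-in defaults.
"""
import re
from typing import Optional, Tuple

# Constructed sample, modelled on the options block quoted in the thread.
SAMPLE_CONF = """
options {
        directory "/var/named";
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
"""


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, //, #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return text


def validation_mode(conf: str) -> Optional[str]:
    """Return the dnssec-validation value (yes/no/auto), or None if unset."""
    m = re.search(r"\bdnssec-validation\s+(yes|no|auto)\s*;", strip_comments(conf))
    return m.group(1) if m else None


def has_explicit_anchors(conf: str) -> bool:
    """True if a trusted-keys or managed-keys statement is present.

    The pattern requires an opening brace after the keyword, so the
    unrelated "managed-keys-directory" option does not count as an anchor.
    """
    return re.search(r"\b(trusted-keys|managed-keys)\s*\{", strip_comments(conf)) is not None


def check_trust_anchors(conf: str) -> Tuple[bool, str]:
    """Return (validation_active, explanation) for the given named.conf text."""
    mode = validation_mode(conf)
    if mode == "auto":
        return True, "dnssec-validation auto: bindkeys-file / built-in anchors are used"
    if mode == "no":
        return False, "dnssec-validation no: validation is disabled"
    if mode is None:
        return False, "dnssec-validation not set in this file; check your BIND version's default"
    if has_explicit_anchors(conf):
        return True, "dnssec-validation yes with an explicit trusted-keys/managed-keys statement"
    return False, ("dnssec-validation yes but no trusted-keys/managed-keys statement: "
                   'no trust anchor is active; set "dnssec-validation auto;"')


if __name__ == "__main__":
    ok, why = check_trust_anchors(SAMPLE_CONF)
    print(("OK: " if ok else "WARNING: ") + why)
```

Run against the sample it prints a warning for exactly the condition in the reply; changing the sample's `dnssec-validation yes;` to `auto;`, or adding a `managed-keys { ... };` statement, makes the check pass. Pointing it at a real `/etc/named.conf` only requires reading the file into a string first.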