Hey guys,

We received an email today about one of our recursive DNS servers that did not support the new KSK for DNSSEC.

################################
On 11 October 2018, ICANN will change or "roll over" the DNSSEC key signing key (KSK) of the DNS root zone. Based on information from your network received at the DNS root name servers [1], we believe that there may be at least one recursive resolver (also referred to as a recursive name server or caching name server) with DNSSEC validation enabled in AS11272 that is unprepared for the KSK rollover. If that resolver is not updated before 11 October 2018, users of that resolver will not be able to resolve any DNS queries, resulting in an outage for them.
#################################

So, I followed the instructions here: https://www.icann.org/dns-resolvers-updating-latest-trust-anchor

In my named.conf I changed:

    dnssec-validation yes;

to

    dnssec-validation auto;

I then moved my bind.keys file (which does have the latest keys) into the named working directory. Chown'd it so that named could have group ownership and could write to it. I then restarted named.

I started seeing these in the logs:

    dnssec: info: validating x.com: no valid signature found

So I tried a different approach:

I moved the "managed keys" section into my named.conf file.

    managed-keys {
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
            FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
            bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
            X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
            W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
            Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
            QxA+Uk1ihz0=";
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
            +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
            ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
            0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
            oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
            RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
            R1AkUTV74bU=";
    };

Restarted bind and still started seeing validation errors in the logs.

Can someone tell me what I am doing wrong?
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
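An added example, not code from the original post or from ISC: a small Python audit that reads a managed-keys block like the one above, computes each anchor's key tag (RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4034 section 5.1.4), and reports whether the 2017 root KSK is present. The sample input is the post's own block re-wrapped one statement per line; the key tags 19036 (KSK-2010) and 20326 (KSK-2017) and the DS value it compares against are the ones IANA publishes for the root zone. It only checks the configured anchors; whether named actually loaded them is a separate question answered on the resolver itself.

```python
"""Audit a BIND managed-keys block for root KSK rollover readiness (added example).

Parses initial-key statements, computes key tags and DS digests, and checks that
KSK-2017 (tag 20326) is among the configured root trust anchors.
"""
import base64
import hashlib
import re
import struct

# Root KSK key tags as published by IANA.
KSK_2010_TAG = 19036
KSK_2017_TAG = 20326

# Constructed sample input: the managed-keys block from the post, one key per statement.
MANAGED_KEYS_BLOCK = """
managed-keys {
    . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0=";
    . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
        +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
        ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
        0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
        oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
        RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
        R1AkUTV74bU=";
};
"""

# One anchor statement: owner, keyword, flags, protocol, algorithm, quoted base64 key.
ANCHOR_RE = re.compile(
    r'(?P<name>\S+)\s+(?:initial-key|static-key)\s+'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;'
)


def parse_anchors(text):
    """Return one dict per trust anchor statement found in the block."""
    anchors = []
    for m in ANCHOR_RE.finditer(text):
        key_b64 = re.sub(r"\s+", "", m.group("key"))  # undo the line wrapping
        anchors.append({
            "name": m.group("name"),
            "flags": int(m.group("flags")),
            "protocol": int(m.group("proto")),
            "algorithm": int(m.group("alg")),
            "key": base64.b64decode(key_b64),
        })
    return anchors


def dnskey_rdata(anchor):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", anchor["flags"], anchor["protocol"], anchor["algorithm"]) + anchor["key"]


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Owner name in DNS wire format; "." is just the empty root label."""
    if name == ".":
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in name.rstrip(".").split(".")) + b"\x00"


def ds_sha256(anchor):
    """DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(anchor["name"]) + dnskey_rdata(anchor)).hexdigest().upper()


def audit(anchors):
    """Check a list of parsed anchors for root KSK rollover readiness."""
    report = {"tags": [], "ds": {}, "has_ksk_2017": False, "problems": []}
    for a in anchors:
        tag = key_tag(dnskey_rdata(a))
        report["tags"].append(tag)
        report["ds"][tag] = ds_sha256(a)
        if a["name"] != ".":
            report["problems"].append(f"tag {tag}: owner {a['name']!r} is not the root zone")
        if not a["flags"] & 0x0001:  # bit 15 is the SEP flag, set on KSKs (257 = 256 + 1)
            report["problems"].append(f"tag {tag}: SEP bit clear (flags={a['flags']}), not a KSK")
        if a["protocol"] != 3:
            report["problems"].append(f"tag {tag}: protocol {a['protocol']} must be 3")
        if tag == KSK_2017_TAG:
            report["has_ksk_2017"] = True
    if not report["has_ksk_2017"]:
        report["problems"].append(f"KSK-2017 (tag {KSK_2017_TAG}) missing: validation fails after the rollover")
    return report


if __name__ == "__main__":
    result = audit(parse_anchors(MANAGED_KEYS_BLOCK))
    for tag in result["tags"]:
        print(f"key tag {tag}  DS: . IN DS {tag} 8 2 {result['ds'][tag]}")
    print("KSK-2017 present:", result["has_ksk_2017"])
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

The DS line it prints for tag 20326 should match the root DS record IANA publishes; a mismatch means the base64 was mangled when the block was pasted, which is one way a managed-keys statement can look right yet fail validation. On the resolver, `rndc managed-keys status` then shows which anchors named has actually accepted and in what RFC 5011 state.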