Actually I have one more question just to make sure I'm not overlooking anything for the KSK rollover. The instructions here:
https://www.icann.org/dns-resolvers-checking-current-trust-anchors
say that I need to, in addition to setting validation to "auto", run:

    rndc secroots

Well, I did that and it created the named.secroots file with the correct contents:

    secure roots as of 23-Aug-2018 17:27:15.420:

     Start view _default

       Secure roots:

    ./RSASHA256/20326 ; managed
    ./RSASHA256/19036 ; managed

       Negative trust anchors:

Does BIND automatically know to use this file or do I need to point named.conf to it? Do I even need this file at all?

On Thu, Aug 23, 2018 at 9:43 AM project722 <project...@gmail.com> wrote:

> Thanks Tony! This was very helpful.
>
> On Thu, Aug 23, 2018 at 8:01 AM Tony Finch <d...@dotat.at> wrote:
>
>> project722 <project...@gmail.com> wrote:
>> >
>> > 1) I am still seeing the "no valid signature found" messages in my
>> > bind.log.
>>
>> > ;; validating ncentral.teklinks.com/A: no valid signature found
>>
>> In this case that's because ncentral.teklinks.com is signed but there's no
>> DS in the parent zone, so it's insecure. If you run delv +vtrace you'll
>> see a lot of verbiage between these lines which is the major clue.
>>
>> ;; validating teklinks.com/DS: attempting negative response validation
>> ;; validating teklinks.com/DS: nonexistence proof(s) found
>>
>> Or you can look at dnsviz.net :-)
>>
>> > 2) There is one other scenario that confuses me. When I test against a URL
>> > that's purposely setup to fail dnssec, I get a servfail.
>>
>> dnssec-failed.org has DS records, so it should be secure, but the DS
>> records in the parent don't match the DNSKEY records in the child zone.
>> You can see this by comparing:
>>
>> $ dig +noall +answer dnssec-failed.org ds
>>
>> $ dig +cd dnssec-failed.org dnskey |
>>       dnssec-dsfromkey -f /dev/stdin dnssec-failed.org
>>
>> Tony.
>> --
>> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
>> protect and enlarge the conditions of liberty and social justice
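The comparison Tony describes in the quoted reply (the parent's DS set against DS records derived from the child's DNSKEY RRset, which is what `dnssec-dsfromkey` produces) as an added worked example; this is not code from the thread or from BIND. It reimplements the key tag from RFC 4034 Appendix B (the same number that appears as 20326 and 19036 in the named.secroots dump above) and the DS digest from RFC 4034 section 5.1.4, and then applies Tony's check to records in `dig +noall +answer` presentation format. The zone name example.test and the four-byte public key are constructed placeholders, not a real zone's key.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY in "dig +noall +answer" presentation format.
# The key material is a placeholder (base64 of bytes 01 02 03 04), not a real
# zone's key, and the zone name is invented.
CHILD_DNSKEY_RRS = [
    "example.test. 3600 IN DNSKEY 257 3 8 AQIDBA==",
]

# Digest types registered for DS records (RFC 4034 / RFC 4509 / RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 s5.1.4: hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def _rdata_fields(line: str, rtype: str):
    """Split a presentation-format RR; tolerates dig output (with TTL/class) and
    dnssec-dsfromkey output (owner IN DS ...) alike by locating the type field."""
    fields = line.split()
    if rtype not in fields:
        raise ValueError(f"not a {rtype} record: {line}")
    return fields[0], fields[fields.index(rtype) + 1:]


def parse_dnskey(line: str):
    """Returns (owner, rdata) for one DNSKEY line; base64 may be split across fields."""
    owner, (flags, proto, alg, *key) = _rdata_fields(line, "DNSKEY")
    return owner, dnskey_rdata(int(flags), int(proto), int(alg), "".join(key))


def parse_ds(line: str):
    """Returns (owner, keytag, algorithm, digest_type, digest_hex) for one DS line."""
    owner, (tag, alg, dtype, *digest) = _rdata_fields(line, "DS")
    return owner, int(tag), int(alg), int(dtype), "".join(digest).upper()


def ds_from_dnskey(line: str, digest_type: int = 2) -> str:
    """Render the DS the parent should publish for this DNSKEY (what dnssec-dsfromkey prints)."""
    owner, rdata = parse_dnskey(line)
    algorithm = rdata[3]  # byte 3 of the RDATA is the algorithm number
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def check_delegation(dnskey_lines, ds_lines) -> dict:
    """Tony's check: does any DS in the parent match a DNSKEY in the child?

    A DS that matches no child key is the dnssec-failed.org situation: the
    delegation is signed (DS present) but cannot be validated, so validating
    resolvers answer SERVFAIL. (A full validator also checks that the matched
    key signs the DNSKEY RRset; that step is outside this example.)
    """
    derived = {}
    for line in dnskey_lines:
        owner, rdata = parse_dnskey(line)
        for dtype in DIGESTS:
            derived[(key_tag(rdata), rdata[3], dtype)] = ds_digest(owner, rdata, dtype)
    matched, unmatched = [], []
    for line in ds_lines:
        _owner, tag, alg, dtype, digest = parse_ds(line)
        (matched if derived.get((tag, alg, dtype)) == digest else unmatched).append(tag)
    return {"matched": matched, "unmatched_ds": unmatched, "secure": bool(matched)}


if __name__ == "__main__":
    good_parent = [ds_from_dnskey(CHILD_DNSKEY_RRS[0])]
    # Constructed parent DS whose digest corresponds to no child key.
    bad_parent = ["example.test. 3600 IN DS 2063 8 2 " + "00" * 32]
    print("consistent delegation:", check_delegation(CHILD_DNSKEY_RRS, good_parent))
    print("mismatched DS        :", check_delegation(CHILD_DNSKEY_RRS, bad_parent))
```

To run it against a real zone, feed the output of `dig +noall +answer ZONE ds` as `ds_lines` and `dig +cd +noall +answer ZONE dnskey` as `dnskey_lines`; `+cd` matters for the DNSKEY query because a validating resolver would otherwise SERVFAIL the broken zone before you can inspect its keys.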
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users