Some clarification.... Have you DNSSEC signed your domain - that is "covisp.net"? Because I don't see any DS records for it in the "net" zone.

    dig @a.gtld-servers.net. covisp.net ds
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

returns the SOA for NET - so I know I got to the right place but there was no answer...

If you mean you want to switch on DNSSEC for recursion - that is, when you look up names and want DNSSEC protection - you should not do that on your authoritative servers. If an authoritative server has a DNSSEC signed zone and you ask it directly (e.g. with dig), it will set the "AA" flag for that domain but never set the AD bit.

In my case, posix.co.za is signed and if I ask my local DNS server, which is DNSSEC aware, I get...

    $ dig posix.co.za a
    ...
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ...
    posix.co.za.            3600    IN      A       192.96.24.1
    ...
    ;; SERVER: 127.0.0.1#53(127.0.0.1)

If I ask my authoritative (for "posix.co.za") nameserver for the same:

    $ dig posix.co.za a @secdns1.posix.co.za
    ...
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
    ...
    posix.co.za.            3600    IN      A       192.96.24.1
    ...
    ;; SERVER: 192.96.24.81#53(192.96.24.81)

Notice there is no AD bit, just AA.

In a new install of BIND (on my Linux laptop: BIND 9.11.2-P1) I think you'll find DNSSEC is already switched on; otherwise you want:

    options {
        dnssec-enable yes;
        dnssec-validation auto;
    };

On an authoritative system, anyone can query it but only for your domain, and there should be no recursion:

    allow-recursion { none; };

On a recursive server, recursion should be on but only for a few trusted people...

    allow-recursion { trusted; };   // Trusted is only my local networks

Thus recursive and authoritative nameservers should *ideally* be on separate servers (virtual or physical).

On 09/08/2018 03:58 PM, @lbutlr wrote:
> So, I set up DNSSEC on my authoritative bind 9.12 server, which was very
> straightforward and works fine:
>
> dig covisp.net +dnssec +short @8.8.8.8
> 65.121.55.42
> A 7 2 86400 20181008122535 20180908122535 17363 covisp.net.
> pkpVdFONJ2dYN+7wQ4pVcQTlWIThY3+mbNdXsE8p5uWiLNvIefVT32JE
> i9itA3Si91/pImofmPnLPbxRbLzWt+dSfbxBoHaoCYK1ZCngw/vy9QlG
> 36Um0De5ItCC/GuflXUnBKmEJKx0pQOlvqSnkRSV75yLnAw3NA0BdKnf
> CBJP9QLQH/A1vojRafIER5MNM34lKfJC9QrMDBiUBYzrv3i/2QK3gE7t
> 8Y1Zpoemux8Uz/zps1I/pmjVAIixk2ilVOLDXkeS6Ta4ODrWayyuFM8b
> xwkodXsMtFAx5PhkVyHT5zJyScYYzC82aZs7fTmA6F01saabVsxIYAi6
> 78upgA==
>
> But now, what do I need to do for other DNS servers? Is it enough to simply
> add
>
> dnssec-enable yes;
> dnssec-validation yes;
> managed-keys-directory "/usr/local/etc/namedb/working/keys";
>
> ? Should it simply validate the key with the primary and go from there?
>
> I tried this, but trying to do a dig +dnssec on the secondary DNS doesn't
> return the record, so I think there must be something else.
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
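The dig comparison in the reply above (AA from the authoritative server, AD only from a validating recursive resolver, and +dnssec needed to get RRSIGs back) can be checked programmatically. The following is an added example, not code from the original post, from ISC or from BIND: a stdlib-only Python client that sends a query with the EDNS0 DO bit set, decodes the 12-byte header and says which of the two cases you are looking at. The function names, the verdict strings and the sample headers in the comments are my own; the sample headers are constructed to match the flag lines quoted in the post.

```python
"""Minimal DNS client (stdlib only) that sends a query with the EDNS0 DO bit and
reports the AA and AD header flags, mirroring the dig comparison in the post.
Added example; names and sample values are constructed for illustration."""
import random
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "DS": 43, "RRSIG": 46, "DNSKEY": 48}

# Header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2.3)
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
FLAG_RA, FLAG_AD, FLAG_CD = 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000  # "DNSSEC OK" bit in the OPT record's TTL field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: 'covisp.net' -> b'\\x06covisp\\x03net\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A", dnssec_ok: bool = True, txid=None) -> bytes:
    """Build a recursion-desired query with an EDNS0 OPT record. With dnssec_ok the DO
    bit is set (what dig +dnssec does), so the server includes RRSIGs and a validating
    resolver may set AD in its answer."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    ttl_field = EDNS_DO if dnssec_ok else 0
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, ttl_field, 0)
    return header + question + opt


def parse_flags(response: bytes) -> dict:
    """Decode the 12-byte header: which flags the server set and the section counts."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA), "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(flags: dict) -> str:
    """State what the AA/AD combination tells you, as the post explains: AD comes only
    from a validating recursive resolver, AA only from a server authoritative for the zone."""
    if flags["ad"]:
        return "validated"              # constructed header example: flags 0x81A0 (qr rd ra ad)
    if flags["aa"]:
        return "authoritative"          # constructed header example: flags 0x8500 (qr aa rd); AD never set here
    if flags["ra"]:
        return "recursive-unvalidated"  # resolver answered but did not (or could not) validate
    return "unknown"


def query_udp(server: str, name: str, qtype: str = "A", timeout: float = 3.0) -> dict:
    """Send one UDP query to `server` and return the parsed header flags plus a verdict.
    Needs network access; not exercised by the offline checks."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    flags = parse_flags(data)
    if flags["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    flags["verdict"] = classify(flags)
    return flags


if __name__ == "__main__":
    import sys
    # Usage: python dnsflags.py <server> <name>   e.g. 127.0.0.1 posix.co.za
    # Run once against your resolver and once against the authoritative server to
    # see "validated" versus "authoritative", as in the two dig runs in the post.
    print(query_udp(sys.argv[1], sys.argv[2]))
```

A "validated" verdict from your own resolver together with an "authoritative" verdict from the zone's nameserver is the expected pair for a correctly signed and delegated zone; "recursive-unvalidated" from the resolver is the thing to investigate (no DS at the parent, as in the covisp.net case above, or validation switched off on the resolver).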