Hi,

If, like me, you've been eagerly awaiting Debian 11 to get bind-9.16.15, which finally lets you implement DNSSEC extremely easily on Debian stable, I have a warning.
BIND has a dnssec-policy {} stanza for defining your own policy if you're feeling adventurous, but there's also a default policy. And there's a dnssec-policy usage directive to specify which dnssec-policy should be applied to zones. BIND's documentation says that the dnssec-policy usage directive can either appear in the options {} stanza, so as to apply to all zones, or it can appear in individual zone {} stanzas.

My advice is: DO NOT PUT DNSSEC-POLICY IN THE OPTIONS {} STANZA. ONLY PUT DNSSEC-POLICY IN THE ZONE {} STANZAS.

I put it in the options {} stanza, not realising that "all zones" doesn't just mean all of *my* authoritative zones. It really means ALL zones. That means every zone in /etc/bind/named.conf.local (i.e. my zones), as well as every zone in /etc/bind/named.conf.default-zones, i.e.:

  localhost
  127.in-addr.arpa
  0.in-addr.arpa
  255.in-addr.arpa

And, if you uncomment the include "/etc/bind/zones.rfc1918" in /etc/bind/named.conf.local, then it also means all of those zones as well:

  16.172.in-addr.arpa
  17.172.in-addr.arpa
  ...
  31.172.in-addr.arpa
  168.192.in-addr.arpa

What happens next is that BIND tries and fails to create .jnl files in /etc/bind for these zones. AppArmor or the directory permissions prevents it. This sort of thing appears in the logs:

  general: error: /etc/bind/db.empty.jnl: create: permission denied
  general: error: /etc/bind/db.255.jnl: create: permission denied

Then BIND gets an assertion failure and exits:

  general: notice: all zones loaded
  general: notice: running
  general: critical: rbtdb.c:6780: REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 && (rdataset->type == ((dns_rdatatype_t)dns_rdatatype_nsec3) || rdataset->covers == ((dns_rdatatype_t)dns_rdatatype_nsec3))) || (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 && rdataset->type != ((dns_rdatatype_t)dns_rdatatype_nsec3) && rdataset->covers != ((dns_rdatatype_t)dns_rdatatype_nsec3)))) failed, back trace
  general: critical: #0 0x558ce49ffeed in ??
  general: critical: #1 0x7fd079be6d9a in ??
  general: critical: #2 0x7fd079d7f73c in ??
  general: critical: #3 0x7fd079e45680 in ??
  general: critical: #4 0x7fd079c1b720 in ??
  general: critical: #5 0x7fd079c20f52 in ??
  general: critical: #6 0x7fd07995cea7 in ??
  general: critical: #7 0x7fd079590def in ??
  general: critical: exiting (due to assertion failure)

This repeats again and again until you work out what happened, clean everything up, remove the dnssec-policy from the options {} stanza, and restart BIND.

And, unless I went temporarily insane, it even managed somehow to overwrite my source zonefiles with signed versions, and I had to restore them from backup. When it works properly, it puts the signed versions in separate files.

However, if you put the dnssec-policy usage directive in the zone {} stanzas instead, it's absolutely brilliant. So, go nuts. DNSSEC all the zones! Well, not *ALL* the zones. You know what I mean. :-)

cheers,
raf
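The two placements described above, side by side, as an added illustration that is not part of raf's post. The zone name example.com, the /var/lib/bind directory and the policy name "mine" are assumptions for the sake of the example; the Debian file layout (named.conf pulling in named.conf.options, named.conf.local and named.conf.default-zones) is the stock one.

```conf
// --- /etc/bind/named.conf.options: the placement the post warns against ---
// A dnssec-policy here is inherited by EVERY zone named loads, including
// the default zones from named.conf.default-zones (localhost, 127.in-addr.arpa,
// 0.in-addr.arpa, 255.in-addr.arpa) whose files live under /etc/bind, where
// named cannot write the .jnl journals it now needs.
options {
        directory "/var/cache/bind";
        // dnssec-policy default;     // <- do NOT do this (applies to all zones)
};

// --- /etc/bind/named.conf.local: the placement that works ---
// Optional custom policy (assumed name "mine"); "default" also works.
dnssec-policy "mine" {
        keys {
                csk lifetime unlimited algorithm ecdsap256sha256;
        };
};

// Only the zones you actually serve get the policy, one stanza at a time.
// The zone file sits in a directory named can write to (assumed here to be
// /var/lib/bind), so the journal and signed copy can be created.
zone "example.com" {
        type primary;
        file "/var/lib/bind/db.example.com";
        dnssec-policy "mine";
        inline-signing yes;
};
```

To see which zones a given configuration actually assigns a policy to, run `named-checkconf -p /etc/bind/named.conf` and look for where `dnssec-policy` ends up in the printed, canonicalised output: inside `options {}` it covers the default and RFC 1918 zones too; inside a `zone {}` stanza it covers just that zone.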