Re: About DNSSec-Validation=Yes and bind.keys

[Petr Menšík]

Hello Onur,

sharing your named-checkconf -p output would be a good start. bind.keys
should not be required, if your build is recent and it has new key
built-in. Please share also your BIND version.

Difference between auto and yes is, auto includes built-in keys
automatically. With yes, you have to include them yourself.

Try adding:

include "/etc/bind.keys";

to your configuration, if dnssec-validation yes; is used.

Best Regards,
Petr

On 11/12/20 11:18 AM, Onur GURSOY wrote:
> Hello Everyone,
> I have some trouble about bin9 and dnssec
> When i set dnssec-validation to auto.
> My dns server is talking with google dns server (8.8.8.8 and 8.8.4.4)
> and
> when i set to dnssec-validation to yes
> it couldn't talk with google dns server.
> i have realized, there is no pre defined bind.keys.
> I donwload it from this
> https://downloads.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
> and i added manually but result is the same
> They didn't talk with google dns server.
> So
> where is the difference auto and yes.
> and why default bind.keys file didn't come by default
> Where is the problem.
> If you want i can provide wireshark output.
> 
> Many Many Thanks,
> With My Best Regards,
> 
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB


OpenPGP_0x4931CA5B6C9FC5CB_and_old_rev.asc
Description: application/pgp-keys


OpenPGP_signature
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

About DNSSec-Validation=Yes and bind.keys

[Onur GURSOY]

Hello Everyone,
I have some trouble about bin9 and dnssec
When i set dnssec-validation to auto.
My dns server is talking with google dns server (8.8.8.8 and 8.8.4.4)
and
when i set to dnssec-validation to yes
it couldn't talk with google dns server.
i have realized, there is no pre defined bind.keys.
I donwload it from this
https://downloads.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
and i added manually but result is the same
They didn't talk with google dns server.
So
where is the difference auto and yes.
and why default bind.keys file didn't come by default
Where is the problem.
If you want i can provide wireshark output.

Many Many Thanks,
With My Best Regards,

-- 
Onur GÜRSOY
R Engineer in Embedded Systems
Master Student at Gebze Institute Of Technology
Department Of Electronic Engineering
GSM : 0(545) 764 7653
e-mail: onurgursoyg...@gmail.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users