Gentoo Forums
DNSSEC not working, not logging with net-dns/bind-9.7.1_p2
slev0
n00b
Joined: 03 Nov 2010
Posts: 3

Posted: Wed Nov 03, 2010 3:23 am    Post subject: DNSSEC not working, not logging with net-dns/bind-9.7.1_p2

I've been on Google all day, and I'm starting to give up hope.

I have named configured correctly, so far as I can tell, based on http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers

/etc/bind/bind.keys:
Code:
/* IANA root pubkey */

managed-keys {
        "." initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
         QxA+Uk1ihz0=";
};


/etc/bind/named.conf (relevant options only):
Code:
options {
        bindkeys-file "/etc/bind/bind.keys";
        dnssec-enable yes;
        dnssec-validation yes;
};

logging {

        channel dnssec_log {
                file "/tmp/dnssec++.log" size 20m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity debug 3;
        };
        category dnssec  { dnssec_log;  };
};


I noticed the root cache was out of date, and updated that. The master key is taken from http://data.iana.org/root-anchors/. Nothing is ever logged to dnssec++.log unless I enable dnssec-lookaside pointing to dlv.isc.org; if I do that, the log fills with errors immediately, and I can't resolve a thing.

I've confirmed I can retrieve DNSKEY records and such using dig. My DNS setup (caching/recursive plus a small, local authoritative zone) works great other than this. I'm using a configuration based closely on /usr/portage/net-dns/bind/files/named.conf-r4. I have no idea what to do next.

Has anyone ever actually gotten DNSSEC working under Gentoo with BIND? I can't find any evidence of it anywhere.

Oh, and I'm testing with http://test.dnssec-or-not.org/. I think the total absence of DNSSEC activity in the log is damning enough, anyway.
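Before trusting a root anchor pasted into bind.keys, the check a practitioner wants is to derive the DS record from the DNSKEY material and compare it with the one IANA publishes under root-anchors. The following is an added example, not code from the post, from ISC or from the Gentoo package: it parses a managed-keys block in the format shown above, computes the RFC 4034 key tag and SHA-256 DS digest of the "." anchor, and compares them with the published DS for the 2010 root KSK (key tag 19036, algorithm 8, digest type 2). The sample block is a constructed copy of the one in the post, and all function names are the example's own.

```python
"""Verify a BIND managed-keys root anchor against the IANA-published DS record.

Added example (not from the forum post). Standard library only.
"""
import base64
import hashlib
import re

# Constructed copy of the managed-keys block from the post (IANA root KSK-2010).
BIND_KEYS = r'''
/* IANA root pubkey */

managed-keys {
        "." initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
         QxA+Uk1ihz0=";
};
'''

# DS published by IANA for the 2010 root KSK: ". IN DS 19036 8 2 49AAC1..."
IANA_ROOT_DS = (19036, 8, 2,
                "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

# One anchor: "owner" [initial-key] flags protocol algorithm "base64 key" ;
# (the optional keyword also lets this parse a plain trusted-keys block).
ANCHOR_RE = re.compile(
    r'"(?P<name>[^"]+)"\s+(?:initial-key\s+)?'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+'
    r'"(?P<key>[^"]+)"\s*;')


def parse_anchors(text):
    """Return [(owner, flags, protocol, algorithm, key_bytes), ...] from a keys file."""
    anchors = []
    for m in ANCHOR_RE.finditer(text):
        key_b64 = re.sub(r"\s+", "", m.group("key"))  # key spans several lines
        anchors.append((m.group("name"), int(m.group("flags")), int(m.group("proto")),
                        int(m.group("alg")), base64.b64decode(key_b64, validate=True)))
    return anchors


def owner_wire(name):
    """Uncompressed, lower-cased wire-format owner name; "." is a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """RFC 4034 s5.1.4: digest(owner name | DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(owner_wire(owner) + rdata).hexdigest().upper()


def check_root_anchor(text, expected=IANA_ROOT_DS):
    """Return (key_tag, algorithm, digest, matches) for the "." anchor in text.

    A mismatch means the pasted key is not the published KSK (a typo, a stale
    key, or tampering) and named would validate against the wrong anchor.
    """
    for owner, flags, proto, alg, key in parse_anchors(text):
        if owner != ".":
            continue
        if proto != 3 or not flags & 0x0100:  # protocol 3, ZONE flag (bit 7) set
            raise ValueError("not a DNSSEC zone key")
        rdata = dnskey_rdata(flags, proto, alg, key)
        tag = key_tag(rdata)
        digest = ds_digest(owner, rdata, expected[2])
        ok = (tag, alg, digest) == (expected[0], expected[1], expected[3])
        return tag, alg, digest, ok
    raise ValueError('no anchor for "." found')


if __name__ == "__main__":
    tag, alg, digest, ok = check_root_anchor(BIND_KEYS)
    print(f". IN DS {tag} {alg} {IANA_ROOT_DS[2]} {digest}")
    print("matches IANA root-anchors" if ok else "MISMATCH: do not use this anchor")
```

To check a real file, pass `open("/etc/bind/bind.keys").read()` to `check_root_anchor`. What this does not tell you is whether named loads the anchor at all: in BIND 9.7 the `bindkeys-file` option is consulted only for `dnssec-lookaside auto`, so with `dnssec-validation yes` the `managed-keys` statement has to be read from named.conf itself (for instance via `include "/etc/bind/bind.keys";`), and named needs write access to its working directory to keep the managed-keys.bind journal that RFC 5011 key rollover updates. `dnssec-validation auto`, which picks up the root key from bind.keys on its own, first appeared in BIND 9.8.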
darkphader
Veteran
Joined: 09 May 2002
Posts: 1225
Location: Motown

Posted: Fri Nov 05, 2010 2:47 am

Saw your post, but sorry I've long since switched from bind to nsd and unbound (with a side trip for a couple of years through djbdns). I followed http://www.unbound.net/documentation/howto_anchor.html and DNSSEC just worked. Much simpler than I thought it would be.
_________________
WYSIWYG - What You See Is What You Grep
slev0

Joined: 03 Nov 2010
Posts: 3

Posted: Fri Nov 05, 2010 3:19 am

darkphader wrote:
Saw your post, but sorry I've long since switched from bind to nsd and unbound (with a side trip for a couple of years through djbdns). I followed http://www.unbound.net/documentation/howto_anchor.html and DNSSEC just worked. Much simpler than I thought it would be.

The last time I checked in with Unbound, it was authoritative-only, or at least not-recursive. Can Unbound handle recursion/caching yet, or is it ever planned to? That's my primary use; so far, I'm not bothering to sign my local authority, because it's visible on this LAN and nowhere else in the world. (Or so I hope.)

I'm perfectly willing to switch at this point; BIND configuration drives me nuts. It's the Sendmail of DNS. I use it partly because employers have, so I try to keep my hand in.
darkphader

Joined: 09 May 2002
Posts: 1225
Location: Motown

Posted: Fri Nov 05, 2010 3:39 am

NSD is authoritative only, Unbound is recursive, does caching.
_________________
WYSIWYG - What You See Is What You Grep
slev0

Joined: 03 Nov 2010
Posts: 3

Posted: Fri Nov 05, 2010 3:43 am

darkphader wrote:
NSD is authoritative only, Unbound is recursive, does caching.

I will definitely check out Unbound. Thanks!