Bug 708709
| Summary: | Bind no longer validates DNSSEC | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Scott Schmit <i.grok> |
| Component: | bind | Assignee: | Adam Tkac <atkac> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 14 | CC: | atkac, ovasik |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-06-01 11:10:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Scott Schmit
2011-05-29 01:08:54 UTC
I'm not able to reproduce this issue with 9.7.4-0.1.b1.fc14, named returns SERVFAIL for the rhybar.cz domain. /var/log/messages contains the following lines:

    May 30 10:19:38 f14 named[1332]: validating @0x7ff63c3fcc70: rhybar.cz DNSKEY: no valid signature found
    May 30 10:19:39 f14 named[1332]: error (insecurity proof failed) resolving 'rhybar.cz/DNSKEY/IN': 194.0.13.1#53

Can you please check if your server successfully validates for example the cz. domain (the "ad" flag is present in the validated response, check it via `dig @yourserver cz SOA +dnssec`)? If the response contains the ad flag then run the following command: `rndc dumpdb -cache` and then attach the "/var/named/data/cache_dump.db" file, please.

That's just it -- it's acting like I don't have dnssec validation on, therefore I get no ad flag for anything. My reproduction recipe is the following:

    # service named restart
    # dig +adflag @::1 -t soa cz > cz-soa
    # dig +adflag @::1 www.rhybar.cz > rhybar-a
    # rndc dumpdb -cache

I'm attaching /etc/named.conf, /var/named/data/cache_dump.db, cz-soa, and rhybar-a

Created attachment 501828 [details]
The named configuration file
Created attachment 501829 [details]
Cache dump of the server after two queries
Created attachment 501830 [details]
The results of dig +adflag @::1 -t soa cz
Note that there is no ad flag.
Created attachment 501831 [details]
The results of dig +adflag @::1 www.rhybar.cz
Note that the invalid results are returned. No error shows up in /var/log/messages.
Actually bind-9.7.3-1.fc14 doesn't validate at all with your configuration either. The named.root.key file must be included this way in named.conf:

    include "/etc/named.root.key";

not via the "bindkeys-file" directive. If you use bindkeys-file then you must also set "dnssec-lookaside auto;" in the options {} section. Details are written in the BIND9 ARM (/usr/share/doc/bind-9.7.3/arm/Bv9ARM.pdf), section 6.2.16, description of the bindkeys-file and dnssec-lookaside directives. Closing as notabug, feel free to reopen this ticket if you think something is still wrong.
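The two trust-anchor layouts that the closing comment contrasts, written out as an added named.conf example for BIND 9.7 on Fedora 14 (this is not the reporter's attached configuration); the key file paths are assumed Fedora defaults.

```conf
// Added example, not the reporter's attached named.conf. Minimal options
// section for BIND 9.7 on Fedora 14; key file paths are assumed Fedora
// defaults. Use exactly ONE of the two trust-anchor layouts shown here.

options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;

    // Layout 1: trust anchors come from the bindkeys-file.
    // On its own, this next line is the misconfiguration from the report:
    // the file is read, but its keys are never installed as trust anchors,
    // so named resolves everything unvalidated and never sets the "ad" flag.
    bindkeys-file "/etc/named.iscdlv.key";   // assumed Fedora path

    // Required companion setting; without it layout 1 does not validate.
    dnssec-lookaside auto;
};

// Layout 2 (use INSTEAD of bindkeys-file + dnssec-lookaside above):
// load the root trust anchor directly with a top-level include.
// include "/etc/named.root.key";
```

After restarting named, `dig @::1 cz SOA +dnssec` should show `ad` in the flags line of the response; if it is absent, answers are being returned without validation regardless of what named.conf appears to configure.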