Description of problem: After upgrading, DNSSEC-signed records are not validated, even with dnssec-validate yes.
Version-Release number of selected component (if applicable): bind-9.7.4-0.1.b1.fc14.i686
How reproducible: 100%
Steps to Reproduce:
1. Install latest bind, configure a recursive resolver with dnssec-validation on
2. dig www.rhybar.cz @yourserver
Actual results: A record, NOERROR
Expected results: No records returned, SERVFAIL
Additional info: www.rhybar.cz has a deliberately incorrect DNSSEC signature. If bind is validating DNSSEC like it's supposed to, it will not return the invalid result. The fact that it's getting through even though I have dnssec & dnssec validation enabled says that there's a bug here.
I'm not able to reproduce this issue with 9.7.4-0.1.b1.fc14; named returns SERVFAIL for the rhybar.cz domain. /var/log/messages contains the following lines:
May 30 10:19:38 f14 named[1332]: validating @0x7ff63c3fcc70: rhybar.cz DNSKEY: no valid signature found
May 30 10:19:39 f14 named[1332]: error (insecurity proof failed) resolving 'rhybar.cz/DNSKEY/IN': 194.0.13.1#53
Can you please check if your server successfully validates, for example, the cz. domain (the "ad" flag is present in the validated response; check it via `dig @yourserver cz SOA +dnssec`)? If the response contains the ad flag, then run the following command: `rndc dumpdb -cache` and then attach the "/var/named/data/cache_dump.db" file, please.
That's just it -- it's acting like I don't have dnssec validation on, therefore I get no ad flag for anything. My reproduction recipe is the following:
# service named restart
# dig +adflag @::1 -t soa cz > cz-soa
# dig +adflag @::1 www.rhybar.cz > rhybar-a
# rndc dumpdb -cache
I'm attaching /etc/named.conf, /var/named/data/cache_dump.db, cz-soa, and rhybar-a
Created attachment 501828: The named configuration file
Created attachment 501829: Cache dump of the server after two queries
Created attachment 501830: The results of dig +adflag @::1 -t soa cz. Note that there is no ad flag.
Created attachment 501831: The results of dig +adflag @::1 www.rhybar.cz. Note the invalid results are returned. No error shows up in /var/log/messages
Actually bind-9.7.3-1.fc14 doesn't validate at all with your configuration either. The named.root.key file must be included this way in named.conf: include "/etc/named.root.key"; not via the "bindkeys-file" directive. If you use bindkeys-file then you must also set "dnssec-lookaside auto;" in the options {} section. Details are written in the BIND9 ARM (/usr/share/doc/bind-9.7.3/arm/Bv9ARM.pdf), section 6.2.16, description of the bindkeys-file and dnssec-lookaside directives. Closing as notabug; feel free to reopen this ticket if you think something is still wrong.
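The three named.conf layouts discussed in this ticket, side by side, as an added illustration that is not taken from the reporter's attached configuration or from the BIND documentation: the non-validating one (bindkeys-file with no trust anchor loaded) and the two layouts the closing comment says do validate. The `directory` and `dnssec-enable` lines are assumed boilerplate; the key path and directive names are the ones named in the ticket.

```conf
// Variant A: bindkeys-file alone. Per comment 8 this does NOT validate:
// bindkeys-file only supplies keys for dnssec-lookaside, so with no
// trust anchor loaded named answers without validating (no "ad" flag,
// bogus www.rhybar.cz data returned with NOERROR).
options {
    directory "/var/named";          // assumed
    dnssec-enable yes;               // assumed (default)
    dnssec-validation yes;
    bindkeys-file "/etc/named.root.key";
};

// Variant B (fix 1): load the root trust anchor with a top-level include.
// "include" sits outside options {}; the file carries the managed-keys
// block for the root zone, which is what dnssec-validation yes needs.
options {
    directory "/var/named";          // assumed
    dnssec-enable yes;               // assumed (default)
    dnssec-validation yes;
};
include "/etc/named.root.key";

// Variant C (fix 2): keep bindkeys-file, but turn on lookaside so that
// named actually reads the keys from that file (as comment 8 states).
options {
    directory "/var/named";          // assumed
    dnssec-enable yes;               // assumed (default)
    dnssec-validation yes;
    bindkeys-file "/etc/named.root.key";
    dnssec-lookaside auto;
};
```

Only one of the three `options {}` blocks belongs in a real named.conf; after restarting named, `dig @yourserver cz SOA +dnssec` should show the `ad` flag and `dig www.rhybar.cz @yourserver` should return SERVFAIL, as described earlier in the ticket.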