About DNSSec-Validation=Yes and bind.keys


Onur GURSOY
Hello Everyone,
I have some trouble with bind9 and DNSSEC.
When I set dnssec-validation to auto,
my DNS server is talking with the Google DNS servers (8.8.8.8 and 8.8.4.4),
and
when I set dnssec-validation to yes,
it couldn't talk with the Google DNS servers.
I have realized there is no predefined bind.keys.
I downloaded it from https://downloads.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
and I added it manually, but the result is the same.
They didn't talk with the Google DNS servers.
So,
what is the difference between auto and yes,
and why didn't the default bind.keys file come by default?
Where is the problem?
If you want, I can provide Wireshark output.

Many Many Thanks,
With My Best Regards,

--
Onur GÜRSOY
R&D Engineer in Embedded Systems
Master Student at Gebze Institute Of Technology
Department Of Electronic Engineering
GSM : 0(545) 764 7653
e-mail: [hidden email]

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: About DNSSec-Validation=Yes and bind.keys

Petr Mensik
Hello Onur,

Sharing your named-checkconf -p output would be a good start. bind.keys
should not be required if your build is recent and has the new key
built in. Please also share your BIND version.

The difference between auto and yes is that auto includes the built-in
keys automatically. With yes, you have to include them yourself.

Try adding:

include "/etc/bind.keys";

to your configuration if dnssec-validation yes; is used.

Best Regards,
Petr

On 11/12/20 11:18 AM, Onur GURSOY wrote:

> Hello Everyone,
> I have some trouble with bind9 and DNSSEC.
> When I set dnssec-validation to auto,
> my DNS server is talking with the Google DNS servers (8.8.8.8 and 8.8.4.4),
> and
> when I set dnssec-validation to yes,
> it couldn't talk with the Google DNS servers.
> I have realized there is no predefined bind.keys.
> I downloaded it from
> https://downloads.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
> and I added it manually, but the result is the same.
> They didn't talk with the Google DNS servers.
> So,
> what is the difference between auto and yes,
> and why didn't the default bind.keys file come by default?
> Where is the problem?
> If you want, I can provide Wireshark output.
>
> Many Many Thanks,
> With My Best Regards,
>
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [hidden email]
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
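
Added example, not part of the thread and not ISC or Red Hat code: a shell check for the case the reply describes, dnssec-validation yes with no trust anchor statement in the effective configuration. It reads text in the form printed by named-checkconf -p; the function name, exit codes and sample configurations are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Input: text in the form printed by `named-checkconf -p`.
# Assumes a single options block (no per-view overrides).
# Exit codes chosen for this example: 0 = auto, or yes with a trust anchor
# statement; 1 = yes with no trust anchor statement; 2 = anything else.
check_validation() {
    conf=$(cat)
    mode=$(printf '%s\n' "$conf" |
        sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]\{1,\}\([a-z]\{1,\}\)[[:space:]]*;.*/\1/p' |
        head -n 1)
    # Trust anchors live in managed-keys or trusted-keys (BIND 9.11) or in
    # trust-anchors (newer releases).
    if printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*(managed-keys|trusted-keys|trust-anchors)[[:space:]]*\{'
    then anchors=present
    else anchors=missing
    fi
    case "$mode" in
        auto) echo "auto: built-in keys are included automatically"; return 0 ;;
        yes)
            if [ "$anchors" = present ]; then
                echo "yes: trust anchor statement found"; return 0
            fi
            echo 'yes: no trust anchor; try: include "/etc/bind.keys";'; return 1 ;;
        *) echo "dnssec-validation is '${mode:-not set}'"; return 2 ;;
    esac
}

# Constructed sample inputs (not taken from the poster's server).
SAMPLE_YES_NO_KEYS='options {
    directory "/var/named";
    dnssec-validation yes;
};'
SAMPLE_YES_WITH_KEYS='managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-KEY-DATA";
};
options {
    dnssec-validation yes;
};'
SAMPLE_AUTO='options {
    dnssec-validation auto;
};'

for s in "$SAMPLE_YES_NO_KEYS" "$SAMPLE_YES_WITH_KEYS" "$SAMPLE_AUTO"; do
    printf '%s\n' "$s" | check_validation || true
done
# Real use: named-checkconf -p | check_validation
```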
