DragonFly BSD
DragonFly submit List (threaded) for 2010-01
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: DNSSEC patch for BIND


From: Jan Lentfer <Jan.Lentfer@xxxxxx>
Date: Sun, 17 Jan 2010 14:15:23 +0100

lentferj schrieb:
Attached is a patch that *should* enable DNSSEC support in BIND and all
related tools (e.g. dig). According to what I could find out looking at
the
original tarball release from ISC, defining OPENSSL and liking to
libcrypto
should be sufficient, but unfortunatley I have to little knowledge about
DNSSEC that I can actually set up a test environment to check if it is
really working. Maybe someone can jump in here.


Ok, I managed to set up an authoritive BIND server with a signed zone for my local network and a forwareder on a second machine following http://www.nlnetlabs.nl/publications/dnssec_howto/index.html.

The output from a query is attached at the bottom.
As I was doing many mistakes during the setup that ended up in error messages like "DS: authvalidated: got no valid KEY", "SERVFAIL" and "ignoring trusted key for 'xx.xx': no crypto support" and I finally got it working, I am 99% sure that dnssec is enabled correctly by this patch.


I am going to commit the patch in the next few hours.

Jan

atom# dig @10.94.76.10 +dnssec +multiline epia.lan.net

; <<>> DiG 9.5.2-P1 <<>> @10.94.76.10 +dnssec +multiline epia.lan.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 339
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;epia.lan.net.          IN A

;; ANSWER SECTION:
epia.lan.net.           604610 IN A 10.94.76.3
epia.lan.net.           604610 IN RRSIG A 5 3 604800 20100216094733 (
                                20100117094733 8880 lan.net.

xet9rg0HEgDUQgENSspy6AGs5N3Zwk5V33H6nzfb5igj

kN60+yxHPgNX5fyVnFq90yvlkiNWN7z8heF60g5xEe8X

6mqfolhrmV7tHyIjI4U5ieyTSUwCFGH25K8G54/4Ql/a
                                5mk0dTgH5yC5cTFs4I3BjhTUnGtaYLD6uNYPQmY= )

;; AUTHORITY SECTION:
lan.net.                604610 IN NS epia.lan.net.
lan.net.                604610 IN RRSIG NS 5 2 604800 20100216094733 (
                                20100117094733 8880 lan.net.

rSYA6HALFeomfTHm4RJj8oTLC5+qxTWNicc3+OJmWGMI

shV7RIAzudbTR5qIPoDHTlCbG2aSeXq66uv1Of6xSb5v

UqcXZiu0AN8H0/NHyNZFvi6n2rg01ydJ1AYHk0P3AayZ
                                PbC4uhsyZKUTcUnYj6s8JCkxx2SDZ5ykIHzQ/1I= )

;; Query time: 1 msec
;; SERVER: 10.94.76.10#53(10.94.76.10)
;; WHEN: Sun Jan 17 14:09:49 2010
;; MSG SIZE  rcvd: 405



[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]