Root Zone DNSSEC Deployment Technical Status Update
Root Zone DNSSEC Deployment Technical Status Update 2010-05-05

This is the sixth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

** The final transition to a signed root zone took place today
** on J-Root, between 1700--1900 UTC.
**
** All root servers are now serving a signed root zone.
**
** All root servers will now generate larger responses to DNS
** queries that request DNSSEC information.
**
** If you experience technical problems or need to contact
** technical project staff, please send e-mail to rootsign@icann.org
** or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred
** if possible.
**
** See below for more details.

RESOURCES

Details of the project, including documentation published to date, can be found at <http://www.root-dnssec.org/>.

We'd like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DEPLOYMENT STATUS

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document "DNSSEC Deployment for the Root Zone", as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

All of the thirteen root servers have now made the transition to the DURZ. No harmful effects have been identified.

The final root server to make the transition, J-Root, started serving the DURZ in a maintenance window between 1700--1900 UTC on 2010-05-05.

Initial observations relating to this transition will be presented and discussed at the DNS Working Group meeting at RIPE 60 in Prague on 2010-05-06.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
2010-05-05: J starts to serve DURZ

To come:

2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
Hi,

I was building a test domain for trying out the dnssec. However as mentioned on various websites "ad" appears in the flags, but i can't see it. The domain i am using is not real and i am testing from the same machine, Fedora-12. Any help?

Thanks

options {
    dnssec-enable yes;
    dnssec-validation yes;
};

[root@ns1 named-data]# dig +dnssec @localhost www

; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +dnssec @localhost www
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www. IN A

;; AUTHORITY SECTION:
. 5221 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010051600 1800 900 604800 86400
. 5221 IN RRSIG SOA 8 0 86400 20100523070000 20100516060000 55138 . KTwve6TiQ6ShXCfEcbYusFWOCsx+IwCUumBr4GnwnNq1eqs7tqQaHqkJ T/ewcvjXvRGOmHjhGRgqkdESse+/fa+tz1sSdvMsTGGI2Ba9/Fbb43Ty eqsG5cFxbqfXOpwlA4ab9IR2Vkod6genONeYO6rrm2edNwQrf56wrtJr CNM=
. 5221 IN RRSIG NSEC 8 0 86400 20100523070000 20100516060000 55138 . uIgAQvJUyLjAPwb7zB8wcJ4wk++21g+iF/bJGlpvz4iUJOMwkPgqA2s/ A8W0MhxBjo7918xg6yJeqYwXB+rGG14F7UZfOBVlXIqno5/kXzi4Carh /8sulBMyHbFmVlOht5SLU230ROaI6+4o0B6IRyiP5Vzgjt00zyFu26Rg Yb8=
. 5221 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
ws. 5221 IN RRSIG NSEC 8 1 86400 20100523070000 20100516060000 55138 . KsvM0PTDqWt0yoJNZ4k1UGTw0UtJZxsZa17bDHAyY7w1eocZlCqGJNd8 2/WDeJMfCkM+MakJLblnixlI6QcNYV6ctrKZkNuA/iX2rwapouVYoC7G HxvBLnb5TFWkCML+fhgOWza8RmRnCTY593uBgsPtcgEfTZAzYB+QFCEP 6oI=
ws. 5221 IN NSEC æµè¯. NS RRSIG NSEC

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 16 11:02:43 2010
;; MSG SIZE rcvd: 641

===============================================================
On Wed, May 5, 2010 at 2:23 PM, Joe Abley <joe.abley@icann.org> wrote:
Root Zone DNSSEC Deployment Technical Status Update 2010-05-05
This is the sixth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
** The final transition to a signed root zone took place today
** on J-Root, between 1700--1900 UTC.
**
** All root servers are now serving a signed root zone.
**
** All root servers will now generate larger responses to DNS
** queries that request DNSSEC information.
**
** If you experience technical problems or need to contact
** technical project staff, please send e-mail to rootsign@icann.org
** or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred
** if possible.
**
** See below for more details.
RESOURCES
Details of the project, including documentation published to date, can be found at <http://www.root-dnssec.org/>.
We'd like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
DEPLOYMENT STATUS
The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document "DNSSEC Deployment for the Root Zone", as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.
All of the thirteen root servers have now made the transition to the DURZ. No harmful effects have been identified.
The final root server to make the transition, J-Root, started serving the DURZ in a maintenance window between 1700--1900 UTC on 2010-05-05.
Initial observations relating to this transition will be presented and discussed at the DNS Working Group meeting at RIPE 60 in Prague on 2010-05-06.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
2010-05-05: J starts to serve DURZ
To come:
2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
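An added example, not part of the original thread: a Python check that reads dig output such as the one in the question above and reports why the `ad` flag is absent. The first sample is an abridged copy of the posted output with the signature data omitted; the other samples, the function names and the result labels are constructed for illustration.

```python
import re

# Abridged copy of the dig output posted in the thread; signature data omitted.
POSTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16601
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
. 5221 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010051600 1800 900 604800 86400
. 5221 IN RRSIG SOA 8 0 86400 20100523070000 20100516060000 55138 . <omitted>
. 5221 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
"""

# Constructed samples (not from the thread) covering two other outcomes.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
www.example. 300 IN A 192.0.2.10
www.example. 300 IN RRSIG A 8 2 300 20100523070000 20100516060000 12345 example. <omitted>
"""
NO_DO = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
www.example. 300 IN A 192.0.2.10
"""

ADVICE = {
    "validated": "The resolver validated the data and set AD.",
    "servfail": "SERVFAIL; if validation is the cause, the same query with dig +cd returns data.",
    "do-not-set": "No DO bit in the EDNS line; repeat the query with dig +dnssec.",
    "signed-but-unvalidated": "Signatures came back but the resolver did not validate them: "
                              "no trust anchor covers the name, or the zone cannot be validated.",
    "unsigned": "DO was set but no RRSIG was returned; the data is not signed.",
}


def parse_dig(text):
    """Pull status, header flags, EDNS flags and RRSIG presence out of dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    edns = re.search(r"^; EDNS:.*flags: ([a-z ]*);", text, re.M)
    has_rrsig = any(re.match(r"\S+\s+\d+\s+IN\s+RRSIG\s", ln) for ln in text.splitlines())
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "edns_flags": set(edns.group(1).split()) if edns else set(),
        "has_rrsig": has_rrsig,
    }


def diagnose(text):
    """Return a label from ADVICE describing the validation state of a response."""
    r = parse_dig(text)
    if "ad" in r["flags"]:
        return "validated"
    if r["status"] == "SERVFAIL":
        return "servfail"
    if "do" not in r["edns_flags"]:
        return "do-not-set"
    return "signed-but-unvalidated" if r["has_rrsig"] else "unsigned"


if __name__ == "__main__":
    for name, sample in (("posted", POSTED), ("validated", VALIDATED), ("no-do", NO_DO)):
        label = diagnose(sample)
        print(f"{name}: {label}: {ADVICE[label]}")
```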
You probably need a trust anchor as well. See http://ftp.isc.org/isc/pubs/tn/isc-tn-2006-1.html.

Rubens

On Sun, May 16, 2010 at 3:14 PM, itservices88 <itservices88@gmail.com> wrote:
Hi,
I was building a test domain for trying out the dnssec. However as mentioned on various websites "ad" appears in the flags, but i can't see it. The domain i am using is not real and i am testing from the same machine, Fedora-12. Any help?
Thanks
options { dnssec-enable yes; dnssec-validation yes; };
Thanks for hint. I also found this a useful link: https://dlv.isc.org/about/using

-dani

On Sun, May 16, 2010 at 11:52 AM, Rubens Kuhl <rubensk@gmail.com> wrote:
You probably need a trust anchor as well. See http://ftp.isc.org/isc/pubs/tn/isc-tn-2006-1.html.
Rubens
I am having this problem now:

# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
The zone is not fully signed for the following algorithms: RSASHA1.
dnssec-signzone: fatal: DNSSEC completeness test failed.

What could be wrong .... I have followed these steps:

OS = centos 5.4 with bind-9.6.2-3.P1

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mydomain.org
dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE mydomain.org
cat Kmydomain.org.+005+*.key >> mydomain.org
dnssec-signzone -N INCREMENT mydomain.org

Thanks
-dani

On Sun, May 16, 2010 at 11:52 AM, Rubens Kuhl <rubensk@gmail.com> wrote:
You probably need a trust anchor as well. See http://ftp.isc.org/isc/pubs/tn/isc-tn-2006-1.html.
Rubens
I have these in named.conf

dnssec-enable yes;
dnssec-validation yes;
// dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";

With the trust-anchor uncommented, as soon as i enable and reload bind, dig gives timeout, while dig has no issues with first two commands enabled.

-dani

On Thu, May 20, 2010 at 8:53 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Thu, 20 May 2010 08:33:47 PDT, itservices88 said:
I am having this problem now:
# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
Missing trust anchor?
On 2010-05-20, at 12:18, itservices88 wrote:
I have these in named.conf
dnssec-enable yes;
dnssec-validation yes;
// dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";

With the trust-anchor uncommented, as soon as i enable and reload bind, dig gives timeout, while dig has no issues with first two commands enabled.
You should probably take these questions to the bind-users list, where there are many people who will help you. See <https://lists.isc.org/mailman/listinfo>.

Configuring DLV is quite possibly not what you want in this instance.

Joe
Is there any specific dnssec mailing list, which might be more helpful.

Thanks
-dani

On Thu, May 20, 2010 at 8:53 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Thu, 20 May 2010 08:33:47 PDT, itservices88 said:
I am having this problem now:
# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
Missing trust anchor?
On Thu, 20 May 2010 09:19:44 PDT, itservices88 said:
Is there any specific dnssec mailing list, which might be more helpful.
https://lists.dns-oarc.net/mailman/listinfo/dns-operations (Unless I've fat-fingered it and it's elsewhere?)
Is there any specific dnssec mailing list, which might be more helpful.
DNSSEC Deployment <dnssec-deployment@dnssec-deployment.org>
http://www.dnssec-deployment.org/

steve
participants (6)
- itservices88
- Joe Abley
- Joe Abley
- Rubens Kuhl
- Steven G. Huter
- Valdis.Kletnieks@vt.edu