Re: DNSSEC patch for BIND

Board: DFBSD_submit | Posted: 2010/01/17 21:32
lentferj wrote:
> Attached is a patch that *should* enable DNSSEC support in BIND and all
> related tools (e.g. dig). According to what I could find out looking at
> the original tarball release from ISC, defining OPENSSL and linking to
> libcrypto should be sufficient, but unfortunately I have too little
> knowledge about DNSSEC to actually set up a test environment to check if
> it is really working. Maybe someone can jump in here.

Ok, I managed to set up an authoritative BIND server with a signed zone for my local network and a forwarder on a second machine following http://www.nlnetlabs.nl/publications/dnssec_howto/index.html. The output from a query is attached at the bottom.

As I was making many mistakes during the setup that ended up in error messages like "DS: authvalidated: got no valid KEY", "SERVFAIL" and "ignoring trusted key for 'xx.xx': no crypto support" and I finally got it working, I am 99% sure that DNSSEC is enabled correctly by this patch.

I am going to commit the patch in the next few hours.

Jan

atom# dig @10.94.76.10 +dnssec +multiline epia.lan.net

; <<>> DiG 9.5.2-P1 <<>> @10.94.76.10 +dnssec +multiline epia.lan.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 339
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;epia.lan.net. IN A

;; ANSWER SECTION:
epia.lan.net. 604610 IN A 10.94.76.3
epia.lan.net. 604610 IN RRSIG A 5 3 604800 20100216094733 (
                20100117094733 8880 lan.net.
                xet9rg0HEgDUQgENSspy6AGs5N3Zwk5V33H6nzfb5igj
                kN60+yxHPgNX5fyVnFq90yvlkiNWN7z8heF60g5xEe8X
                6mqfolhrmV7tHyIjI4U5ieyTSUwCFGH25K8G54/4Ql/a
                5mk0dTgH5yC5cTFs4I3BjhTUnGtaYLD6uNYPQmY= )

;; AUTHORITY SECTION:
lan.net. 604610 IN NS epia.lan.net.
lan.net. 604610 IN RRSIG NS 5 2 604800 20100216094733 (
                20100117094733 8880 lan.net.
                rSYA6HALFeomfTHm4RJj8oTLC5+qxTWNicc3+OJmWGMI
                shV7RIAzudbTR5qIPoDHTlCbG2aSeXq66uv1Of6xSb5v
                UqcXZiu0AN8H0/NHyNZFvi6n2rg01ydJ1AYHk0P3AayZ
                PbC4uhsyZKUTcUnYj6s8JCkxx2SDZ5ykIHzQ/1I= )

;; Query time: 1 msec
;; SERVER: 10.94.76.10#53(10.94.76.10)
;; WHEN: Sun Jan 17 14:09:49 2010
;; MSG SIZE rcvd: 405
Article ID (AID): #1BKn5Qsl (DFBSD_submit)
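The indicators in the dig output above that show DNSSEC validation took place (the `ad` header flag, the `do` EDNS flag, and RRSIG records inside their validity window) can be checked mechanically. The following is an added example, not part of the original post or of the patch; `check_dig` and its report keys are hypothetical names, and the sample is trimmed from the post's output with the signature bytes replaced by a constructed placeholder.

```python
import re
from datetime import datetime, timezone

# Trimmed from the dig output in the post above; the signature bytes are
# replaced by a constructed placeholder because they are not checked here.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 339
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
epia.lan.net.  604610 IN A 10.94.76.3
epia.lan.net.  604610 IN RRSIG A 5 3 604800 20100216094733 (
                20100117094733 8880 lan.net.
                cGxhY2Vob2xkZXI= )
"""

# owner ttl IN RRSIG covered alg labels origttl expiration [(] inception keytag signer
RRSIG = re.compile(
    r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+RRSIG[ \t]+(\S+)[ \t]+(\d+)[ \t]+\d+[ \t]+\d+"
    r"[ \t]+(\d{14})\s*\(?\s*(\d{14})[ \t]+(\d+)[ \t]+(\S+)", re.M)

def _ts(value):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_dig(text, now=None):
    """Summarise the DNSSEC indicators in `dig +dnssec` output."""
    now = now or datetime.now(timezone.utc)
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    edns = re.search(r"^; EDNS:.*flags:([^;]*);", text, re.M)
    sigs = []
    for owner, covered, alg, exp, inc, tag, signer in RRSIG.findall(text):
        sigs.append({"owner": owner, "covered": covered, "algorithm": int(alg),
                     "key_tag": int(tag), "signer": signer,
                     "in_window": _ts(inc) <= now <= _ts(exp)})
    report = {
        "status": status.group(1) if status else None,
        "ad": bool(flags) and "ad" in flags.group(1).split(),  # resolver validated
        "do": bool(edns) and "do" in edns.group(1).split(),    # DNSSEC OK bit set
        "rrsigs": sigs,
    }
    # Require all conditions together: NOERROR, AD set, RRSIGs present and current.
    report["validated"] = (report["status"] == "NOERROR" and report["ad"]
                           and bool(sigs) and all(s["in_window"] for s in sigs))
    return report

if __name__ == "__main__":
    when = datetime(2010, 1, 17, 14, 9, 49, tzinfo=timezone.utc)
    print(check_dig(SAMPLE, now=when))
```

The `ad` flag reports the forwarder's own validation result, so it is only as trustworthy as the network path between the client and that resolver.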