Hi Luca,

This is correct:

    dnssec-validation auto;

If you use "yes" there, then you must supply a trust anchor. Auto is the default.
The only idea I have is this:

    zone "." IN {
        type hint;
        file "named.ca";
    };

You don't need this anymore. BIND 9.18 will automatically find the root zones starting with built-in root zone data. I think it is possible to break dnssec starting at the root with incorrect or old data in the hint file. It cannot hurt anything to remove that.

Thank you,

Darren Ankney

On Fri, Jun 6, 2025 at 4:40 PM Luca vom Bruch <luca...@gmail.com> wrote:
>
> Hello!
>
> I run a server with Bind9.18 on Alma9.
>
> It acts as the nameserver for two domains. (with glue records from the
> registrar).
>
> DNSSEC is enabled but somehow outbound queries are not validated? Domains
> with dnssec do have the "ad" flag though. The local domains somehow don't have
> the ad flag.
>
> example:
>
> dig www.dnssec-failed.org +dnssec @localhost
>
> ; <<>> DiG 9.18.29 <<>> www.dnssec-failed.org +dnssec @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54441
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ; COOKIE: ab33b7cb2be017660100000068434ae5a046bf6060941c68 (good)
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org. IN A
>
> ;; ANSWER SECTION:
> www.dnssec-failed.org. 6086 IN A 68.87.109.242
> www.dnssec-failed.org. 6086 IN A 69.252.193.191
> www.dnssec-failed.org. 6086 IN RRSIG A 5 3 7200 20250621145120 20250604144620 44973 dnssec-failed.org. 6aHzJob+AUdBOyR9aErfXgtSnfE/gdQhiz1wdoZJD0lLZwhOhcD2OjA0 ct6vQjUWkQtu6SGVhKvvNsWtI6KqFLdBUc3QbnlsO3/tDk3/Powl7gdV CRqnj7Ridxjwyk5xYPurcZA/6dJK48uAFZsR5hlLCxcZN9vplBhlU6jz +9w=
>
> I believe the answer should be SERVFAIL?
>
> This is my config, I have tried with "auto" and "yes".
>
> options {
>     listen-on port 53 {
>         any;
>     };
>     listen-on-v6 port 53 {
>         any;
>     };
>     listen-on port 853 tls local-tls {
>         any;
>     };
>     listen-on-v6 port 853 tls local-tls {
>         any;
>     };
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     secroots-file "/var/named/data/named.secroots";
>     recursing-file "/var/named/data/named.recursing";
>
>     /*
>      - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
>      - If you are building a RECURSIVE (caching) DNS server, you need to enable
>        recursion.
>      - If your recursive DNS server has a public IP address, you MUST enable access
>        control to limit queries to your legitimate users. Failing to do so will
>        cause your server to become part of large scale DNS amplification
>        attacks. Implementing BCP38 within your network would greatly
>        reduce such attack surface
>     */
>     recursion yes;
>
>     dnssec-validation auto;
>
>     managed-keys-directory "/var/named/dynamic";
>     geoip-directory "/usr/share/GeoIP";
>
>     pid-file "/run/named/named.pid";
>     session-keyfile "/run/named/session.key";
>
>     /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
>     include "/etc/crypto-policies/back-ends/bind.config";
> };
>
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> zone "vom-bruch.com" {
>     type master;
>     file "/var/named/vom-bruch.com.hosts";
>     allow-transfer {
>         127.0.0.1;
>         localnets;
>     };
> };
> zone "eloi.at" {
>     type master;
>     file "/var/named/eloi.at.hosts";
>     allow-transfer {
>         127.0.0.1;
>         localnets;
>         213.255.218.23;
>         2a00:98c7:1000:1300:6e4b:90ff:fe57:e7b1;
>     };
> };
> tls local-tls {
>     cert-file "/etc/letsencrypt/live/vom-bruch.com/fullchain.pem";
>     key-file "/etc/letsencrypt/live/vom-bruch.com/privkey.pem";
>     dhparam-file "/var/cache/bind/dhparam.pem";
>     protocols { TLSv1.2; TLSv1.3; };
>     ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256";
>     prefer-server-ciphers yes;
>     session-tickets no;
> };
>
> statistics-channels { inet 127.0.0.1 port 8053 ; };
>
> Any ideas?
>
> Thanks,
> Luca
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
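The thread turns on reading two things out of a dig answer: whether a correctly signed name comes back with the "ad" flag, and whether a deliberately broken name (www.dnssec-failed.org) comes back SERVFAIL. The script below is an added example, not code from the thread or from ISC. It parses dig output offline and gives a verdict; the only sample taken from the thread is the header of the answer Luca quoted (NOERROR, no "ad"), the other three samples are constructed. The optional live probe assumes dig is installed and that isc.org is a signed zone.

```shell
#!/bin/sh
# Decide from dig output whether a resolver is validating DNSSEC.
# Rule: a signed name must carry the "ad" flag AND a known-broken name
# (www.dnssec-failed.org) must return SERVFAIL. Either one alone is not enough:
# a non-validating resolver happily hands back the broken name with NOERROR.

# Header lines of the answer quoted in the thread: NOERROR and no "ad".
LUCA_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54441
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: www.dnssec-failed.org from a validating resolver.
BAD_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: a correctly signed name from a validating resolver.
GOOD_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: the same signed name from a resolver that does not validate.
GOOD_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Print the RCODE (NOERROR, SERVFAIL, ...) from the ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Succeed if the ";; flags:" line carries "ad" (authenticated data).
# The [^;]* keeps the match inside the flag list, so "ADDITIONAL" later on
# the same line cannot trigger a false positive.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad( |;)'
}

# Verdict from two answers: $1 = signed name, $2 = deliberately broken name.
# Returns 0 when the resolver validates, 1 otherwise.
resolver_validates() {
    dig_has_ad "$1" || return 1
    [ "$(dig_status "$2")" = SERVFAIL ] || return 1
    return 0
}

# Live probe (needs dig and network). Assumes isc.org is DNSSEC-signed.
probe_resolver() {
    server="${1:-127.0.0.1}"
    good="$(dig @"$server" isc.org A +dnssec)"
    bad="$(dig @"$server" www.dnssec-failed.org A +dnssec)"
    if resolver_validates "$good" "$bad"; then
        echo "$server: validating"
    else
        echo "$server: NOT validating (status for broken name: $(dig_status "$bad"))"
    fi
}

# Offline demonstration on the embedded samples.
if resolver_validates "$GOOD_VALIDATED" "$BAD_VALIDATED"; then
    echo "sample resolver A: validating"
else
    echo "sample resolver A: NOT validating"
fi
if resolver_validates "$GOOD_UNVALIDATED" "$LUCA_OUT"; then
    echo "sample resolver B (answer from the thread): validating"
else
    echo "sample resolver B (answer from the thread): NOT validating"
fi

# Run "sh check.sh --probe [server]" to test a real resolver.
[ "${1:-}" = --probe ] && probe_resolver "${2:-127.0.0.1}"
true
```

Two practical notes. First, the "ad" flag is set by the resolver, so it only tells you something when dig talks to the resolver under test (here @localhost) and not when a stub resolver in between answers from its own cache. Second, to see which trust anchors named actually loaded, rndc secroots - dumps them to stdout; with dnssec-validation auto the root key comes from the built-in copy, with yes it must come from a trust-anchors statement.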