Re: DNSSEC vs netbsd-8/sparc?

To: jdbaker%consolidated.net@localhost
Subject: Re: DNSSEC vs netbsd-8/sparc?
From: Havard Eidnes <he%NetBSD.org@localhost>
Date: Fri, 17 Apr 2020 10:54:08 +0200 (CEST)

> When I tried turning on DNSSEC on the primary name server, it could no-
> longer resolve outside my own local network.  I think BIND in netbsd-7
> is considered too old to properly support current DNSSEC, so I commented
> those options out and it was again able to resolve external domains.

I think (hope!) that's inaccurate; BIND has in general had working
DNSSEC validation for a very long time.

However, NetBSD 7.0 had a /etc/namedb/bind.keys which only contained
the root DNSSEC key which is now expired (was valid until 11 jan 2019
according to https://data.iana.org/root-anchors/root-anchors.xml), so
if you start BIND with only the old root key in that file, any
attempts at doing DNSSEC validation will predictably fail.

An updated /etc/namedb/bind.keys from netbsd-7 contains also the new
root key, it was updated on the netbsd-7 branch on 2018-03-10 by the
looks of it.  If this update isn't applied to your configuration,
you'll get the failure described above.

There may of course be other problems causing this failure, but this
particular issue is easiest to sort out first.

Best regards,

- Håvard

Follow-Ups:
- Re: DNSSEC vs netbsd-8/sparc?
  - From: John D. Baker

References:
- DNSSEC vs netbsd-8/sparc?
  - From: John D. Baker

Prev by Date: wine64 (devel) and NetBSD 8.0
Next by Date: Re: Controlling pkg_rolling-replace
Previous by Thread: Re: DNSSEC vs netbsd-8/sparc?
Next by Thread: Re: DNSSEC vs netbsd-8/sparc?
Indexes:

Home | Main Index | Thread Index | Old Index