Chronophage.net Blog

DNSSEC

by Nick on Jul.09, 2009, under News, Twitter

So, I discovered that .org is signed. Unfortunately, I discovered this the hard way. I think there’s a DNSSEC bug in the version of BIND that I’m running. So time to update world on Calypso. Wee!

*UPDATE*

I upgraded to BIND 9.6.0 and all appears to be well.
I followed these instructions: http://closedsrc.org/_static/dn-articles/bind9.html
and overwrote the base install. I like to live dangerously…after testing it on one or two test machines. ;)

2 Comments for this entry

  • Alan Clegg

    Can you provide more information on the failure mode? I’m very curious.

  • nick

    Hey Alan, thanks for the response.

    I haven’t done much troubleshooting on this yet. I’m fairly sure this is a known bug in the version of BIND that I’m running (9.4.2-P2). However, it could easily be a configuration issue on my part. I basically used this as an excuse to update world, as I was running a very early version of FreeBSD 7.1. Unfortunately, the STABLE release of 7.2 seems to have the same version of BIND.

    With DNSSEC enabled, when I dig org, I get the following:

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 50376
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;org. IN A

    With DNSSEC disabled, it resolves normally.
