Bug #1644

DNSSEC patch for BIND

Added by lentferj over 11 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Attached is a patch that should enable DNSSEC support in BIND and all
related tools (e.g. dig). According to what I could find out looking at
the original tarball release from ISC, defining OPENSSL and linking to
libcrypto should be sufficient, but unfortunately I have too little
knowledge about DNSSEC to actually set up a test environment to check if
it is really working. Maybe someone can jump in here.

Thanks in advance

Jan


Files

unnamed (6.96 KB) unnamed lentferj, 01/08/2010 10:42 AM

History

#1

Updated by lentferj over 11 years ago

lentferj wrote:

Attached is a patch that should enable DNSSEC support in BIND and all
related tools (e.g. dig). According to what I could find out looking at
the original tarball release from ISC, defining OPENSSL and linking to
libcrypto should be sufficient, but unfortunately I have too little
knowledge about DNSSEC to actually set up a test environment to check if
it is really working. Maybe someone can jump in here.

Ok, I managed to set up an authoritative BIND server with a signed zone
for my local network and a forwarder on a second machine following
http://www.nlnetlabs.nl/publications/dnssec_howto/index.html.

The output from a query is attached at the bottom.
As I was making many mistakes during the setup that ended up in error
messages like "DS: authvalidated: got no valid KEY", "SERVFAIL" and
"ignoring trusted key for 'xx.xx': no crypto support" and I finally got
it working, I am 99% sure that DNSSEC is enabled correctly by this patch.

I am going to commit the patch in the next few hours.

Jan

atom# dig @10.94.76.10 +dnssec +multiline epia.lan.net

; <<>> DiG 9.5.2-P1 <<>> @10.94.76.10 +dnssec +multiline epia.lan.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 339
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;epia.lan.net. IN A

;; ANSWER SECTION:
epia.lan.net. 604610 IN A 10.94.76.3
epia.lan.net. 604610 IN RRSIG A 5 3 604800 20100216094733 (
        20100117094733 8880 lan.net.
        xet9rg0HEgDUQgENSspy6AGs5N3Zwk5V33H6nzfb5igj
        kN60+yxHPgNX5fyVnFq90yvlkiNWN7z8heF60g5xEe8X
        6mqfolhrmV7tHyIjI4U5ieyTSUwCFGH25K8G54/4Ql/a
        5mk0dTgH5yC5cTFs4I3BjhTUnGtaYLD6uNYPQmY= )

;; AUTHORITY SECTION:
lan.net. 604610 IN NS epia.lan.net.
lan.net. 604610 IN RRSIG NS 5 2 604800 20100216094733 (
        20100117094733 8880 lan.net.
        rSYA6HALFeomfTHm4RJj8oTLC5+qxTWNicc3+OJmWGMI
        shV7RIAzudbTR5qIPoDHTlCbG2aSeXq66uv1Of6xSb5v
        UqcXZiu0AN8H0/NHyNZFvi6n2rg01ydJ1AYHk0P3AayZ
        PbC4uhsyZKUTcUnYj6s8JCkxx2SDZ5ykIHzQ/1I= )

;; Query time: 1 msec
;; SERVER: 10.94.76.10#53(10.94.76.10)
;; WHEN: Sun Jan 17 14:09:49 2010
;; MSG SIZE rcvd: 405

#2

Updated by lentferj over 11 years ago

tested, works
