1 DNSSEC Validation the Easy Way

Problem: You want your recursive BIND server to perform DNSSEC validation, but you don't have much time to invest. Solution: ISC BIND 9 (in all currently supported versions at the time of this writing) contains a built-in copy of the root zone KSK (key signing…

2 Why does dig report one more record in the additional section of a query response than I am seeing?

This is not a bug, and it is not new behavior, although those newly upgrading to BIND 9.9 from earlier versions may have encountered it for the first time there. In BIND 9.9.0 and newer, dig has changed its defaults: dig now defaults to using options "+adflag"…

3 Why does BIND log messages about disabling EDNS or reducing the advertised packet size?

Question: What do these messages mean, and is there any problem that might be caused as a result? success resolving ... (query etc) ... after reducing the advertised EDNS UDP packet size to 512 octets success resolving ... (another query etc.) ... after disabling…

4 Can I extract the key tag from a DNSKEY obtained via dig?

dig +multi will show the key tag. In BIND 9.9, you can also use dig +rrcomments, and both options provide more key information than was available with 9.8.2 dig. 9.8.2: $ dig +multi isc.org DNSKEY ; <<>> DiG 9.8.2 <<>> +multi isc.org…

5 How do I display the contents of a .signed zone file in human-readable format?

BIND 9.9.0 introduced inline signing. BIND writes its backup signed zone file in raw format (this is the format in which the zone data is stored in working memory - it is faster to load/write the zone data in this format). Use named-checkzone to read the…

6 What do "no source of entropy found" or "could not open entropy source foo" mean?

The server requires a source of entropy -- i.e., random numbers -- to perform certain cryptographic operations for DNSSEC or generate keys for TSIG. These messages indicate that you have no source of entropy. On systems that use /dev/random or an equivalent…

7 Why do queries for NSEC3 records fail to return the NSEC3 record?

Although NSEC3 records are present as part of a signed DNS zone's representation (in master files and zone transfers), they are strictly metadata and cannot be queried for directly. The owner names of NSEC3 records do not form a part of the DNS domain tree.…

8 I don't get RRSIGs returned when I use "dig +dnssec" - why is this?

Most likely, the domain is not signed. If it is signed, then check whether DNSSEC has been disabled on the name server you are querying. In BIND 9, DNSSEC is enabled by default, but can be disabled with: dnssec-enable no; If this has been done, the server…