# DNSSEC not working, not logging with net-dns/bind-9.7.1_p2

## slev0

I've been on Google all day, and I'm starting to give up hope.

I have named configured correctly, so far as I can tell, based on http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers

/etc/bind/bind.keys:

```
/* IANA root pubkey */
managed-keys {
        "." initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
         QxA+Uk1ihz0=";
};
```

/etc/bind/named.conf (relevant options only):

```
options {
        bindkeys-file "/etc/bind/bind.keys";
        dnssec-enable yes;
        dnssec-validation yes;
};

logging {
        channel dnssec_log {
                file "/tmp/dnssec++.log" size 20m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity debug 3;
        };
        category dnssec  { dnssec_log;  };
};
```

I noticed the root cache was out of date, and updated that. The master key is taken from http://data.iana.org/root-anchors/ . Nothing is ever logged to dnssec++.log, unless I enable dnssec-lookaside pointing to dlv.isc.org -- if I do that, the log fills with errors immediately, and I can't resolve a thing.

I've confirmed I can retrieve DNSKEY records and such using dig. My DNS setup -- caching/recursive plus a small, local authoritative zone -- works great other than this. I'm using a configuration based closely on /usr/portage/net-dns/bind/files/named.conf-r4 . I have no idea what to do next.

Has anyone ever actually gotten DNSSEC working under Gentoo with BIND?  I can't find any evidence of it anywhere.

Oh, and I'm testing with http://test.dnssec-or-not.org/ . I think the total absence of DNSSEC activity in the log is damning enough, anyway.
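Before blaming the resolver, one thing worth ruling out is the anchor itself: a pasted trust anchor that does not match the DS IANA publishes will never validate anything. The script below is an added example for this thread, not code from the post, from Gentoo or from BIND. It parses the managed-keys text exactly as posted above (embedded as constructed input), computes the DNSKEY key tag (RFC 4034, Appendix B) and the SHA-256 DS digest (RFC 4509), and compares both with the DS record IANA published for the 2010 root KSK (key tag 19036, algorithm 8, digest type 2). It runs offline; no network access is needed.

```python
"""Verify a BIND managed-keys trust anchor against a published DS record.

Added example for this thread, not code from the post or from BIND.
It parses the bind.keys text posted above, computes the DNSKEY key tag
(RFC 4034, Appendix B) and the DS digest (RFC 4509, SHA-256), and
compares both with the DS that IANA publishes for the 2010 root KSK.
Runs offline: the only input is the text embedded below.
"""
import base64
import hashlib
import re

# Constructed input: the managed-keys block exactly as posted in the thread.
BIND_KEYS = """
/* IANA root pubkey */
managed-keys {
        "." initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
         QxA+Uk1ihz0=";
};
"""

# The DS record IANA published for the root KSK-2010:
# (key tag, algorithm, digest type, digest).  Compare a pasted anchor against this.
PUBLISHED_ROOT_DS = (19036, 8, 2,
    "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

# One anchor: "<owner>" initial-key <flags> <protocol> <algorithm> "<base64>";
# BIND allows the quoted key to be broken across lines, so [^"]+ spans newlines.
ANCHOR_RE = re.compile(
    r'"(?P<owner>[^"]+)"\s+initial-key\s+(?P<flags>\d+)\s+(?P<proto>\d+)'
    r'\s+(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;')


def parse_managed_keys(text):
    """Return the anchors in a managed-keys block as dicts with raw key bytes."""
    anchors = []
    for m in ANCHOR_RE.finditer(text):
        key_b64 = re.sub(r"\s+", "", m.group("key"))  # drop line breaks/indent
        anchors.append({
            "owner": m.group("owner"),
            "flags": int(m.group("flags")),
            "protocol": int(m.group("proto")),
            "algorithm": int(m.group("alg")),
            "pubkey": base64.b64decode(key_b64, validate=True),
        })
    return anchors


def owner_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2); the root is one NUL."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(anchor):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return (anchor["flags"].to_bytes(2, "big")
            + bytes([anchor["protocol"], anchor["algorithm"]])
            + anchor["pubkey"])


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the number dig prints as 'key id = N')."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(anchor, digest_type=2):
    """DS digest over owner-name | DNSKEY RDATA; type 1 = SHA-1, type 2 = SHA-256."""
    data = owner_to_wire(anchor["owner"]) + dnskey_rdata(anchor)
    algo = {1: hashlib.sha1, 2: hashlib.sha256}.get(digest_type)
    if algo is None:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return algo(data).hexdigest().upper()


def check_anchor(anchor, published_ds):
    """Compare one parsed anchor with a published DS; return a findings dict."""
    tag, alg, dtype, digest = published_ds
    rdata = dnskey_rdata(anchor)
    findings = {
        "key_tag": key_tag(rdata),
        "digest": ds_digest(anchor, dtype),
        # A trust anchor should be a zone key (0x0100) with the SEP bit (0x0001):
        # flags 257 as posted.  Protocol must be 3 (RFC 4034).
        "is_zone_key": bool(anchor["flags"] & 0x0100),
        "is_sep": bool(anchor["flags"] & 0x0001),
        "protocol_ok": anchor["protocol"] == 3,
        "algorithm_ok": anchor["algorithm"] == alg,
    }
    findings["matches_published_ds"] = (
        findings["key_tag"] == tag and findings["digest"] == digest
        and findings["protocol_ok"] and findings["algorithm_ok"])
    return findings


def check_bind_keys(text=BIND_KEYS, published_ds=PUBLISHED_ROOT_DS):
    """Check every root ('.') anchor in a bind.keys text; returns a list of findings."""
    return [check_anchor(a, published_ds)
            for a in parse_managed_keys(text) if a["owner"] == "."]


if __name__ == "__main__":
    for f in check_bind_keys():
        status = "OK" if f["matches_published_ds"] else "MISMATCH"
        print("key tag %d  DS %s  %s" % (f["key_tag"], f["digest"], status))
```

If the computed key tag and digest match the published DS, the anchor text is not the problem and the investigation moves to the resolver; if they do not, the paste is corrupt. BIND's own `dnssec-dsfromkey` produces the same DS from a DNSKEY file, and `dig . DNSKEY +dnssec` shows the key tag of the KSK currently served, so the value computed here can be cross-checked against both.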

----------

## darkphader

Saw your post, but sorry I've long since switched from bind to nsd and unbound (with a side trip for a couple of years through djbdns). I followed http://www.unbound.net/documentation/howto_anchor.html and DNSSEC just worked. Much simpler than I thought it would be.

----------

## slev0

*darkphader wrote:*

> Saw your post, but sorry I've long since switched from bind to nsd and unbound (with a side trip for a couple of years through djbdns). I followed http://www.unbound.net/documentation/howto_anchor.html and DNSSEC just worked. Much simpler than I thought it would be.

The last time I checked in with Unbound, it was authoritative-only, or at least not recursive. Can Unbound handle recursion/caching yet, or is it ever planned to? That's my primary use; so far, I'm not bothering to sign my local authority, because it's visible on this LAN and nowhere else in the world. (Or so I hope.)

I'm perfectly willing to switch at this point; BIND configuration drives me nuts. It's the Sendmail of DNS. I use it partly because employers have, so I try to keep my hand in.

----------

## darkphader

NSD is authoritative only, Unbound is recursive, does caching.

----------

## slev0

*darkphader wrote:*

> NSD is authoritative only, Unbound is recursive, does caching.

I will definitely check out Unbound. Thanks!

----------

