
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
0 answers
131 views
Debugging systemd-resolved cache / systemd-resolved returns outdated responses
I updated the DNS settings at my DNS provider for my domain. While all public DNS servers, including the DNS resolver of my router, have picked up the new settings after some hours, systemd-resolved still shows the previous (outdated) records. I already tried `resolvectl flush-caches` but it did not help. How do I debug where systemd-resolved gets the outdated records from?

**`systemd-resolved` Configuration**

```
myuser@desktop-pc ~ $ resolvectl status
Global
           Protocols: +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google 1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google 2606:4700:4700::1001#cloudflare-dns.com
                      2001:4860:4860::8844#dns.google

Link 2 (enp6s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.178.1
       DNS Servers: 192.168.178.1
        DNS Domain: fritz.box

Link 3 (sit0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
```

**Querying "upstream" DNS servers returns correct response**

```
myuser@desktop-pc ~ $ dig +nocmd +nocomments +nostats +noquestion @192.168.178.1 my-domain.tld. DNSKEY my-domain.tld. DS
my-domain.tld.              3600    IN      DNSKEY  257 3 13 lwrfAkszf5Ntm0HOvMcU5Hy9mRdIcdJCePC5yiEdFzDvYP/d3/A1JfoT di4xDocD1rK7hzC3RLyC/u87Y6lRkQ==
my-domain.tld.              85456   IN      DS      48469 13 2 B2744CEE8C59AE34191B6BED6C1710364C4857F59727FC155F53A575 EADAF835
myuser@desktop-pc ~ $ dig +nocmd +nocomments +nostats +noquestion @1.1.1.1 my-domain.tld. DNSKEY my-domain.tld. DS
my-domain.tld.              3600    IN      DNSKEY  257 3 13 lwrfAkszf5Ntm0HOvMcU5Hy9mRdIcdJCePC5yiEdFzDvYP/d3/A1JfoT di4xDocD1rK7hzC3RLyC/u87Y6lRkQ==
my-domain.tld.              86400   IN      DS      48469 13 2 B2744CEE8C59AE34191B6BED6C1710364C4857F59727FC155F53A575 EADAF835
myuser@desktop-pc ~ $ dig +nocmd +nocomments +nostats +noquestion @1.0.0.1 my-domain.tld. DNSKEY my-domain.tld. DS
my-domain.tld.              3600    IN      DNSKEY  257 3 13 lwrfAkszf5Ntm0HOvMcU5Hy9mRdIcdJCePC5yiEdFzDvYP/d3/A1JfoT di4xDocD1rK7hzC3RLyC/u87Y6lRkQ==
my-domain.tld.              86400   IN      DS      48469 13 2 B2744CEE8C59AE34191B6BED6C1710364C4857F59727FC155F53A575 EADAF835
```

All DNS servers (incl. my local Internet router 192.168.178.1) return the correct (new) DS record.

**Local stub resolver returns outdated response**

```
myuser@desktop-pc ~ $ dig +nocmd +nocomments +nostats +noquestion my-domain.tld. DNSKEY my-domain.tld. DS
my-domain.tld.              1627    IN      DNSKEY  257 3 13 lwrfAkszf5Ntm0HOvMcU5Hy9mRdIcdJCePC5yiEdFzDvYP/d3/A1JfoT di4xDocD1rK7hzC3RLyC/u87Y6lRkQ==
my-domain.tld.              6644    IN      DS      6769 8 2 61D117BD41CC280C4907804324B3F2B6E6810D881F1E1D1F4C0E8423 39976A70
```

The local stub resolver (127.0.0.53), which is built into systemd-resolved, returns the outdated DS record.
user2690527 (412 rep)
Jul 28, 2024, 11:50 AM • Last activity: Jul 28, 2024, 12:36 PM
0 votes
0 answers
66 views
no automatic DNSSEC key rollover
I have a DNSSEC `bind` server. Everything works just fine - except one little issue: why is there no automatic ZSK rollover happening? I thought BIND would generate and install new ZSK keys every 180 days. Are my expectations incorrect or are there problems with my config? I did not find any hints in the logs. How can I debug it? I'm currently running version 9.18.24.

The policy in /etc/named.conf:

```
dnssec-policy "my_policy" {
    keys {
        ksk key-directory lifetime unlimited algorithm ecdsa256;
        zsk key-directory lifetime P180D algorithm ecdsa256;
    };
    nsec3param iterations 0 optout no salt-length 0;
    parent-ds-ttl PT1H;
};
```

and the output of `rndc dnssec -status` (why is it *"No rollover scheduled"*?):

```
.....
key: 51503 (ECDSAP256SHA256), ZSK
  published:      yes - since Fri Dec  9 12:11:44 2022
  zone signing:   yes - since Fri Dec  9 12:11:44 2022

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent
```

---

Update: I could not find a way to make an automatic rollover happen after the configured 180 days. So I did a manual rollover:

```
rndc dnssec -rollover -key ...
```

and the newly generated key has the next rollover scheduled. Hopefully that solved the problem. Maybe the policy controls the key only during its creation, and later policy changes do not affect existing keys.
VPfB (809 rep)
Mar 27, 2024, 06:38 PM • Last activity: Jun 12, 2024, 08:12 AM
8 votes
4 answers
1131 views
Chicken and egg problem with NTP and Bind
This is a report of a problem I solved, but I feel the solution could be useful to others. The problem appeared on Raspbian 9.13. For some - probably hardware - reasons still to be discovered, my Raspberry Pi-based router crashed and could not restart. I found it stuck on the rainbow-like image displayed when the Pi is just powered up. Anyway, I restarted the Pi and everything worked as usual. The only thing that did not work was Bind 9. The daemon was running but name resolution did not work. I had a look at the following help: https://dnsinstitute.com/documentation/dnssec-guide/ch05s04.html because I found weird logs in /var/log/named/dnssec.log:

```
validating ./NS: verify failed due to bad signature (keyid=60955): RRSIG validity period has not begun
```

One possible solution I found was that, indeed, the time was not right: the Pi displayed a time a good five hours in the past, which explained why it found the RRSIG validity in the future. Thing is: it could not set its time right because it could not resolve the NTP servers' names. Because name resolution did not work at all, because the time was not right.
David Verdin (213 rep)
Jun 23, 2023, 09:17 AM • Last activity: Jun 25, 2023, 02:50 PM
3 votes
2 answers
1759 views
Problem migrating named/bind config to dnssec-policy
I have a working DNSSEC name server. It runs on BIND 9.18 on recent Fedora. I have two keys (KSK, ZSK), my parent (DNS-wise) got a valid DS record and everything is fine. Really. The DNSSEC analyzers are happy with the setup too. But then came this log message:

> 'auto-dnssec' option is deprecated and will be removed in BIND 9.19.
> Please migrate to dnssec-policy

I don't know if and when 9.19 will be pushed to updates. But I tried to be prepared and replaced this config (in the zone block):

```
auto-dnssec maintain;
inline-signing yes;
```

with:

```
dnssec-policy sk_policy;
inline-signing yes;
```

and the policy itself is defined in the top level config:

```
dnssec-policy "sk_policy" {
    keys {
        ksk key-directory lifetime unlimited algorithm ecdsa256;
        zsk key-directory lifetime unlimited algorithm ecdsa256;
        // zsk rollover postponed for later
        // zsk key-directory lifetime P90D algorithm ecdsa256;
    };
    nsec3param iterations 0 optout no salt-length 0;
    parent-ds-ttl PT1H;
};
```

but the server logs an error every 10 minutes:

```
reconfiguring zone keys
zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk
```

Google did not find anything when I searched for this error message. I tried with file permissions allowing everything in the keys directory, I tried to temporarily disable SELinux (strict -> permissive to be precise), but no warnings were generated. Nothing helped so far. I don't know what file the server wants to write, where, or what the error is. I also tried to remove the journal files, etc., but this is a production machine, I cannot experiment too much, so I returned everything to the original state and will stick with version 9.18 for now. Could anybody help to get the 'dnssec-policy' working without errors?

---

UPDATE #2:

- I posted a summary of my experiments as a (preliminary) answer. I'm still looking for a good source of information in order to stop these trial-and-error experiments.
VPfB (809 rep)
Feb 1, 2023, 07:15 PM • Last activity: Mar 13, 2023, 07:38 AM
6 votes
1 answers
7708 views
can't generate key via dnssec-keygen
```
$ dnssec-keygen -a HMAC-MD5 -b 512 -n HOST {host}
```

The above results in a blank line and endless waiting.

```
$ dnssec-keygen -T DNSKEY -a HMAC-MD5 -b 512 -n HOST {host}
```

The same.

Entropy:

```
$ cat /proc/sys/kernel/random/entropy_avail
890
```

PS. I was trying to make some noise with **find /** but that brought no result.
ceph3us (595 rep)
Jun 16, 2016, 08:10 PM • Last activity: Apr 26, 2021, 04:14 PM
0 votes
1 answers
373 views
Bind Sync Unknown Command
Could anybody please enlighten me on the following messages in my logs for Bind:

```
sync 127.in-addr.arpa(unknown command): 2 Time(s)
sync domain.com(unknown command): 2 Time(s)
```

It's neither an error nor a warning. It's all up and running OK and I see no problems anywhere. How do I fix it, and what is it all about? I cannot seem to google anything on it. Many thanks in advance!
Dennis (125 rep)
Aug 24, 2019, 08:51 AM • Last activity: Aug 24, 2019, 09:02 AM
1 votes
1 answers
98 views
What does a resolver do if DNSSEC is properly configured on a server that isn't reporting to be authoritative
Does DNSSEC require that my `NS1` and `NS2` stored at the registrar be authoritative, or just that they answer for the domain? Can non-authoritative DNS servers answer the query? Does anything specify what happens at that point in time? From the BIND DNSSEC Guide:

[image: figure from the BIND DNSSEC Guide, not reproduced here]

What happens in the above circumstance if the fbi.gov name server that is written in the ns1 at the registrar is non-authoritative but has all the appropriate records?
Evan Carroll (34663 rep)
May 2, 2019, 05:06 PM • Last activity: May 2, 2019, 09:43 PM
-1 votes
1 answers
1448 views
shell script if output equal any ip address
If the `$IP` output is equal to any IP address it must print 1, else it must print 0.

```sh
#!/bin/sh
IP=$(/usr/local/bin/dig ns.ripe.net. a +short)
if [ $IP = "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" ]; then
    echo 1
elif [ $IP != $ANY_IP ]; then
    echo 0
fi
```

I need to write a script which must check if the output of "/usr/local/bin/dig ns.ripe.net. a +short" returns any IP address; if so it should return 1, else return 0. The purpose of this script is to check DNSSEC. How can I denote any IP address for comparing?
David (369 rep)
Oct 10, 2018, 01:54 PM • Last activity: Dec 16, 2018, 11:46 AM
2 votes
1 answers
356 views
dnscrypt-proxy - not getting dnssec results
I have installed dnscrypt-proxy and am using a dnssec-enabled provider; however, when testing my configuration, I'm not getting back dnssec information:

```
dig @127.0.0.1 -p 5300 weather.com +dnssec +multi

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 -p 5300 weather.com +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 256
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;weather.com.           IN A

;; ANSWER SECTION:
weather.com.            20 IN A 23.199.61.218

;; Query time: 112 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Tue Mar 07 10:27:54 EST 2017
;; MSG SIZE  rcvd: 56
```

Any ideas?
Walter (1264 rep)
Mar 7, 2017, 03:30 PM • Last activity: Jun 16, 2017, 09:42 AM
3 votes
2 answers
1017 views
How to locally validate DNSSEC?
I want to simulate the process of chain of trust validation locally. I did the following:

1) signed my zone.
2) installed unbound, but I can not configure it for DNSSEC validation. Could you help?

- How can I set unbound to see and validate my zone?
- How do I add my DS to the server?
- How do I set the AD flag for dig queries?
Eng .. Abdalmonem (67 rep)
Sep 18, 2014, 02:43 PM • Last activity: May 18, 2016, 12:57 PM
1 votes
0 answers
240 views
How do I troubleshoot DDNS forwarding problem?
Running BIND 9.10.3-P4-RedHat-9.10.3-12.P4.fc23 and DHCP Server 4.3.3-P1. DNS zones report no errors and appear to work (dig, nslookup, nsupdate, dnssec, rpz, etc.). DHCP starts up without complaint and assigns IPs, but log file messages similar to:

```
Unable to add forward map from pc2.blkdiamonds.lan. to 10.0.2.63
```

appear for each client. I've read man pages, forum posts, dhcp-users lists and archives but I haven't been able to determine what's different in my configuration that causes the DHCP server to send the client's forward map back to the client. Any ideas will be greatly appreciated. DHCP.CONF (partial) is as follows:

```
default-lease-time 600;
max-lease-time 7200;
ddns-updates on;
update-static-leases on;
use-host-decl-names on;
ddns-update-style interim;
authoritative;
include "/etc/named/_blkdiamonds.ddns.update.key";
log-facility local7;
ping-check true;
ddns-domainname "blkdiamonds.lan.";
ddns-rev-domainname "in-addr.arpa.";
server-identifier roxie.blkdiamonds.lan;
local-address 10.0.2.254;
one-lease-per-client on;
do-forward-updates true;
....
shared-network benu {
    ignore client-updates;
    deny unknown-clients;
    # wr0
    subnet 10.0.2.0 netmask 255.255.255.0 {
        authoritative;
        ignore client-updates;
        deny unknown-clients;
        ddns-domainname "blkdiamonds.lan.";
        ddns-rev-domainname "in-addr.arpa.";
        range 10.0.2.160 10.0.2.167;
        option broadcast-address 10.0.2.255;
        option domain-name-servers 10.0.2.254;
        option ntp-servers 10.0.2.254;
        option routers 10.0.2.254;
        option time-servers 10.0.2.254;
        group {
            host pc2-wifi.blkdiamonds.lan {
                hardware ethernet 88:25:2c:bc:11:1a;
                fixed-address 10.0.2.63;
                ddns-hostname "Roy-fallen-pc2-wifi";
            }
            ...
```

Another subnet
FlashL (11 rep)
Apr 20, 2016, 03:12 AM
2 votes
1 answers
1091 views
Is it possible to mix zones with DNSSEC enabled and disabled in BIND?
I have a dozen domains configured in a set of zones in BIND and I need to add a new one with DNSSEC enabled. If I enable DNSSEC:

```
options {
    dnssec-enable yes;
    dnssec-validation yes;
};
```

Will it break the other domains? It looks like it won't, but I want to be sure.
Adriano P (153 rep)
Jul 21, 2015, 05:13 PM • Last activity: Sep 21, 2015, 02:26 PM
3 votes
1 answers
219 views
DNSSEC: how are DS records supposed to be transferred and end up in parent zone?
My notes say that the hash is supposed to be securely sent and stored in the parent zone, so what do I do after:

```
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE mydomain.net
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK mydomain.net
dnssec-signzone -g -o mydomain.net -N increment -k Kmydomain.net.+008+27724 mydomain.net.rev Kmydomain.net.+008+26646
dnssec-signzone -g -o mydomain.net -N increment -k Kmydomain.net.+008+27724 mydomain.net.fwd Kmydomain.net.+008+26646
```

Is there a command, or do I get in contact with the parent domain administrator and ask them to include it?
James Sterling (33 rep)
Sep 22, 2014, 06:00 PM • Last activity: Sep 24, 2014, 03:50 AM
4 votes
1 answers
4579 views
What does the Bind bindkeys-file directive do?
Just trying to understand the `bindkeys-file` directive related to the DNSSEC extension in the Bind configuration. Is that a public key? Does it sign the response in the same way as digital signatures?
Ask and Learn (1895 rep)
Jun 24, 2014, 11:20 AM • Last activity: Jun 24, 2014, 11:16 PM
Showing page 1 of 14 total questions