Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

David Conrad <drc@virtualized.org> Fri, 07 April 2017 00:05 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3788F128854 for <dnsop@ietfa.amsl.com>; Thu, 6 Apr 2017 17:05:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v5e7AgAqbEHK for <dnsop@ietfa.amsl.com>; Thu, 6 Apr 2017 17:05:28 -0700 (PDT)
Received: from mail-pg0-x231.google.com (mail-pg0-x231.google.com [IPv6:2607:f8b0:400e:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DA281296C3 for <dnsop@ietf.org>; Thu, 6 Apr 2017 17:05:26 -0700 (PDT)
Received: by mail-pg0-x231.google.com with SMTP id 81so49650199pgh.2 for <dnsop@ietf.org>; Thu, 06 Apr 2017 17:05:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virtualized-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:message-id:in-reply-to:references:subject :mime-version; bh=m4yUef7owAaKw8unKx67ZlJ24XnkkzvT9f1kTOwjoEM=; b=qbzAQW+ej8WNnc+Xn6FnKoUvT4Jsu6LwnxxFopRGy9U+0tP9J5+Q7hiIfn50av7vZf HetU7/j7SafVWoc+f1FxQp6VdJA/2ZQvOouwzRGnPf0hgQQf0onCa3ZlYNGWyTDGE4cL uK/YlfS7YaSmvhJzcqOmCwbX/20dhD/jeFrsn687v4eQbekfV7nfCGCTHIcnwbRxpg/s FMp7RjGU2yivJaTZ4z7e76/m0ch+foECyYHZfdSGaMFuoKr0q5ep6MyumOVmuFCDb0ID uHk425qTgv/xZZ/npJJH1+KDBtRughqPX75y6AxID75DjBYbje36YKUMHSh5BUymsW9l tLdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:message-id:in-reply-to :references:subject:mime-version; bh=m4yUef7owAaKw8unKx67ZlJ24XnkkzvT9f1kTOwjoEM=; b=S9BiHyKhZZ6Ht9AxGGouScCwDgz+OF5jIpM0A/+vqAERqfmoOFMjxluc0x0r0AnpzQ DQEIHLpmxsV5esreKQY+9iIR8Vpu3w/icPhf2AgwCOEOhLj5SVCB7UpOSg2IOUMsjabJ dJivDC9HEuyl1CeLwgfd/b3HUZhKcnrEgZtXKgVN1Qn7ddROSBBZ8FUzcWcrq8jfIbay n3I2pc1sAw/hsHKa3WUiaZbPU16rz5vu9b9r6+7f0wds/nJejM9GS7zhriRmR+j6bspi N+kmUXbTell06ggPcuiXpjTl2BYjbz5QFvCXm9e9Rt+I5hKXoVIxmJ+oD5jPLqMX1vho C4Sg==
X-Gm-Message-State: AFeK/H1UJL3zGOhtdw6TXIrA8YQxx9OlNF4G9PtX+uo1d2BWfSxiMvyP6CBaryp/JMCYNw==
X-Received: by 10.84.204.136 with SMTP id b8mr45085870ple.176.1491523525887; Thu, 06 Apr 2017 17:05:25 -0700 (PDT)
Received: from [172.10.3.106] ([202.65.34.7]) by smtp.gmail.com with ESMTPSA id r73sm5675167pfe.19.2017.04.06.17.05.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 06 Apr 2017 17:05:24 -0700 (PDT)
Date: Thu, 6 Apr 2017 13:53:25 -1000
From: David Conrad <drc@virtualized.org>
To: =?utf-8?Q?Bj=C3=B8rn_Mork?= <bjorn@mork.no>, Paul Vixie <paul@redbarn.org>
Cc: Tony Finch <dot@dotat.at>, dnsop@ietf.org
Message-ID: <6ac82154-9990-4f20-9d38-090df7a3e098@Spark>
In-Reply-To: <58E63559.1030608@redbarn.org>
References: <87inmhrjpx.fsf@miraculix.mork.no> <alpine.DEB.2.11.1704061226310.17574@grey.csi.cam.ac.uk> <87pogppwn0.fsf@miraculix.mork.no> <58E63559.1030608@redbarn.org>
X-Readdle-Message-ID: 6ac82154-9990-4f20-9d38-090df7a3e098@Spark
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="58e6d7c0_643c9869_12065"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9CYN6t_LwUse-aKtjZZvnU7U0bc>
Subject: Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 00:05:31 -0000

On Apr 6, 2017, 2:32 AM -1000, Paul Vixie <paul@redbarn.org>rg>, wrote:

> if you want to run yeti-style, there are some perl scripts that will
> fetch and verify the root zone, edit the apex NS and DNSKEY RRsets,
> re-sign with your local key, and give you a zone you can run on several
> servers inside your internal network, such that you can point your
> "hints" and your dnssec anchor at servers you control, for all your
> internal-network recursives,

Not so sure this is something I'd go about recommending to pretty much anyone other than hardcore, very experienced DNS/DNSSEC protocol geeks since it pretty much defeats the purpose of DNSSEC (edit the apex? ugh) and requires all relying devices to configure a "non-default" trust anchor or suffer SERVFAILs.

Regards,
-drc