Академический Документы
Профессиональный Документы
Культура Документы
domain "dnssec-failed.org" that is operated as a public service by Comcast. This special domain will
cause validating resolvers to purposely fail to give an answer. Give the following command at a shell
command line:
In that command, replace the string ADDRESS with the IPv4 or IPv6 address of the resolver you
operate.
If the response includes the following:
Then the resolver is doing DNSSEC validation. (The status indication of SERVFAIL here
indicates that the validation failed, which means that the validation is in fact happening.)
BIND
First check that DNSSEC validation is set in your configuration file. You should see a
line in the optionssection that says either dnssec-validation auto; or dnssec-
validation yes;. If you have dnssec-validation set to auto, you do not need to
update your software or configuration. You simply need to restart your software, using
whatever command you normally use to stop and start BIND; this will bring in the latest
trust anchors for dnssec-validation auto.
1. Update to the latest sub-version of BIND 9.9, BIND 9.10, or BIND 9.11 using
whatever method you used to install the software. If you are running BIND 9.8, it is no
longer supported software, and you need to update to BIND 9.9 or later. You want a
sub-version of at least:
BIND 9.9.10
BIND 9.10.5
BIND 9.11.1
2. In your configuration file, be sure that the options section has a line that
says dnssec-validation auto;.
3. Stop the old version of BIND and start the new version, using whatever command you
normally use to stop and start BIND.
1. Update the bind.keys file to include the new trust anchor. The bind.keys file
should be stored in the same directory that BIND's other files are created.
Alternatively, if your named.conf file has a managed-keys section that lists the
trust anchors, you can update that section. The revised file or configuration
section should contain the following:
managed-keys {
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";