Multiserver dnssec

companyou

Yesterday, I tried using DNSSEC using DirectAdmin.
After googling how it works I generated the first keys, and added them to my domains.
Now, I looked up if it was correct using http://dnsviz.net/d/budgetgamepc.nl/dnssec/ and http://dnssec-debugger.verisignlabs.com/budgetgamepc.nl
But I do get a few errors.
They are generated from the 2nd server (ns10.companyou.eu).
I already tried enabling DNSSEC on that server too. But that didn't work.

The servers are almost identical.
Both are running Named 9.8.2rc1
with the following configuration
Code:
options {
	//listen-on port 53 { 127.0.0.1; };
	//listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	//allow-query     { localhost; };
	//recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};


The error from Verisign is: ns10.companyou.eu/164.138.26.167 returns REFUSED for budgetgamepc.nl/SOA

So, I'm quite confused now, as I can view the domain in the DNS panel on that server (not edit, and just the raw data as it is a DNSSEC enabled domain).

Can you help me?
Thanks,
Erik
 
I'm just curious:
They are generated from the 2nd server (ns10.companyou.eu).
Shouldn't the 2nd server have access rights to your first server then to get queries? Something like this in your named.conf?
Code:
        allow-transfer { 164.138.26.167; };
        allow-notify { 164.138.26.167; };

Provided it's a secondary nameserver for the first server.
 
If both servers are DA servers, it's not needed on a multiserver setup, because DNS data will be transferred another way.
I have no clue why it's working on the first and not on the second server in that case.
You might want to ask over at webhostingtalk dot nl.

I'm confused about the error about the SOA records. I presume they are the same on both servers.
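
The REFUSED result reported in the first post can be checked per nameserver with a non-recursive SOA query, which only a server that actually holds the zone will answer authoritatively. This is an added example, not code from any poster in this thread or from DirectAdmin; the function names, the fixed query ID and the sample replies are constructed for illustration.

```python
import socket
import struct

TXID = 0x1234  # fixed query ID, fine for a one-shot diagnostic

def build_soa_query(zone):
    """Non-recursive (RD=0) SOA query, so only the server's own zone data answers."""
    header = struct.pack("!HHHHHH", TXID, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify(response):
    """Classify a reply from its 12-byte DNS header alone."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != TXID or not flags & 0x8000:      # wrong ID or QR bit not set
        return "malformed"
    rcode, authoritative = flags & 0x000F, bool(flags & 0x0400)
    if rcode == 5:
        return "refused"   # zone not loaded on this server, or an ACL denies the query
    if rcode != 0:
        return "rcode-%d" % rcode
    if not authoritative or ancount == 0:
        return "lame"      # replies, but not from authoritative zone data
    return "ok"

def check_nameserver(ip, zone, timeout=3.0):
    """Send the query over UDP to one nameserver and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_soa_query(zone), (ip, 53))
            return classify(sock.recvfrom(4096)[0])
        except OSError:
            return "no-response"

def _sample(flags, ancount):
    """Constructed reply: header plus echoed question, no record bodies."""
    question = build_soa_query("budgetgamepc.nl")[12:]
    return struct.pack("!HHHHHH", TXID, flags, 1, ancount, 0, 0) + question

SAMPLE_REFUSED = _sample(0x8005, 0)  # QR=1, RCODE=5: the result reported for the 2nd server
SAMPLE_OK = _sample(0x8400, 1)       # QR=1, AA=1, one answer
SAMPLE_LAME = _sample(0x8000, 0)     # QR=1, AA=0, no answer

if __name__ == "__main__":
    for name, raw in [("refused", SAMPLE_REFUSED), ("ok", SAMPLE_OK), ("lame", SAMPLE_LAME)]:
        print(name, "->", classify(raw))
```

Running `check_nameserver` against every nameserver listed for the zone should give "ok" for each one before the DS record is published at the registry.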
 