ISC Knowledge Base
1 DNSSEC Validation the Easy Way

Problem: You want your recursive BIND server to perform DNSSEC validation, but you don't have much time to invest. Solution: ISC BIND 9 (in all currently supported versions at the time of this writing) contains a built-in copy of the root zone KSK (key signing…

2 Why does dig report one more record in the additional section of a query response than I am seeing?

This is not a bug, and it is not new behavior, although those newly upgrading to BIND 9.9 from earlier versions may have encountered it for the first time there. From BIND 9.9.0 and newer, dig has changed its defaults: dig now defaults to using options "+adflag"…

3 Why does BIND log messages about disabling EDNS or reducing the advertised packet size?

Question: What do these messages mean, and is there any problem that might be caused as a result? success resolving ... (query etc) ... after reducing the advertised EDNS UDP packet size to 512 octets success resolving ... (another query etc.) ... after disabling…

4 Can I extract the key tag from a DNSKEY obtained via dig?

dig +multi will show the key tag. In BIND 9.9, you can also use dig +rrcomments, and both options provide more key information than was available with 9.8.2 dig. 9.8.2: $ dig +multi DNSKEY ; <<>> DiG 9.8.2 <<>> +multi…

5 How do I display the contents of a .signed zone file in human-readable format?

BIND 9.9.0 introduced inline signing. BIND writes its backup signed zone file in raw format (this is the format in which the zone data is stored in working memory - it is faster to load/write the zone data in this format). Use named-checkzone to read the…

6 What do "no source of entropy found" or "could not open entropy source foo" mean?

The server requires a source of entropy to perform certain operations, mostly DNSSEC related. These messages indicate that you have no source of entropy. On systems with /dev/random or an equivalent, it is used by default. A source of entropy can also be…

7 Why do queries for NSEC3 records fail to return the NSEC3 record?

NSEC3 records are strictly metadata and can only be returned in the authority section. This is done so that signing the zone using NSEC3 records does not bring names into existence that do not exist in the unsigned version of the zone.

8 I don't get RRSIGs returned when I use "dig +dnssec" - why is this?

You need to ensure DNSSEC is enabled on the nameserver that you are querying. dnssec-enable yes;