The DLV registry “dlv.isc.org” has been shutdown. It is now a empty zone answer which answers with NXDOMAIN
for anyone that still has a dnssec-lookaside clause that pointed to in named.conf or the equivalent in other
name servers. "dnssec-lookaside auto;” and “dnssec-lookaside . dlv.isc.org;” are both rejected by modern
versions of BIND.
Use 'dnssec-validation auto;’ if you are on the Internet. Use ‘dnssec-validation yes;’ if you
are on a disconnected network.
Some record that should have been at the zone’s apex (name) wasn’t. Either you passed the wrong
zone name to dnssec-verify or you have put records in the wrong place in the zone.

e.g.

DNSKEY, SOA and NSEC3PARAM records should only be at the top of a zone.
NS records exist at top and they define the bottom of a zone.
DS records should only exist at the NS records that define bottom of zone and
never at the zone’s apex nor in the middle of a zone.

On 21 Jan 2019, at 13:49, Mark Andrews <***@isc.org> wrote:

Thanks for the info on the first two questions.
OK, named-checkzone returns "OK" but the dnssec-verify complains about not at top of zone.

Ah, wait, no, I was doing it wrong.

Now both commands return success, but after reloading bind and trying to query localhost for the DNSEC information it returns nothing.

I then removed "auto-dnssec maintain" and "inline-signing yes" from the zone record in name.conf and now everything is behaving as expected when I query localhost for the DNSSEC info. (I know this is not complete until I update the records at the registrar, but I am not ready to do that).

Which brings up one more question, what sort of maintenance/renewal process do I need to implement, if any? Once the zone is signed I assume that signature expires at some point. when I edit the conf file, I will have to manually regenerate the sonf.signed file since I had to remove "auto-dnssec maintain", yes?

I should have said, I have update-policy local; in the zone record, but if I add "inline-signing yes;" and/or "auto-dnssec allow;" then the query fails.

I have the following snippet in my named.conf and it works great:

zone "boat" {
type master;
file "zone/boat";
update-policy local;
auto-dnssec maintain;
notify no;
};

This is a "fake TLD" for "boat" that I maintain locally (on my boat).

It is DNSSEC signed, updates signatures automatically (as needed) and is
able to be updated locally (nsupdate -l).

I created the keys using something along the lines of:

***@svlg-gateway:~# dnssec-keygen -a rsasha256 boat
Generating key pair...........+++++ ......+++++
Kboat.+008+41586
***@svlg-gateway:~# dnssec-keygen -f k -a rsasha256 boat
Generating key
pair........................................................+++++
.............................................+++++

then, making sure that the keys were in the directory specified by
key-directory option, I did an "rndc loadkeys".

With the appropriate trust anchors in place, data in the zone validates.

Does this help at all? If not, can you be a bit more detailed in the
problem you are trying to solve?

AlanC

Everything appears to be working locally at this point, including with "auto-dnssec maintain;" which I swear was not working a few hours ago. Perhaps I tyoped.
Just trying to get the configuration right before I go add the DNSSEC to the registrar, and also trying to understand how it is all supposed to work so I don't run into any surprises in a week or a month or a year (especially the latter, when I will have forgotten everything).

I’d like to thank everyone who helped out on this, got it all sorted, added to the registrar, and it is all working, Now to do it for all the other domains. :)