dnssec-validation to validate own authoritative zone
Summary
I have an authoritative nameserver that serves a zone; let's say it is authoritative for example.com. When I query example.com at any DNSSEC-validating resolver, the AD flag is set. But when I query example.com at my authoritative nameserver, the AD flag is not set.
Is this a bug or intended behavior?
BIND version used
BIND 9.16.11 (Stable Release) <id:9ff601b>
running on FreeBSD amd64 12.2-STABLE FreeBSD 12.2-STABLE r369178
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' '--enable-tcp-fastopen' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.2' 'build_alias=amd64-portbld-freebsd12.2' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG FreeBSD Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
compiled with OpenSSL version: OpenSSL 1.1.1h-freebsd 22 Sep 2020
linked to OpenSSL version: OpenSSL 1.1.1i-freebsd 8 Dec 2020
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.2
linked to protobuf-c version: 1.3.2
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
Steps to reproduce
Set up an authoritative nameserver with "dnssec-validation auto;" or "dnssec-validation yes;".
Sign the zone with OpenDNSSEC. Let BIND read the signed zone file:

zone "example.com" {
    type master;
    file "signed/example.com";
};
What is the current bug behavior?
Using dig and/or drill to query the local nameserver. I also queried denic.de as a reference.
dig @localhost denic.de
AD flag is set.

dig @localhost example.com
AD flag is not set.

versus:

dig @8.8.8.8 denic.de
AD flag is set.

dig @8.8.8.8 example.com
AD flag is set.
What is the expected correct behavior?
When executing dig @localhost example.com, the AD flag should be set.