I'm configuring a DNS server on RHEL 6.8 with BIND 9.8.2rc1, and testing DNSSEC with the server set up to intentionally fail DNSSEC (www.dnssec-failed.org) shows a successful test of DNS. Some help determining the cause would be great.
When running the command below it succeeds as it should:
Code:
dig @127.0.0.1 www.isc.org A +dnssec +multiline
However, when I run the command below to intentionally get a DNSSEC failure, it also passes (status: NOERROR) when it should actually fail:
Code:
~]# dig @127.0.0.1 www.dnssec-failed.org. A
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> @127.0.0.1 www.dnssec-failed.org. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38725
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 10
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
;; ANSWER SECTION:
www.dnssec-failed.org. 3535 IN A 69.252.193.191
www.dnssec-failed.org. 3535 IN A 68.87.109.242
;; AUTHORITY SECTION:
dnssec-failed.org. 82735 IN NS dns102.comcast.net.
dnssec-failed.org. 82735 IN NS dns103.comcast.net.
dnssec-failed.org. 82735 IN NS dns101.comcast.net.
dnssec-failed.org. 82735 IN NS dns105.comcast.net.
dnssec-failed.org. 82735 IN NS dns104.comcast.net.
;; ADDITIONAL SECTION:
dns102.comcast.net. 82735 IN A 68.87.85.132
dns102.comcast.net. 82735 IN AAAA 2001:558:1004:7:68:87:85:132
dns103.comcast.net. 82735 IN A 68.87.76.228
dns103.comcast.net. 82735 IN AAAA 2001:558:1014:c:68:87:76:228
dns105.comcast.net. 82735 IN A 68.87.72.244
dns105.comcast.net. 82735 IN AAAA 2001:558:100e:5:68:87:72:244
dns101.comcast.net. 82735 IN A 69.252.250.103
dns101.comcast.net. 82735 IN AAAA 2001:558:fe23:8:69:252:250:103
dns104.comcast.net. 82735 IN A 68.87.68.244
dns104.comcast.net. 82735 IN AAAA 2001:558:100a:5:68:87:68:244
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 1 19:48:25 2017
;; MSG SIZE rcvd: 407
Any ideas as to what the cause could be for DNSSEC to pass when it should indeed fail? I'm thinking of reconfiguring DNSSEC altogether at this point: turning it off, then adjusting one setting at a time to determine the root cause.
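An added example (not part of the original post) that turns the check described above into a small POSIX shell helper. It classifies a dig transcript by the two things that matter for DNSSEC validation: the response status and the `ad` (authenticated data) flag. A validating resolver answers SERVFAIL for www.dnssec-failed.org, so a NOERROR answer for that name, as in the transcript above, means the resolver handed the answer back unvalidated. One caveat: the query in the post was run without `+dnssec`, and a dig of that vintage does not set the DO/AD bits by default, so the missing `ad` flag on its own proves nothing; the NOERROR status for the deliberately broken zone is the real signal. The three transcripts embedded below are constructed (one abbreviated from the post, two written to show the other outcomes), and `check_resolver` is a hypothetical wrapper that needs network access and a running resolver.

```shell
#!/bin/sh
# Classify a dig transcript by what it says about DNSSEC validation.
# Reads dig output on stdin and prints exactly one of:
#   VALIDATED       status NOERROR and the 'ad' flag set (answer was validated)
#   BOGUS_REJECTED  status SERVFAIL (what a validating resolver returns for a bogus name)
#   NOT_VALIDATED   status NOERROR without 'ad' (answer returned unauthenticated)
#   OTHER           anything else (NXDOMAIN, REFUSED, no header line, ...)
dnssec_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out"  | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo BOGUS_REJECTED ;;
        NOERROR)
            # Pad with spaces so 'ad' cannot match inside another flag name.
            case " $flags " in
                *" ad "*) echo VALIDATED ;;
                *)        echo NOT_VALIDATED ;;
            esac ;;
        *) echo OTHER ;;
    esac
}

# Hypothetical live wrapper: +dnssec sets the DO bit, which asks for RRSIGs and
# lets a validating resolver mark a validated answer with 'ad'. Needs network.
# Usage: check_resolver 127.0.0.1 www.dnssec-failed.org   (expect BOGUS_REJECTED)
check_resolver() {
    dig @"$1" "$2" A +dnssec | dnssec_verdict
}

# Constructed sample 1: abbreviated from the transcript in the post.
# NOERROR for the deliberately broken zone, and no 'ad' flag.
sample_posted() {
    printf '%s\n' \
      ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38725' \
      ';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 10' \
      ';; ANSWER SECTION:' \
      'www.dnssec-failed.org. 3535 IN A 69.252.193.191'
}

# Constructed sample 2: what a validating resolver returns for the same name.
sample_servfail() {
    printf '%s\n' \
      ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234' \
      ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
}

# Constructed sample 3: a properly signed name queried with +dnssec and validated.
sample_validated() {
    printf '%s\n' \
      ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321' \
      ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
}

# Stand-alone demo over the constructed transcripts.
for s in sample_posted sample_servfail sample_validated; do
    printf '%-17s -> %s\n' "$s" "$($s | dnssec_verdict)"
done
```

Pipe a real capture through `dnssec_verdict` (for example `dig @127.0.0.1 www.dnssec-failed.org A +dnssec | dnssec_verdict`) and the verdict tells you whether the resolver is validating at all. If a known-good signed name comes back NOT_VALIDATED with `+dnssec` as well, the resolver is not validating anything, which points at the validation configuration or trust anchors rather than at the test domain.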