How do I secure a zone with dlv.isc.org's DLV service?

Question

I'm setting up domain-lookaside validation. I think I got mostly everything correct. I followed the directions here: https://dlv.isc.org/about/using. I registered my domain and uploaded the key signing key, signed my zone with -l dlv.isc.org option, added dlv.isc.org as a foreign name server for my domain in the zone files. named fails silently. I even changed /dev/null to /var/log/named.log to squeeze some info out of named. I checked the changes were made but it didn't work I don't know what to check or try.

I'm asking 2 questions:

1. Strategies to glean info from named when it fails silently like its doing
2. Is the configuration correct. My limited understanding of DNS and DNSSEC tell me this should work

forward file:

$TTL 3600;

@ IN SOA ns1.sub.db.archives.net. dlv.isc.org. (
2014112100  ; serial
4h      ; refresh
1h      ; retry
7d      ; expiration
1h      ; minimum
)
$INCLUDE Ksub.db.archives.net.+008+07374.key
$INCLUDE Ksub.db.archives.net.+008+24586.key

        IN  NS  ns1.sub.db.archives.net.
        IN  NS  ns1.db.archives.net.
        IN  NS  dlv.isc.org.

dlv.isc.org.    IN  A   149.20.1.5
ns1.db.archives.net.    IN  A   10.103.35.66
ns1     IN  A   10.103.35.64
luke        IN  A   10.103.35.64
bo      IN  A   10.103.35.65
daisy       IN  A   10.103.35.66
sheriff     IN  A   10.103.35.67
boss        IN  A   10.103.35.68
dlv.sub.db.archives.net. 0 IN TXT "DLV:1:blablabla"

dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu ...TDN0YUuWrBNh

reverse file:

$TTL 3600

@ IN SOA ns1.sub.db.archives.net. dlv.isc.org. (
2014112100  ; serial #
4h              ; refresh
1h              ; retry
7d              ; expiration
1h              ; minimum
)

                IN      NS  ns1.sub.db.archives.net.
                IN      NS  ns1.db.archives.net.
        IN  NS  dlv.isc.org.

5.1.20.149  IN  PTR dlv.isc.org.
66.35.103.10    IN  PTR ns1.db.archives.net.
64  IN  PTR ns1.sub.db.archives.net.
64  IN  PTR luke.sub.db.archives.net.
65  IN  PTR bo.sub.db.archives.net.
66  IN  PTR daisy.sub.db.archives.net.
67  IN  PTR sheriff.sub.db.archives.net.
68  IN  PTR boss.sub.db.archives.net.

dnssec-signzone command:

dnssec-signzone -l dlv.isc.org -o sub.db.archives.net -k Ksub.db.archives.net.+008+24586.key sub.db.archives.net.fwd Ksub.db.archives.net.+008+07374.key

named:

[root@test master]# service named start
Starting named:                                            [FAILED]

Answer 1

The actual file not found errors come across as fairly self-explanatory (no such files exist, I suppose?).

However, DS records live in the parent zone, alternatively DLV records live at the DLV server.

This means that your step 4 does not exist (as per the guide you linked).

Can you really not get the DS records into the parent zone instead? DLV was mostly a stopgap measure early on and should not be the first choice.

Also see In-line signing (and auto-dnssec maintain), that is generally a better option for zone signing and key management compared to calling dnssec-signzone manually.

Answer 2

1. Strategies for seeing why named fails to start:
   • Check named-checkconf -zj output. (named-checkconf as well as named-checkzone should probably be part of your regular workflow, not only for troubleshooting)
   • Check the logs. (named logs to syslog by default, see your named.conf for any logging configuration you have have that may override this)
   • If none of the above helps (unlikely), there is also the option to check which parameters you normally have in your named command line and start it manually with -g added to your normal set of parameters (this forces named to stay in the foreground and log to stderr).

2. There are numerous obvious problems with the zone data included in the question that are not in any way specific to DNSSEC or DLV. To be quite frank, I would recommend that you read up on DNS fundamentals as a first step.
   Some problems that I spotted were the following, please consult the logs and/or named-check{conf,zone}} output as well.

   • The SOA records have very unlikely RNAME values (dlv@isc.org)
   • dlv.isc.org is listed as a nameserver but I very much doubt it hosts your zones.
   • dlv.isc.org. IN A ... doesn't look like it belongs in this zone.
   • ns1.db.archives.net. IN A ... doesn't look like it belongs in this zone.
   • dlv.isc.org. IN DNSKEY ... doesn't look like it belongs in this zone.
   • 5.1.20.149 IN PTR dlv.isc.org. - Ignoring that it's written incorrectly, this is yet another record that doesn't belong.
   • 66.35.103.10 IN PTR ns1.db.archives.net. probably belongs but is written incorrectly.

(My impression from the question is that the two zones are sub.db.archives.net and 35.103.10.in-addr.arpa, which is what I've based the out-of-zone statements on. Seeing the actual configuration in addition to the zone data would confirm this.)