DNSSEC ISSUE (Msg: Request is not signed)
Mark Andrews
Mark_Andrews at isc.org
Sat Jul 14 06:55:27 UTC 2007
> Since nobody else has answered, I'm going to take a stab at this.
>
> It sounds like you're not using TSIG signatures in your requests,
> thus causing the "request is not signed" messages. TSIG is a good
> infrastructure element to use when deploying DNSSEC.
>
> Regarding the AD flag, I can't say for sure of course, but it sounds
> like dig simply doesn't display it. Try looking at raw packets; if
> you look at the header in binary, is the AD flag set? I believe it's
> around the 13th-15th bit of the DNS header - look online for a bit
> map of the DNS header to get the exact location.
>
> Chris Buxton
> Men & Mice
Auth servers don't have to set "ad" when responding. Named
does no crypto validation when answering from authoritative
data.
Workarounds are to use a recursion-only view.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
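
Added example, not part of the original thread: a small Python parser for the 12-byte DNS header that reads the AA and AD flags from a raw packet, so the difference between an authoritative answer (AA set, AD clear) and a validating resolver's answer (AD set) can be checked directly. The two sample headers and the function names are constructed for illustration.

```python
import struct

# Masks for the 16-bit flags word that follows the ID in the DNS header
# (layout per RFC 1035, with AD and CD as defined for DNSSEC in RFC 4035).
FLAG_MASKS = {
    "qr": 0x8000,  # response
    "aa": 0x0400,  # authoritative answer
    "tc": 0x0200,  # truncated
    "rd": 0x0100,  # recursion desired
    "ra": 0x0080,  # recursion available
    "ad": 0x0020,  # authentic data (set by a validating resolver)
    "cd": 0x0010,  # checking disabled
}

def parse_dns_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into flags and counters."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes; packet too short")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    hdr = {name: bool(flags & mask) for name, mask in FLAG_MASKS.items()}
    hdr.update(id=ident, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF,
               qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return hdr

def describe(packet: bytes) -> str:
    """Summarise what the header says about validation of the answer."""
    h = parse_dns_header(packet)
    if not h["qr"]:
        return "query"
    if h["ad"]:
        return "validated by resolver (ad set)"
    if h["aa"]:
        return "authoritative answer, no validation claimed (aa set, ad clear)"
    return "non-authoritative answer, not validated (ad clear)"

# Constructed sample headers (header only, no question/answer sections).
# Flags 0x8500 = qr aa rd: what an authoritative server returns.
AUTH_RESPONSE = bytes.fromhex("1234 8500 0001 0001 0000 0001")
# Flags 0x81a0 = qr rd ra ad: what a validating recursive server returns.
RESOLVER_RESPONSE = bytes.fromhex("1234 81a0 0001 0001 0000 0001")

if __name__ == "__main__":
    for label, pkt in (("auth", AUTH_RESPONSE), ("resolver", RESOLVER_RESPONSE)):
        print(label, "->", describe(pkt))
```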