DNSSEC ISSUE (Msg: Request is not signed)

Mark Andrews Mark_Andrews at isc.org
Sat Jul 14 06:55:27 UTC 2007

> Since nobody else has answered, I'm going to take a stab at this.
> It sounds like you're not using TSIG signatures in your requests,  
> thus causing the "request is not signed" messages. TSIG is a good  
> infrastructure element to use when deploying DNSSEC.
> Regarding the AD flag, I can't say for sure of course, but it sounds  
> like dig simply doesn't display it. Try looking at raw packets; if  
> you look at the header in binary, is the AD flag set? I believe it's  
> around the 13th-15th bit of the DNS header - look online for a bit  
> map of the DNS header to get the exact location.
> Chris Buxton
> Men & Mice

	Auth servers don't have to set "ad" when responding.  Named
	does no crypto validation when answering from authoritative

	Workarounds are to use a recursion-only view.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list