Validating a DNSSEC installation

Hauke Lampe list+bindusers at hauke-lampe.de
Sun Jun 14 03:12:31 UTC 2009


Erik Lotspeich wrote:

> I now get the AD flag when querying external validating resolvers such
> as the ones you mention.

That's good.
May your signatures never expire and your keys always be valid.

> I believe that my BIND is configured properly to be a validating
> resolver as well:
> 
> # dig +adflag @ns.lotspeich.org. isc.org.
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
> [snip]

Looks good.

> Is it normal that a validating resolver can't validate a domain it is
> authoritative for?

It could but it doesn't, as it implicitly trusts its storage backend.
Instead of AD, you see the AA (authoritative answer) flag.

> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

If you want BIND to check signatures and set the AD flag, you would have
to set up views, with the authoritative zones in one view and forwarding
zones in another.


Hauke.
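The split-view setup suggested above, written out as an added example (it is not part of the original thread, and not a configuration the poster supplied). It assumes the zone is example.org, that the signed zone file is /etc/bind/example.org.signed, that the public listener is 192.0.2.53, and that the loopback alias 127.0.0.2 is reachable (Linux routes all of 127.0.0.0/8 to lo by default; other systems may need the alias added). The trust anchors the working validator already has stay where they are and are shown only as a placeholder comment.

```conf
// Added example: one named.conf with two views so that a single BIND
// instance validates the zone it is also authoritative for.
// Assumed values: zone example.org, file /etc/bind/example.org.signed,
// public address 192.0.2.53, loopback alias 127.0.0.2.

options {
    directory "/var/cache/bind";
    // Listen on the public address, the normal loopback, and the alias
    // that only the authoritative view answers on.
    listen-on { 192.0.2.53; 127.0.0.1; 127.0.0.2; };
    listen-on-v6 { none; };
};

// View 1: authoritative data only, reached exclusively via 127.0.0.2.
// Views are tried in order, so this one has to come first.
view "auth" {
    match-destinations { 127.0.0.2; };
    recursion no;
    // Serves the signed zone with its RRSIGs. The resolver view queries
    // with the DO bit set, so no validation options are needed here.
    zone "example.org" {
        type master;
        file "/etc/bind/example.org.signed";
    };
};

// View 2: the validating resolver that clients actually talk to.
view "resolver" {
    match-clients { any; };
    recursion yes;
    allow-recursion { 192.0.2.0/24; 127.0.0.0/8; };
    dnssec-enable yes;
    dnssec-validation yes;
    // Trust anchors exactly as already configured for the validator
    // that sets AD today (e.g. a trusted-keys {} block); placeholder.

    // Instead of loading the zone, hand queries for it to the auth view.
    // The reply comes back as an ordinary answer (AA set there), is
    // validated against the DS chain from the parent like any external
    // zone, and is returned to clients with AD instead of AA.
    zone "example.org" {
        type forward;
        forward only;
        forwarders { 127.0.0.2; };
    };
};
```

To check the result, query the public address the way the thread does (`dig +adflag @192.0.2.53 example.org.`) and look for `ad` in the flags line; the same query sent to 127.0.0.2 should show `aa` and no `ad`, which confirms that the two views are being selected as intended. Adding `+dnssec` to the first query shows the RRSIGs that the resolver view validated.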

