Validating a DNSSEC installation
list+bindusers at hauke-lampe.de
Sun Jun 14 03:12:31 UTC 2009
Erik Lotspeich wrote:
> I now get the AD flag when querying external validating resolvers such
> as the ones you mention.
May your signatures never expire and your keys always be valid.
> I believe that my BIND is configured properly to be a validating
> resolver as well:
> # dig +adflag @ns.lotspeich.org. isc.org.
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
> Is it normal that a validating resolver can't validate a domain it is
> authoritative for?
It could, but it doesn't, as it implicitly trusts its storage backend.
Instead, you see the AA (authoritative answer) flag rather than AD.
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
If you want BIND to check signatures and set the AD flag, you would have
to set up views, with the authoritative zones in one view and forwarding
zones in another.
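As an added illustration of the two-view layout described above (this is not configuration from the original post, and it is not shown as BIND's only way to do it): the authoritative copy of the zone lives in one view that is selected by destination address, and the client-facing resolver view forwards that same zone name back to the authoritative view, so the answer arrives over DNS and is validated like any other. The zone name example.org, the addresses 192.0.2.1 (clients) and 192.0.2.53 (authoritative side), the file name, and the use of the built-in root trust anchor via `dnssec-validation auto` (a BIND 9.7+ keyword) are all assumptions for the example.

```conf
// Added example, not the original poster's named.conf.
// Assumptions: signed zone example.org in "example.org.signed",
// clients query 192.0.2.1, the authoritative view answers on 192.0.2.53,
// and BIND 9.7+ so that "dnssec-validation auto" is available.

options {
    directory "/var/named";
    // Both addresses belong to this host; views are told apart by them.
    listen-on { 192.0.2.1; 192.0.2.53; };
};

// View 1: authoritative only. No recursion, so it never sets AD itself;
// it simply serves the signed zone data to whoever asks on 192.0.2.53.
view "auth" {
    match-destinations { 192.0.2.53; };
    recursion no;
    zone "example.org" {
        type master;
        file "example.org.signed";
    };
};

// View 2: validating recursive resolver for the local clients.
view "resolver" {
    match-clients { 192.0.2.0/24; localhost; };
    recursion yes;
    dnssec-validation auto;
    // Do not load the zone here. Forward it to the authoritative view
    // instead, so the resolver treats it as remote data and validates
    // the signatures against the chain of trust from the root.
    zone "example.org" {
        type forward;
        forward only;
        forwarders { 192.0.2.53; };
    };
};
```

To check the result, query the client-facing address with `dig +dnssec @192.0.2.1 example.org SOA` and look for `ad` in the flags line; the same query sent to 192.0.2.53 should show `aa` but not `ad`, matching the behaviour described above. Validation only succeeds if the zone's DS record is published in the parent and the resolver view can reach the root and .org servers to build the chain of trust.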