Validating a DNSSEC installation

Hauke Lampe list+bindusers at
Sun Jun 14 03:12:31 UTC 2009

Erik Lotspeich wrote:

> I now get the AD flag when querying external validating resolvers such
> as the ones you mention.

That's good.
May your signatures never expire and your keys always be valid.

> I believe that my BIND is configured properly to be a validating
> resolver as well:
> # dig +adflag
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
> [snip]

Looks good.

> Is it normal that a validating resolver can't validate a domain it is
> authoritative for?

It could but it doesn't, as it implicitly trusts its storage backend.
You see the AA (authoritative answer) flag instead of AD.

> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

If you want BIND to check signatures and set the AD flag, you would have
to set up views, with the authoritative zones in one view and forwarding
zones in another.
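One way to lay out the two views described above, as an added example (not configuration from the original thread); the addresses, zone name, file name, client range and trust anchor are constructed placeholders:

```conf
// named.conf sketch (added example, not from the original thread).
// Constructed addresses: 192.0.2.53 = authoritative view, 192.0.2.54 = resolver view.
// Both must be configured on the host; zone name and file are placeholders.

options {
    listen-on { 192.0.2.53; 192.0.2.54; };
    dnssec-enable yes;        // needed on BIND 9 releases of the 2009 era
    dnssec-validation yes;
};

// Trust anchor for the zone, so the resolver view can validate it even
// without a signed parent. Replace the placeholder with the real KSK
// public key (BIND 9.16+ uses a trust-anchors statement instead).
trusted-keys {
    "example.com." 257 3 5 "<example.com KSK public key - placeholder>";
};

view "authoritative" {
    match-destinations { 192.0.2.53; };
    recursion no;             // answers from zone data carry AA, never AD
    zone "example.com" {
        type master;
        file "example.com.signed";
    };
};

view "resolver" {
    match-destinations { 192.0.2.54; };
    match-clients { 192.0.2.0/24; localhost; };   // hypothetical client range
    recursion yes;
    // No zone data here: queries for example.com are forwarded to the
    // authoritative view, so answers arrive over the wire and are validated
    // like any other signed zone, and the AD flag is set for clients.
    zone "example.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.53; };
    };
};
```

Querying 192.0.2.54 with `dig +dnssec` should then show `ad` in the flags line, while 192.0.2.53 keeps answering with `aa`.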

