puzzling answer of dig with +sigchase/NSEC3
Klaus.Malorny at knipp.de
Mon Nov 9 15:47:02 UTC 2009
I am playing around with a signed zone which uses NSEC3. If I try to verify a
non-existing name or a non-existing type with the "sigchase" option, I get the
following:

  ;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED
I then checked it with the "org" TLD (which I assume to be properly signed), and
get the same result if I issue a "dig +sigchase +trusted-key=/tmp/trustedkeys
org txt" command. I checked that in both cases, the correct NSEC3 record was
returned by named.
I would have expected to get a "SUCCESS" also, i.e. that the negative answer
could have been validated so far. Did I miss anything? For zones using NSEC,
like "se", this seems to work. Is there no full support for NSEC3 in dig yet?
BTW: I am using 9.7.0b2 with OpenSSL support and the -DDIG_SIGCHASE flag.
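The check the poster wanted dig to perform can be reproduced by hand. The block below is an added example, not code from the post above or from BIND/dig: it hashes owner names with a zone's NSEC3PARAM (RFC 5155 section 5) and then walks the closest-encloser proof of RFC 5155 section 8.4, confirming that the next closer name and the wildcard at the closest encloser both fall strictly inside an NSEC3 owner/next-hashed-owner interval. The zone contents (ZONE) are constructed for the example; the hash parameters (SHA-1, salt aabbccdd, 12 extra iterations) are the ones RFC 5155 uses in its Appendix A example, so the hash of "example" can be compared against that appendix.

```python
"""NSEC3 hashing and the name-error proof of RFC 5155.

Added example, not code from the bind-users post or from BIND/dig.
It does the part of negative-answer validation the post asks dig
+sigchase to do for an NSEC3 zone: hash names with the zone's
NSEC3PARAM, then show that NSEC3 owner/next intervals cover the names
that must not exist. ZONE is constructed for this example; the hash
parameters are those of RFC 5155 Appendix A.
"""
import hashlib

# base32 with the extended-hex alphabet (RFC 4648 section 7): its ASCII
# order equals the numeric order of the digest, so hashed owner names can
# be compared as strings, which is what the coverage test relies on.
_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def _b32hex(data: bytes) -> str:
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)          # a 160-bit SHA-1 digest needs no padding
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:                       # handles "." and stray empty labels
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, alg: int = 1) -> str:
    """IH(salt, x, k) of RFC 5155 section 5; algorithm 1 (SHA-1) is the only one defined."""
    if alg != 1:
        raise ValueError("unsupported NSEC3 hash algorithm")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):             # 'iterations' counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return _b32hex(digest)


def build_chain(zone_names, salt_hex, iterations):
    """(owner_hash, next_hash) pairs as a signer emits them; the last wraps to the first."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in zone_names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def nsec3_covers(owner, next_hashed, target):
    """True when target lies strictly between owner and next, wrap-around record included."""
    if owner < next_hashed:
        return owner < target < next_hashed
    return target > owner or target < next_hashed


def find_record(chain, name, salt_hex, iterations):
    """('matches', rec) if an NSEC3 owns the hashed name, ('covers', rec) if one spans it."""
    h = nsec3_hash(name, salt_hex, iterations)
    for rec in chain:
        if rec[0] == h:
            return "matches", rec
    for rec in chain:
        if nsec3_covers(rec[0], rec[1], h):
            return "covers", rec
    return None, None


def name_error_proof(chain, qname, salt_hex, iterations):
    """RFC 5155 section 8.4: closest encloser matched, next closer name and the
    wildcard at the closest encloser both covered. Returns the proof pieces."""
    labels = qname.lower().rstrip(".").split(".")
    proof = {"qname": qname, "proven": False}
    for i in range(1, len(labels) + 1):     # walk ancestors until one exists
        candidate = ".".join(labels[i:]) or "."
        kind, _ = find_record(chain, candidate, salt_hex, iterations)
        if kind == "matches":
            proof["closest_encloser"] = candidate
            proof["next_closer"] = ".".join(labels[i - 1:])
            proof["wildcard"] = "*." + candidate
            nc_kind, _ = find_record(chain, proof["next_closer"], salt_hex, iterations)
            wc_kind, _ = find_record(chain, proof["wildcard"], salt_hex, iterations)
            proof["proven"] = nc_kind == "covers" and wc_kind == "covers"
            return proof
    return proof


# Constructed sample zone (names only; RR types do not enter the hash chain).
SALT, ITERATIONS = "aabbccdd", 12
ZONE = ["example", "a.example", "ns1.example", "w.example", "x.w.example"]
CHAIN = build_chain(ZONE, SALT, ITERATIONS)

if __name__ == "__main__":
    for owner, nxt in CHAIN:
        print(f"{owner}.example. NSEC3 1 1 {ITERATIONS} {SALT} {nxt}")
    print(name_error_proof(CHAIN, "a.c.x.w.example", SALT, ITERATIONS))
```

With a real response, the chain would be only the NSEC3 records named returned in the authority section, and each of them must additionally carry a valid RRSIG; this block checks hashing and coverage only, which is the part that lets you tell "named returned the right NSEC3 record" from "the proof is complete".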