return address for failed DNSSEC validation
Mark Andrews
marka at isc.org
Thu Mar 11 01:11:21 UTC 2010
Additionally you can detect a DNSSEC failure by asking
queries with and without the CD bit set.
Most DNSSEC failures can be diagnosed with dig, knowing the
current time and date and access to named.conf for the trust
anchors. These are actually easier to diagnose than most
other DNS failure issues.
Most DNSSEC failures fall into these categories:
* failure to re-sign; check the dates in the RRSIG records.
* failure to roll a key correctly; check that the key ids match.
dig +multi will print out the key id for KEY and DNSKEY
records.
To find the failure you ask the failing server for the records
in the trust chain until you find the break point.
record -> dnskey [ [ -> ds/dlv -> dnskey ] ..... ] -> trusted-key.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
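As an added illustration of the two checks Mark describes (RRSIG dates and key id match), not part of his post or of BIND: this script takes RRSIG and DNSKEY records in dig's presentation format, computes the key tag of each DNSKEY as specified in RFC 4034 Appendix B, and reports which of the two failure categories applies. The zone name, the DNSKEY bytes and the timestamps are constructed sample data, not real keys.

```python
import base64
from datetime import datetime, timezone

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (the id dig +multi prints)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """'owner ttl IN DNSKEY flags proto alg key' -> key tag (join dig's wrapped key lines first)."""
    f = line.split()
    i = f.index("DNSKEY")
    return key_tag(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]))

def parse_rrsig(line):
    """'owner ttl IN RRSIG type alg labels ottl expiration inception keytag signer sig'."""
    f = line.split()
    i = f.index("RRSIG")
    fmt = "%Y%m%d%H%M%S"
    return {"expiration": datetime.strptime(f[i + 5], fmt).replace(tzinfo=timezone.utc),
            "inception": datetime.strptime(f[i + 6], fmt).replace(tzinfo=timezone.utc),
            "key_tag": int(f[i + 7]), "signer": f[i + 8]}

def diagnose(rrsig_line, dnskey_lines, now):
    """Return the list of problems found; an empty list means both checks pass."""
    sig = parse_rrsig(rrsig_line)
    problems = []
    if now > sig["expiration"]:
        problems.append("RRSIG expired (zone not re-signed)")
    if now < sig["inception"]:
        problems.append("RRSIG not yet valid (check the clock)")
    if sig["key_tag"] not in {parse_dnskey(l) for l in dnskey_lines}:
        problems.append(f"no DNSKEY with key tag {sig['key_tag']} (bad key roll)")
    return problems

# Constructed sample records: a 4-byte fake key (tag 2063), not a usable RSA key.
DNSKEYS = ["example.test. 3600 IN DNSKEY 257 3 8 AQIDBA=="]
RRSIG_OK = "example.test. 3600 IN RRSIG A 8 2 3600 20100401000000 20100302000000 2063 example.test. c2ln"
RRSIG_STALE = "example.test. 3600 IN RRSIG A 8 2 3600 20100301000000 20100201000000 4242 example.test. c2ln"
NOW = datetime(2010, 3, 11, 1, 11, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("good RRSIG :", diagnose(RRSIG_OK, DNSKEYS, NOW) or "ok")
    print("stale RRSIG:", diagnose(RRSIG_STALE, DNSKEYS, NOW))
```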