DNSSEC, whitehouse, isc, and troubleshooting...

Eivind Olsen eivind at aminor.no
Mon Apr 18 18:13:55 UTC 2011


John Williams wrote:
> Is anyone else seeing this behavior?  Also, is there a link that addresses
> troubleshooting or diagnosing DNSSEC based queries?

One minor issue:

If I query a.gov-servers.net for the nameservers of whitehouse.org, it
returns a list of 6. If I query any of these, they give me a list of 8
(the additional two being usw5.akam.net and usw6.akam.net).

But, to the original question: I get the AD flag when I query through my
validating resolver:

[eivind at vimes ~]$ /usr/local/bin/dig +dnssec any whitehouse.gov @127.0.0.1

; <<>> DiG 9.8.0 <<>> +dnssec any whitehouse.gov @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18201
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 1
...etc...

If on the other hand I ask for www.whitehouse.gov, I get a CNAME outside
of the zone, pointing to www.whitehouse.gov.edgesuite.net which is yet
another CNAME pointing to a1128.h.akamai.net. Neither of these seems to be
DNSSEC signed.

Regards
Eivind Olsen
eivind at aminor.no
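
The two checks described in the message above (the `ad` flag in the header, and whether each link of the CNAME chain carries an RRSIG), as an added example that is not part of the original post. The dig output is a constructed sample: the TTLs, key tag, signature and address are placeholders, and `sample_dig_output` and `dnssec_report` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `dig +dnssec www.whitehouse.gov` output. TTLs, key tag,
# signature and address are placeholders, not captured data.
sample_dig_output() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.whitehouse.gov. 3600 IN CNAME www.whitehouse.gov.edgesuite.net.
www.whitehouse.gov. 3600 IN RRSIG CNAME 7 3 3600 20110425000000 20110415000000 12345 whitehouse.gov. PLACEHOLDERSIG=
www.whitehouse.gov.edgesuite.net. 900 IN CNAME a1128.h.akamai.net.
a1128.h.akamai.net. 20 IN A 192.0.2.10

;; Query time: 1 msec
EOF
}

# Reads dig output on stdin. Prints "ad=yes|no" for the header flags, then one
# line per RRset in the answer section: "<owner> <type> signed|unsigned".
dnssec_report() {
  awk '
    /^;; flags:/ {
      sub(/^;; flags:/, ""); sub(/;.*/, "")      # keep only the flag words
      ad = "no"
      n = split($0, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "ad") ad = "yes"
      print "ad=" ad
      next
    }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^$/ || /^;/          { in_answer = 0; next }   # any other section ends it
    # RRSIG rdata starts with the type it covers, so $5 is that type
    in_answer && $4 == "RRSIG" { covered[$1 " " $5] = 1; next }
    in_answer {
      key = $1 " " $4
      if (!(key in seen)) { seen[key] = 1; order[++cnt] = key }
    }
    END {
      for (i = 1; i <= cnt; i++)
        print order[i], ((order[i] in covered) ? "signed" : "unsigned")
    }
  '
}

sample_dig_output | dnssec_report
```

A validating resolver sets AD only when every RRset in the answer and authority sections validated, so a chain that leaves the signed zone for unsigned names comes back without `ad` even though its first link is signed.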




