DNSSEC, whitehouse, isc, and troubleshooting...

Casey Deccio casey at deccio.net
Mon Apr 18 18:17:45 UTC 2011


On Mon, Apr 18, 2011 at 11:07 AM, Evan Hunt <each at isc.org> wrote:

> On Mon, Apr 18, 2011 at 10:51:04AM -0700, John Williams wrote:
> > From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad
> > flag as expected.  I don't see that flag when I query whitehouse.gov (w/
> > +dnssec) and I know that zone is signed.
> >
> > Is anyone else seeing this behavior?  Also, is there a link that
> > addresses troubleshooting or diagnosing DNSSEC based queries?
>
> My guess is you're looking at www.whitehouse.gov, which is a CNAME to
> www.whitehouse.gov.edgesuite.net, which isn't signed, so the ad flag
> is unset.  Try "dig +dnssec ns whitehouse.gov" and you should see
> the ad flag.  (Anyway, it's working for me at the moment.)
>
>
As far as DNSSEC troubleshooting tools go, this alias relationship is
illustrated using DNSViz, an online analysis tool:
http://dnsviz.net/d/www.whitehouse.gov/dnssec/ .  Note that the
www.whitehouse.gov RRset is "secure", but the name it aliases is "insecure"
(no chain of trust).  Thus, the resolver (as Evan mentioned) does not set
the AD flag when queried for www.whitehouse.gov.

Casey
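A worked illustration of the diagnosis above, added here as an example and not code from the original thread, from ISC or from DNSViz. It parses the text that `dig +dnssec` prints, reads the AD bit out of the flags line, and lists every RRset in the ANSWER section that has no covering RRSIG, which is the usual sign that a CNAME chain crossed into an unsigned zone. Both dig outputs embedded below are constructed by hand to mirror the case in the thread; the 192.0.2.10 address, the ns1.example.net name server, TTLs, query ids and signature fields are made-up values, and the edgesuite.net target is simplified to an A record rather than a further CNAME.

```python
"""Explain a missing AD flag from `dig +dnssec` output.

Added example for this bind-users thread; not code from the original post,
from ISC/BIND or from DNSViz. The sample outputs below are constructed:
addresses, name servers, TTLs, ids and RRSIG fields are placeholders.
"""
import re

# Constructed sample: `dig +dnssec www.whitehouse.gov` at a validating
# resolver. The CNAME at the signed name carries an RRSIG; the target is in
# an unsigned zone, so its A RRset has no RRSIG and the resolver leaves AD clear.
DIG_WWW = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.whitehouse.gov.\t300\tIN\tCNAME\twww.whitehouse.gov.edgesuite.net.
www.whitehouse.gov.\t300\tIN\tRRSIG\tCNAME 7 3 300 20110501000000 20110418000000 4242 whitehouse.gov. AAAA
www.whitehouse.gov.edgesuite.net.\t20\tIN\tA\t192.0.2.10
"""

# Constructed sample: `dig +dnssec ns whitehouse.gov`. Every RRset in the
# answer is signed and validates, so the resolver sets AD.
DIG_NS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
whitehouse.gov.\t3600\tIN\tNS\tns1.example.net.
whitehouse.gov.\t3600\tIN\tRRSIG\tNS 7 2 3600 20110501000000 20110418000000 4242 whitehouse.gov. AAAA
"""

FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.M)
# owner  TTL  IN  TYPE  rdata   (dig's default presentation format)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def flags(text):
    """Return the set of header flags (qr, rd, ra, ad, ...) from dig output."""
    m = FLAGS_RE.search(text)
    return set(m.group(1).split()) if m else set()


def has_ad(text):
    """True if the resolver asserted that the whole answer validated."""
    return "ad" in flags(text)


def answer_records(text):
    """Return (owner, type, rdata) for every record in the ANSWER section."""
    recs = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends it
            in_answer = False
            continue
        if not in_answer or not line.strip():
            continue
        m = RR_RE.match(line)
        if m:
            recs.append((m.group(1).lower(), m.group(3), m.group(4)))
    return recs


def unsigned_rrsets(text):
    """(owner, type) pairs in the answer with no RRSIG covering them.

    A validating resolver sets AD only when every RRset along the answer
    chain (including each CNAME target) validates. An RRset with no RRSIG at
    all is the usual sign that the chain crossed into an unsigned zone. This
    is a diagnostic, not a verdict: a bogus signature also clears AD (and
    normally produces SERVFAIL), so the AD bit itself stays authoritative.
    """
    recs = answer_records(text)
    signed = {(owner, rdata.split()[0])
              for owner, rtype, rdata in recs if rtype == "RRSIG"}
    rrsets = []
    for owner, rtype, _ in recs:
        if rtype != "RRSIG" and (owner, rtype) not in rrsets:
            rrsets.append((owner, rtype))
    return [rs for rs in rrsets if rs not in signed]


def explain(text):
    """One-line explanation of the AD bit for a dig +dnssec response."""
    if has_ad(text):
        return "AD set: every RRset in the answer validated"
    missing = unsigned_rrsets(text)
    if missing:
        return "AD not set: no RRSIG for " + ", ".join(
            f"{owner} {rtype}" for owner, rtype in missing)
    return ("AD not set: all RRsets carry RRSIGs, so either validation "
            "failed or the resolver is not validating")


if __name__ == "__main__":
    for label, out in (("www.whitehouse.gov", DIG_WWW), ("ns whitehouse.gov", DIG_NS)):
        print(f"{label}: {explain(out)}")
```

Run it against real output by replacing the constructed strings with the text of `dig +dnssec <name>`; when the listed unsigned name is the target of a CNAME in a different zone, the result matches the DNSViz picture above, where www.whitehouse.gov is secure but the name it aliases is insecure.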