Single nameserver doesn't show signed SOA-RRs

Stefan Foerster cite at
Thu Jun 30 18:55:22 UTC 2011

* Mark Andrews <marka at>:
> In message <20110630031511.GN14980 at>, Stefan Foerster writes:
> > * Mark Andrews <marka at>:
> > > Contact the adminstrator of the server and request that they stop
> > > disabling dnssec.  "dnssec-enable yes;" is the default for all
> > > version except 9.3.x.
> > 
> > Are you sure that has DNSSEC disabled? The admin told me
> > he had added "dnssec-enable yes;" to the named.conf file.
> But has he reloaded/reconfigured the server?
> "dig any @" shows the server has the
> signatures.
> "dig soa @ +dnssec" show that they arn't
> being returned when requested and it also shows DO being returned
> which means there is nothing stripping out the DO bit on the way
> to the server or on the way back.

You were, of course, right. The admin had reconfigured the wrong
nameserver. I apologize for the noise.


More information about the bind-users mailing list