testing validation

Spain, Dr. Jeffry A. spainj at countryday.net
Wed Apr 18 17:33:29 UTC 2012

> I'm testing out dnssec with bind 9.9.0's auto signing and a test domain; this appears to be working (see below, RRSIG records returned from the actual nameserver), however an attempt to validate fails with:
> # dig +dnssec +sigchase soa raindrop.us
> When I simply try to validate the root:

> # dig +dnssec +sigchase .
> ;; NO ANSWERS: no more

> # dig +dnssec @ns6.peak.org raindrop.us
> ;; WARNING: recursion requested but not available

Your post is somewhat unclear to me. Querying from my bind 9.9.0 recursive resolver "dig @localhost raindrop.us +dnssec", I get an AD flag returned, suggesting that dnssec is working for raindrop.us. In your query "dig +dnssec +sigchase soa raindrop.us", is the resolver dnssec-enabled? I assume this would be one of the resolvers listed in your resolv.conf file. It appears that ns6.peak.org is not a recursive resolver. Does it have a zone file for raindrop.us?

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
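
The reply above turns on two header bits: AD, which a validating recursive resolver sets on answers it has verified, and RA, whose absence is what produces dig's "recursion requested but not available" warning. The sketch below is an added example, not part of the original message: it builds the kind of query `dig +dnssec` sends and classifies a response header by those bits. The function names and the sample headers are constructed for illustration.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035).
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020

def build_query(name, qtype=6, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT record carrying DO, as dig +dnssec sends."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype 6 = SOA, class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO flag, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def classify(response):
    """Say what the header flags of a response tell us about validation."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & QR:
        raise ValueError("not a response")
    if not flags & RA:
        # Authoritative-only server: it can return RRSIGs but validates nothing.
        return "no-recursion"
    if flags & 0x000F == 2:
        # A validating resolver answers SERVFAIL when validation fails.
        return "servfail"
    if flags & AD:
        return "validated"
    return "unvalidated"

def header(flags):
    """Constructed 12-byte response header with the given flags and one answer."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1)

# Constructed samples, not captured traffic.
SAMPLES = {
    "validating resolver": header(QR | RD | RA | AD),
    "authoritative server": header(QR | AA | RD),
    "non-validating resolver": header(QR | RD | RA),
    "validation failure": header(QR | RD | RA | 2),
}

if __name__ == "__main__":
    print(build_query("raindrop.us").hex())
    for label, raw in SAMPLES.items():
        print(f"{label}: {classify(raw)}")
```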
