testing validation

Alan Batie alan at peak.org
Wed Apr 18 17:51:26 UTC 2012

On 4/18/12 10:33 AM, Spain, Dr. Jeffry A. wrote:

> Your post is somewhat unclear to me. Querying from my bind 9.9.0 recursive resolver "dig @localhost raindrop.us +dnssec", I get an AD flag returned, suggesting that dnssec is working for raindrop.us. In your query "dig +dnssec +sigchase soa raindrop.us", is the resolver dnssec-enabled? I assume this would be one of the resolvers listed in your resolv.conf file. It appears that ns6.peak.org is not a recursive resolver. Does it have a zone file for raindrop.us?

That's somewhat reassuring in that at least the authoritative server
seems to be working, meaning it's my resolver that isn't.

Sorry about the clarity - I am working with two machines, each running
bind 9.9.0: ns6.peak.org is the test authoritative server which is
serving the test domain, raindrop.us.  I'm using another machine as a
dnssec enabled resolver to do the testing from with this named.conf:

include "/var/named/rdrop.blocks";
include "/var/named/peak.blocks";

options {
        directory "/var/named";
        pid-file "/var/run/named/pid";

        // the addresses inside the next three statements (and the closing
        // "};" of allow-query / allow-recursion) were stripped by the list
        // archive; the gaps are left as they appear in the post
        listen-on {; };
        listen-on-v6 { ::1; };

        allow-query {;
        allow-recursion {;
        allow-transfer { none; };

        dnssec-enable yes;
        dnssec-validation yes;
        masterfile-format text;

        // the source address token is also missing here in the archived copy
        query-source address port *;
        version "named";
};

managed-keys {
        // the beginning of the root trust anchor was truncated in the archive
        "." initial-key 257 3 8
        "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
};

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "master/localhost-reverse.db";
};
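The thread turns on reading the AD flag out of `dig +dnssec` output to decide whether a resolver is actually validating. The script below is an added example, not code from the original post or from BIND: it parses the dig header lines and classifies the result as validated (AD set), not validated (NOERROR without AD while the DO bit was sent), query sent without DNSSEC (no DO bit), or SERVFAIL (what BIND returns when validation fails). The three dig transcripts, the id values and the name example.test are constructed placeholders; `dig_classify` is a hypothetical wrapper that runs the real dig binary and needs network access.

```python
"""Classify `dig +dnssec` output to tell a validating resolver from a non-validating one.

Added example (not from the original post). Only the dig header lines are
parsed, so the samples below are constructed and example.test is a placeholder.
"""
import re
import subprocess

# Constructed sample: answer from a validating resolver (AD flag set)
SAMPLE_VALIDATED = """\
; <<>> DiG 9.9.0 <<>> @localhost example.test soa +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.test.			IN	SOA
"""

# Constructed sample: resolver answers but does not validate (no AD flag)
SAMPLE_NO_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

# Constructed sample: validation failed, BIND returns SERVFAIL
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
# Anchored to the ";; flags:" line so the EDNS "flags: do" line is not matched by mistake
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags:([^;]*);", re.M)


def parse_header(text):
    """Return status, header flags and EDNS flags from dig output."""
    hdr = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    edns = EDNS_RE.search(text)
    if hdr is None or flags is None:
        raise ValueError("no dig header found (is this dig output?)")
    return {
        "status": hdr.group(2),
        "flags": set(flags.group(1).split()),
        "edns_flags": set(edns.group(1).split()) if edns else set(),
    }


def classify(text):
    """Map dig output to one outcome of a DNSSEC validation test."""
    h = parse_header(text)
    if h["status"] == "SERVFAIL":
        # BIND answers SERVFAIL when validation fails (bogus data or a broken
        # chain of trust); the resolver's log says which
        return "servfail"
    if h["status"] != "NOERROR":
        return "error:" + h["status"]
    if "ad" in h["flags"]:
        return "validated"
    if "do" not in h["edns_flags"]:
        # Without the DO bit the query was not sent with +dnssec, so a
        # missing AD flag says nothing about the resolver
        return "no-dnssec-query"
    return "not-validated"


def dig_classify(name, rtype="SOA", server="localhost"):
    """Hypothetical wrapper: run dig against a resolver and classify the result."""
    out = subprocess.run(
        ["dig", "@" + server, name, rtype, "+dnssec"],
        capture_output=True, text=True, check=True,
    ).stdout
    return classify(out)


if __name__ == "__main__":
    for label, sample in [("validated", SAMPLE_VALIDATED),
                          ("no AD", SAMPLE_NO_AD),
                          ("servfail", SAMPLE_SERVFAIL)]:
        print(label, "->", classify(sample))
```

Run it as-is to see the three constructed transcripts classified; point `dig_classify("raindrop.us", server="127.0.0.1")` at the validating resolver to test a live query. A "not-validated" result against a zone that validates elsewhere points at the resolver configuration (trust anchor, `dnssec-validation`), while "servfail" points at the chain of trust for that zone.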

