how can i recognize dnssec servers

Paul Wouters paul at
Wed Apr 25 16:52:48 UTC 2012

On Wed, 25 Apr 2012, William SAMEN wrote:

> Hi, all Bind'ers
> I'm just trying to write a bash script which allows me to collect a list of zones which are signed with DNSSEC by giving a file of requests as an argument.
> So my problem is that I created my personal DNS with 3 signed zones. When I'm testing, all is good, but when I did a dig +dnssec on domain (for example), my DNS server didn't return an RRSIG in the answer section. Is that OK?
> Do you think I made a mistake in my named configuration? Recursion is working very well, but
> how can I know that a zone or domain has been signed? Is a dig +dnssec the best or the only way to know that?

Assuming your system uses a DNSSEC configured resolver with the root
key, and with "signed" you really mean "secure" (that is with a DS or
DLV trust path), you can use:

[paul at thinkpad ~]$ dig +dnssec|grep flags |grep "ad;"
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
[paul at thinkpad ~]$ echo $?
[paul at thinkpad ~]$ dig +dnssec|grep flags |grep "ad;"
[paul at thinkpad ~]$ echo $?

> Thanks for your help!!!
> William Thierry SAMEN
> _______________________________________________
> Please visit to unsubscribe from this list
> bind-users mailing list
> bind-users at
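
An added example, not part of the original thread: the AD-flag check from the reply turned into the script the question asks for, reading names from a file and querying the system's validating resolver. It tests the flag words individually and also reads the status field, since a validating resolver answers SERVFAIL for data that fails validation; the `DIG` override and the sample headers are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original thread.

# classify_dig_output: read `dig +dnssec` output on stdin, print one of
#   secure   - "ad" flag set: the resolver validated the answer
#   insecure - answered without "ad": no trust path to the zone
#   failed   - SERVFAIL or no reply; validating resolvers answer SERVFAIL
#              for bogus data, so these names need a closer look
classify_dig_output() {
    awk '
        /^;; ->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            line = $0
            sub(/^;; flags: */, "", line)   # drop the label
            sub(/;.*/, "", line)            # keep only the flag words
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status != "NOERROR" && status != "NXDOMAIN") print "failed"
            else if (ad) print "secure"
            else print "insecure"
        }'
}

# check_zones FILE: FILE holds one name per line; prints "name result".
# DIG is a hypothetical override so a stub can replace the real dig.
check_zones() {
    while IFS= read -r name; do
        case $name in ''|'#'*) continue ;; esac
        result=$(${DIG:-dig} +dnssec "$name" </dev/null | classify_dig_output)
        printf '%s %s\n' "$name" "$result"
    done < "$1"
}

# Constructed sample headers (the flags line of the first is from the thread).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_SECURE" | classify_dig_output    # secure
```

The AD flag is only as trustworthy as the path to the resolver that set it, so run this against a validating resolver on the local host or one reached over a trusted link.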
