Dig fails to validate signature chains of TLD zones

Evan Hunt each at isc.org
Wed May 30 16:13:36 UTC 2012

On Wed, May 30, 2012 at 06:35:56PM +0400, Nikolay Shaplov wrote:
> I am trying to validate the DNSSEC signature of a top-level zone using dig.

"dig +sigchase" is known to have serious flaws (that's why it's not
compiled in to BIND 9 by default).  Our long-term plan has been to rewrite
it completely.  So far other work has always had higher priority, so it
hasn't happened yet, but it will.

In the meantime (much as it pains me to admit to having been outclassed :)),
the best command-line tool I'm aware of for validating signatures is
"drill", which ships as part of Unbound (http://nlnetlabs.nl).

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list