How to get AD flag

rams bramesh80 at gmail.com
Fri Aug 2 05:48:25 UTC 2013


Thanks David,
This is the response I get:
dig +short rs.dns-oarc.net txt @<forwarderip>
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"50.16.87.189 sent EDNS buffer size 4096"
"50.16.87.189 DNS reply size limit is at least 3843 bytes"



On Fri, Aug 2, 2013 at 11:11 AM, David Newman <dnewman at networktest.com> wrote:

> On 8/1/13 10:19 PM, rams wrote:
>
> > I have BIND 9.7 installed and configured as recursive. When I query
> > against the forwarder I am not getting the AD flag, but the remaining
> > answer is correct for a signed query. Could you please guide me on how
> > to get the AD flag? I have already enabled dnssec-validation and
> > dnssec-enabled.
>
> It's possible your forwarder has a bug that doesn't return DNSSEC
> responses (this is the case with one of our registrars' secondaries), or
> there may be a network problem.
>
> Try the dns-oarc reply size test against your forwarder:
>
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> $ dig +short rs.dns-oarc.net txt @address_of_your_forwarder
>
> DNSSEC nameservers should not truncate or fragment responses, and should
> support EDNS and UDP and TCP responses. Fix any problems here first
> before doing DNSSEC debugging.
>
> You might also try querying other nameservers (e.g., Google's at
> 8.8.8.8) and check the flags there.
>
> dn
>
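
Added example, not part of the original thread and not code from BIND or dig: a Python sketch of what "checking the flags" means on the wire, building a query with the EDNS DO bit set (what `dig +dnssec` requests) and decoding the AD and TC bits from a reply header. The function names and the three sample reply headers are constructed for illustration.

```python
import struct

# Header flag bits in the order dig prints them (RFC 1035, RFC 4035).
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]
EDNS_DO = 0x8000  # "DNSSEC OK" bit in the OPT record's flags (RFC 3225)

def build_query(name, qtype=16, bufsize=4096, qid=0x1234):
    """Wire-format query with RD=1 and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype 16 = TXT, class IN
    # OPT RR: root owner, type 41, class = UDP buffer size, TTL = flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, EDNS_DO, 0)
    return header + question + opt

def decode_flags(msg):
    """Return the ID, RCODE and set flag names from a DNS message header."""
    if len(msg) < 12:
        raise ValueError("short DNS message: header is 12 bytes")
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "rcode": flags & 0x000F,
            "flags": [n for n, bit in FLAG_BITS if flags & bit]}

def ad_status(msg):
    """Say what the header tells us about validation by the responder."""
    flags = decode_flags(msg)["flags"]
    if "tc" in flags:
        return "truncated: retry over TCP before judging DNSSEC"
    if "ad" in flags:
        return "AD set: responder reports the answer as validated"
    return "AD clear: not validated"

# Constructed 12-byte reply headers (not captured traffic).
REPLY_WITH_AD = bytes.fromhex("123481a00001000100000001")     # qr rd ra ad
REPLY_WITHOUT_AD = bytes.fromhex("123481800001000100000001")  # qr rd ra
REPLY_TRUNCATED = bytes.fromhex("123483800001000000000001")   # qr tc rd ra

if __name__ == "__main__":
    print(build_query("rs.dns-oarc.net").hex())
    for reply in (REPLY_WITH_AD, REPLY_WITHOUT_AD, REPLY_TRUNCATED):
        print(decode_flags(reply)["flags"], "->", ad_status(reply))
```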