Troubleshooting DNSSEC issue w/

Casey Deccio casey at
Thu Jul 18 07:58:22 UTC 2013

On Wed, Jul 17, 2013 at 10:58 AM, Bill Owens <owens at> wrote:
> This is one of the weirder ones I've seen. . . there are TXT and MX records for, both correctly signed:
> ...
> However, that NSEC3 record is not signed.

FWIW, DNSViz checks the chain of trust for authenticated
denial-of-existence, but it doesn't display it by default.  If you
select "denial of existence" from the "DNSSEC options" then you see
some errors on the left (maybe we could have it shown by default if
there are errors).

However, it seems the graph is missing corresponding red, dashed
arrows that are usually used to show when *some* servers are missing
RRSIGs--that will need to be looked into.  Because two of the servers
are returning RRSIGs for NSEC3, it does show arrows on the
authentication chain.  The rest, however, are certainly lacking


More information about the bind-users mailing list