dnssec validation issue

Mukund Sivaraman muks at isc.org
Wed Aug 30 13:31:16 UTC 2017


Hi Ganga

On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote:
> With dnssec-validation turned on, resolving sites like www.icann.org
> <http://www.icann.org/> fails. The alternative is to remove validation
> which of course is not the desired solution.

Are you able to reproduce the bug with the latest stock version of BIND
9.9?  9.9.4 is very old and that branch has had numerous bugfixes since.

I'm not able to reproduce such a validation failure with 9.9.11:

[muks at jurassic bind9]$ bin/dig @127.0.0.1 -p 53000 www.icann.org

; <<>> DiG 9.9.11 <<>> @127.0.0.1 -p 53000 www.icann.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28837
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.icann.org.			IN	A

;; ANSWER SECTION:
www.icann.org.		3497	IN	CNAME	www.vip.icann.org.
www.vip.icann.org.	30	IN	A	192.0.32.7

;; Query time: 464 msec
;; SERVER: 127.0.0.1#53000(127.0.0.1)
;; WHEN: Wed Aug 30 18:59:51 IST 2017
;; MSG SIZE  rcvd: 80

[muks at jurassic bind9]$

Both dig and named are from BIND 9.9.11. AD bit is set indicating
validation was performed.

		Mukund
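An added example, not part of the original message or of BIND: the "flags: qr rd ra ad" line that dig prints is a decoding of the second 16-bit word of the DNS header, and this Python code decodes that word directly and classifies the response. The first sample header is constructed from the id, flags and counts in the dig output above; the SERVFAIL sample and the function names are assumptions made for illustration.

```python
import struct

# Bit masks in the flags word of the DNS header (RFC 1035; AD and CD per RFC 4035).
FLAGS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
         "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes; message is truncated")
    ident, word, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "opcode": (word >> 11) & 0xF,
        "rcode": RCODES.get(word & 0xF, str(word & 0xF)),
        "flags": [name for name, mask in FLAGS.items() if word & mask],
        "counts": (qd, an, ns, ar),  # QUERY, ANSWER, AUTHORITY, ADDITIONAL
    }

def validation_status(hdr: dict) -> str:
    """Classify a resolver response by its DNSSEC-related header bits."""
    if "qr" not in hdr["flags"]:
        raise ValueError("not a response (QR bit clear)")
    if hdr["rcode"] == "SERVFAIL":
        # A validating resolver answers SERVFAIL for data it judges bogus;
        # repeating the query with CD set (dig +cd) shows whether validation is the cause.
        return "servfail"
    if "ad" in hdr["flags"]:
        # AD is only meaningful when the path to the resolver is trusted,
        # as with the 127.0.0.1 resolver queried in the post.
        return "validated"
    if "cd" in hdr["flags"]:
        return "checking-disabled"
    return "unvalidated"

# Constructed from the dig output in the post: id 28837, flags qr rd ra ad,
# QUERY 1, ANSWER 2, AUTHORITY 0, ADDITIONAL 1.
HEADER_FROM_POST = bytes.fromhex("70a581a00001000200000001")
# Constructed sample of a failure: flags qr rd ra, rcode SERVFAIL, no answers.
HEADER_SERVFAIL = bytes.fromhex("70a681820001000000000001")

if __name__ == "__main__":
    for raw in (HEADER_FROM_POST, HEADER_SERVFAIL):
        hdr = parse_header(raw)
        print(hdr["id"], hdr["rcode"], " ".join(hdr["flags"]), validation_status(hdr))
```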

