Hello,<div><br></div><div> Is your recursive resolver also authoritative for <a href="http://raindrop.us">raindrop.us</a>? If so, you will not get the "ad" flag. You can test with DNS-OARC resolver [1]:</div><div>
<br></div><div><font face="'courier new', monospace"># dig +dnssec +multiline @<a href="http://149.20.64.20">149.20.64.20</a> <a href="http://raindrop.us">raindrop.us</a></font></div><div><font face="'courier new', monospace"><br>
</font></div><div><div><font face="'courier new', monospace">; <<>> DiG 9.7.3 <<>> +dnssec +multiline @<a href="http://149.20.64.20">149.20.64.20</a> <a href="http://raindrop.us">raindrop.us</a></font></div>
<div><font face="'courier new', monospace">; (1 server found)</font></div><div><font face="'courier new', monospace">;; global options: +cmd</font></div><div><font face="'courier new', monospace">;; Got answer:</font></div>
<div><font face="'courier new', monospace">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28120</font></div><div><font face="'courier new', monospace">;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">;; OPT PSEUDOSECTION:</font></div><div><font face="'courier new', monospace">; EDNS: version: 0, flags: do; udp: 4096</font></div>
<div><font face="'courier new', monospace">;; QUESTION SECTION:</font></div><div><font face="'courier new', monospace">;<a href="http://raindrop.us">raindrop.us</a>. IN A</font></div><div><font face="'courier new', monospace"><br>
</font></div><div><font face="'courier new', monospace">;; ANSWER SECTION:</font></div><div><font face="'courier new', monospace"><a href="http://raindrop.us">raindrop.us</a>. 3600 IN A 199.26.172.34</font></div>
<div><font face="'courier new', monospace"><a href="http://raindrop.us">raindrop.us</a>. 3600 IN RRSIG A 5 2 3600 20120512011136 (</font></div><div><font face="'courier new', monospace"> 20120412010327 41190 <a href="http://raindrop.us">raindrop.us</a>.</font></div>
<div><font face="'courier new', monospace"> kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtD</font></div><div><font face="'courier new', monospace"> lTDfsk+2pPZ/XwKj1k2jIYButqXximUjHOHQHK1bSru7</font></div>
<div><font face="'courier new', monospace"> V8DkkN7JF/wozTOiGCs777sOs90jKmaHIIMSTbNcQgtD</font></div><div><font face="'courier new', monospace"> ySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5SVBY= )</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">;; Query time: 787 msec</font></div><div><font face="'courier new', monospace">;; SERVER: 149.20.64.20#53(149.20.64.20)</font></div>
<div><font face="'courier new', monospace">;; WHEN: Wed Apr 18 14:39:45 2012</font></div><div><font face="'courier new', monospace">;; MSG SIZE rcvd: 227</font></div></div><div><br></div><div> It's working fine.</div>
<div><br></div><div>[1] - <a href="https://www.dns-oarc.net/oarc/services/odvr">https://www.dns-oarc.net/oarc/services/odvr</a></div><div><br></div><div><br></div><div>Best regards,</div><div><br></div><div><div>---------------------------------</div>
<div>Carlos Eduardo Ribas</div><div><br></div>
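Added example, not code from either message in this thread: a stdlib-only Python checker that sends a query with the EDNS0 DO bit set and reports whether the reply carries AA (answered from the resolver's own zone data, so no AD expected) or AD (validated), which is the distinction drawn above. The resolver address is the DNS-OARC ODVR one quoted in this thread; the test name is a placeholder.

```python
"""Check whether a resolver's reply carries the DNSSEC AD flag (stdlib only)."""
import socket
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """DNS query: RD set, one question, one OPT RR with DO=1 (udp size 4096)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack(">HH", qtype, 1)          # QTYPE, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP size, ext RCODE, version, flags (DO), RDLEN
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Decode the 12-byte header into the flags dig prints on its 'flags:' line."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F, "answer": an,
    }

def verdict(f):
    """Interpret AA/AD the way a validating-resolver check should."""
    if f["aa"] and not f["ad"]:
        return "authoritative answer: server serves the zone itself, AD not expected"
    if f["ad"]:
        return "validated: AD set by a validating resolver"
    return "not validated: resolver is not validating or the chain is broken"

def check(server, qname, timeout=3.0):
    """Send one UDP query and return the parsed header flags of the reply."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    f = parse_flags(data)
    if f["id"] != 0x1234:
        raise ValueError("transaction id mismatch, discarding reply")
    return f

if __name__ == "__main__":
    # 149.20.64.20 is the DNS-OARC ODVR resolver mentioned in the thread;
    # "example.test" is a placeholder name.
    print(verdict(check("149.20.64.20", "example.test")))
```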
<br><br><div class="gmail_quote">2012/4/18 Alan Batie <span dir="ltr"><<a href="mailto:alan@peak.org">alan@peak.org</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm testing out dnssec with bind 9.9.0's auto signing and a test domain;<br>
this appears to be working (see below, RRSIG records returned from the<br>
actual nameserver), however an attempt to validate fails with:<br>
<br>
# dig +dnssec +sigchase soa <a href="http://raindrop.us" target="_blank">raindrop.us</a><br>
;; RRset to chase:<br>
<a href="http://raindrop.us" target="_blank">raindrop.us</a>. 987 IN SOA <a href="http://ns1.raindrop.us" target="_blank">ns1.raindrop.us</a>. <a href="http://hostmaster.rdrop.com" target="_blank">hostmaster.rdrop.com</a>.<br>
2012030815 3600 3600 86400 3600<br>
<br>
<br>
<br>
Launch a query to find a RRset of type RRSIG for zone: <a href="http://raindrop.us" target="_blank">raindrop.us</a>.<br>
<br>
;; RRSIG is missing for continue validation: FAILED<br>
<br>
<br>
I have this included in the resolver's named.conf:<br>
<br>
managed-keys {<br>
"." initial-key 257 3 8<br>
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF<br>
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX<br>
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD<br>
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz<br>
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS<br>
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";<br>
};<br>
<br>
per <a href="https://calomel.org/dns_bind.html" target="_blank">https://calomel.org/dns_bind.html</a><br>
<br>
When I simply try to validate the root:<br>
<br>
# dig +dnssec +sigchase .<br>
;; NO ANSWERS: no more<br>
We want to prove the non-existence of a type of rdata 1 or of the zone:<br>
there is no NSEC for this zone: validating that the zone doesn't exist<br>
<br>
;; Impossible to verify the Non-existence, the NSEC RRset can't be<br>
validated: FAILED<br>
<br>
I'm not sure what to look for now...<br>
<br>
<br>
<br>
# dig +dnssec @<a href="http://ns6.peak.org" target="_blank">ns6.peak.org</a> <a href="http://raindrop.us" target="_blank">raindrop.us</a><br>
<br>
; <<>> DiG 9.9.0 <<>> +dnssec @<a href="http://ns6.peak.org" target="_blank">ns6.peak.org</a> <a href="http://raindrop.us" target="_blank">raindrop.us</a><br>
; (1 server found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15953<br>
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 4096<br>
;; QUESTION SECTION:<br>
;<a href="http://raindrop.us" target="_blank">raindrop.us</a>. IN A<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://raindrop.us" target="_blank">raindrop.us</a>. 3600 IN A 199.26.172.34<br>
<a href="http://raindrop.us" target="_blank">raindrop.us</a>. 3600 IN RRSIG A 5 2 3600 20120512011136 20120412010327<br>
41190 <a href="http://raindrop.us" target="_blank">raindrop.us</a>.<br>
kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtDlTDfsk+2pPZ/<br>
XwKj1k2jIYButqXximUjHOHQHK1bSru7V8DkkN7JF/wozTOiGCs777sO<br>
s90jKmaHIIMSTbNcQgtDySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5S VBY=<br>
<br>
;; AUTHORITY SECTION:<br>
<a href="http://raindrop.us" target="_blank">raindrop.us</a>. 3600 IN NS <a href="http://ns1.raindrop.us" target="_blank">ns1.raindrop.us</a>.<br>
<a href="http://raindrop.us" target="_blank">raindrop.us</a>. 3600 IN RRSIG NS 5 2 3600 20120512011136 20120412010327<br>
41190 <a href="http://raindrop.us" target="_blank">raindrop.us</a>.<br>
UQxIRpKV+b4opfCJx/j4oIFht8nqxpn1g0siOLI2XkxfVrnXHh17/ChT<br>
X6PH5YOrF7D3v7AUMbVo+o8glSUfk1uML8i3C8H5lD/NmujPPrIqFaO/<br>
6zCJen1q34FVunCoqfrYvYlaKHenFGsrpOl61H75ns0IjLMXSs+TRpIY GTs=<br>
<br>
;; ADDITIONAL SECTION:<br>
<a href="http://ns1.raindrop.us" target="_blank">ns1.raindrop.us</a>. 3600 IN AAAA 2607:f678::56<br>
<a href="http://ns1.raindrop.us" target="_blank">ns1.raindrop.us</a>. 3600 IN RRSIG AAAA 5 3 3600 20120512011136<br>
20120412010327 41190 <a href="http://raindrop.us" target="_blank">raindrop.us</a>.<br>
MhaOIt7D7kT8k4USk9Mpocw+tSx8WBSO/Yi+4F/YFV1ZVSXLKgYj4K4S<br>
hTjVTBD3tCQYMJY+SkArlkoQRyTk4QYrLV8CP2TvvdrUPjZUZNAEMsuk<br>
0NWsd2tLgStZ34yN0Pe1xa9P2SZjvsXJj1D1N5JNFxfS/OFCwMa9Hvcr atM=<br>
<br>
;; Query time: 253 msec<br>
;; SERVER: 2607:f678:10::53#53(2607:f678:10::53)<br>
;; WHEN: Tue Apr 17 23:29:08 2012<br>
;; MSG SIZE rcvd: 615<br>
<br>
<br>
<br>
<br>
</blockquote></div><br></div>