Hi,
Maybe I'm getting something wrong here, but as far as I understand, when I
enable dnssec and dnssec-validation and have a zone with a trusted-key, bind
should not answer requests for bad dnssec signatures.
This is my config:
trusted-keys {
org. 257 3 7
Hanno Böck wrote:
dig baddata-A.test.dnssec-tools.org @localhost
There is no DS record for dnssec-tools.org in .org (chain of trust is
broken), so you can't validate the response -- thus the data being
passed back to you.
AlanC
On Wednesday 25 November 2009, Alan Clegg wrote:
There is no DS record for dnssec-tools.org in .org (chain of trust is
broken), so you can't validate the response -- thus the data being
passed back to you.
Ok, that explains it.
Are there any example domains with known-broken dnssec records
Hanno Böck wrote:
On Wednesday 25 November 2009, Alan Clegg wrote:
There is no DS record for dnssec-tools.org in .org (chain of trust is
broken), so you can't validate the response -- thus the data being
passed back to you.
Ok, that explains it.
Are there any example domains with
Or one could use DLV to provide the trust linkage.
dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 1
11A4026F4E09B1C106AAF3AC81A37AA537B8A3E6
dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 2
6B026928292D452A5CC37B3EF327F27F50A29936CB31E664EB066D71 A476E282
--
Mark Andrews,
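
The behaviour discussed in this thread, as an added example that is not part of any message above: a simplified Python model of how a validating resolver classifies an answer when a DS record is missing below the trust anchor, and how a DLV record restores the linkage. The function names and the zone data are constructed for illustration; DS and DLV lookups are reduced to set membership, and the DLV registry is assumed to be trusted.

```python
# Simplified model of validator states (after RFC 4035 section 4.3, RFC 5074).
# Not BIND code; all zone data below is constructed for illustration.

def ancestors(name):
    """Yield an absolute name, then each parent up to the root."""
    while True:
        yield name
        if name == ".":
            return
        name = name.split(".", 1)[1] or "."

def validate(qname, trust_anchors, zone_cuts, ds_present, dlv_present, rrsig_ok):
    """Return 'secure', 'insecure', 'bogus' or 'indeterminate'.

    zone_cuts:   zone apexes on the path to qname
    ds_present:  child zones that have a DS record in their parent
    dlv_present: zones that have a DLV record in a trusted lookaside registry
    rrsig_ok:    whether the answer's signature verifies
    """
    chain = list(ancestors(qname.lower()))          # leaf first, root last
    anchor = next((n for n in chain if n in trust_anchors), None)
    if anchor is None:
        return "indeterminate"                      # no anchor covers the name
    # Zone apexes between the anchor and the queried name, walked top-down.
    below = [n for n in reversed(chain[:chain.index(anchor)]) if n in zone_cuts]
    for zone in below:
        if zone not in ds_present and zone not in dlv_present:
            # Parent proves there is no DS: the chain of trust ends here and
            # everything below is unsigned from the validator's point of view.
            return "insecure"
    return "secure" if rrsig_ok else "bogus"

def resolver_response(status):
    """What the client sees for each state."""
    return {"secure": "answer, AD flag set",
            "bogus": "SERVFAIL"}.get(status, "answer, AD flag clear")

# Constructed scenario matching the thread: trust anchor for org.,
# no DS for dnssec-tools.org. in org., answer carries a bad signature.
QNAME = "baddata-A.test.dnssec-tools.org."
ANCHORS = {"org."}
CUTS = {"dnssec-tools.org."}

if __name__ == "__main__":
    for label, dlv in (("no DS, no DLV", set()), ("DLV present", CUTS)):
        status = validate(QNAME, ANCHORS, CUTS, set(), dlv, rrsig_ok=False)
        print(f"{label}: {status} -> {resolver_response(status)}")
```
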
In message 200911252202.napm2asg000...@drugs.dv.isc.org, Mark Andrews writes:
Or one could use DLV to provide the trust linkage.
dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 1
11A4026F4E09B1C106AAF3AC81A37AA537B8A3E6
dnssec-tools.org.dlv.isc.org. 3499 IN DLV 54556 5 2