I managed to walk isc dlv with only 2 servers with active dnssec above. and I quote ns1.novacrea.fr and ns1.xname.org.
it produced no problem before Le lundi 21 mars 2011 à 07:45 +0100, Torinthiel a écrit : > On 03/21/11 02:13, fakessh @ wrote: > > Yes, I bothered to redeploy new keys, fields TXT, a new signature. > > and more on a new rehabilitation isc dlv. > > > > > > I still get the same error > > > > nb : Simply debuggers dnssec still provide all kinds of resultasts > > And that's probably the main problem. Two of your nameservers have > either disabled DNSSec, or don't support it at all: > > Correct answer: > > $ dig +dnssec +norecurse +noall +answer dnskey fakessh.eu @r13151.ovh.net. > fakessh.eu. 38400 IN DNSKEY 257 3 5 > AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l > tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8= > fakessh.eu. 38400 IN DNSKEY 256 3 5 > AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb > tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE= > fakessh.eu. 38400 IN RRSIG DNSKEY 5 2 38400 > 20110419151040 20110320151040 10231 fakessh.eu. > VeCJRPlvC6gr+3f/OuMCrFQR42oQkDxJ7nTfLcJMH2XwPyvBOdR/nv55 > ZSs5wJ5Bl5CKAZjMRyWrUtM/wSGdTw== > fakessh.eu. 38400 IN RRSIG DNSKEY 5 2 38400 > 20110419151040 20110320151040 30111 fakessh.eu. > Y1DqOwGfRTxNdFruvOSalp8pVy+FWd/G+pqs+Qu4tkkLvanHcTisDSXA > JqbKvZpRrwGoL9o+5wKwPisDDqtf6g== > > > And incorrect (note missing RRSIGs): > dig +dnssec +noall +answer dnskey fakessh.eu @ns0.xname.org. > fakessh.eu. 38400 IN DNSKEY 257 3 5 > AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l > tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8= > fakessh.eu. 38400 IN DNSKEY 256 3 5 > AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb > tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYE= > > dig +dnssec +noall +answer dnskey fakessh.eu @ns2.xname.org. > fakessh.eu. 38400 IN DNSKEY 256 3 5 > AwEAAb1qeaah5D2pS+IcZiJiyZRA3KTgaV0/Sd8kSfzfbI3X45XZ7aLb > tIoN/kLJc2G7qAdqnSmoiN+TojG+UQeAtYEA > fakessh.eu. 38400 IN DNSKEY 257 3 5 > AwEAAbwO9edhHAn00RfAzMEwBdcYK1fnP16vh9BXltHrdAesHRFJ7G0l > tT4GyBgQcjFZyfk/HdHpnlDuT8fkjXphfS8A > > ISC doesn't publish your DLV record, because it has to see consistent > view of your zone. And it doesn't as you have missing RRSIGS from some > nameservers. > Either convince admins to deploy DNSSec or drop those nameservers. > Then it should work. > Torinthiel > > _______________________________________________ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- gpg --keyserver pgp.mit.edu --recv-key 092164A7 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
signature.asc
Description: Ceci est une partie de message numériquement signée
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users