On Thu, 19 Jan 2012, Axel Rau wrote:
On 18.01.2012 at 23:54, Evan Hunt wrote:
I tried the example from page 23 with a local zone, a trusted key and
inline-signing, like:
[...]
But I'm getting no ad-flag:
That's normal; authoritative servers don't set the AD bit, validating
resolvers do. (There's not much point in having an authoritative server
validate its own answers.)
Can dig tell me, if the sigs are valid, if I provide my trusted key?
Or do I need a 2nd (validating) ns?
Axel
One needs to ask a non-authoritative validating server. For checking our
publicly available DNSSEC signed site, I use the available recursing
validating oarc server.
dig +dnssec @bind.odvr.dns-oarc.net maplepark.com
and get the flags returned in a crontab script that checks it daily for
the ad flag.
Dave
--
David Forrest e-mail drf @ maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
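
The daily cron check described in the reply above, written out as an added example; it is not Dave's script and not part of the original thread. The default resolver is the one named in the post, while the function names, verdict labels and the `--selftest` sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): daily AD-flag check for cron.
# Read `dig +dnssec` output on stdin and print one verdict:
#   SECURE    status NOERROR and the ad flag is set (the resolver validated it)
#   INSECURE  status NOERROR without ad (unsigned zone or non-validating server)
#   SERVFAIL  resolver could not answer; a validating resolver returns this for bogus data
#   ERROR     no header seen (timeout, dig missing) or any other status
classify_dig_output() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            line = $0
            sub(/^;; flags:/, "", line)   # drop the label
            sub(/;.*/, "", line)          # drop the section counts
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "NOERROR") print (ad ? "SECURE" : "INSECURE")
            else if (status == "SERVFAIL") print "SERVFAIL"
            else print "ERROR"
        }'
}

# Constructed sample of a validated reply header, used by --selftest.
sample_secure() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242' \
        ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1' \
        '; EDNS: version: 0, flags: do; udp: 4096'
}

# check_zone ZONE [RESOLVER]: silent on success so cron only mails failures.
check_zone() {
    zone=$1
    resolver=${2:-bind.odvr.dns-oarc.net}   # resolver named in the post
    verdict=$(dig +dnssec "@$resolver" "$zone" 2>/dev/null | classify_dig_output)
    [ "$verdict" = "SECURE" ] && return 0
    echo "DNSSEC check failed: $zone via $resolver: $verdict" >&2; return 1
}

case "${1:-}" in
    "")         ;;                          # no arguments: define functions only
    --selftest) sample_secure | classify_dig_output ;;
    *)          check_zone "$@" ;;
esac
```

Only the `ad` token on the `;; flags:` header line counts; the `flags: do` in the EDNS line just echoes the DNSSEC OK bit and says nothing about validation.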