> I am trying to validate DNSSEC signature on ns record using dig.
> Domain nox.su is properly signed using DNSSEC. 
> I am trying to validate it as described here:
> http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/
> $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
> $ dig +topdown +sigchase  nox.su
> but it gives me ";; DSset is missing to continue validation: FAILED" error 
> while processing the whole hierarchy of zones.

> $ cat /etc/resolv.conf
> # Generated by NetworkManager
> domain router
> search router
> nameserver
> nameserver

Checking your two name servers, (google-public-dns-a.google.com) 
doesn't appear to offer DNSSEC validation, and (rms.coozila.com) 
doesn't respond to my query at all.

A known-good publicly accessible DNSSEC-validating recursive resolver is 
available at bind.odvr.dns-oarc.net. If I run "dig @bind.odvr.dns-oarc.net 
nox.su +dnssec", I get an AD (authenticated data) flag returned for the A 
record with IPv4 address This is a prima facie indication that 
DNSSEC is working for nox.su. The "+topdown" option isn't available to me (bind 
9.9.0rc2 version of dig).

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
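
The AD-flag check described in the reply above, as an added example that is not part of the original message: a shell function that classifies saved `dig +dnssec` output by response status and the `ad` header flag. The function name `classify_dig` and the sample outputs are constructed for illustration (192.0.2.10 is a documentation address, not the real record).

```shell
#!/bin/sh
# Classify saved `dig +dnssec` output read on stdin.
# Prints: validated | unvalidated | servfail | unknown
classify_dig() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            # Header flags sit between "flags:" and the first ";".
            # The "; EDNS: ... flags: do;" line is deliberately not matched.
            line = $0
            sub(/^;; flags:/, "", line)
            sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            # SERVFAIL from a validating resolver usually means validation failed.
            if (status == "SERVFAIL")            print "servfail"
            else if (status == "NOERROR" && ad)  print "validated"
            # NOERROR without AD: resolver does not validate, or zone is unsigned.
            else if (status == "NOERROR")        print "unvalidated"
            else                                 print "unknown"
        }'
}

# Constructed sample outputs (not captured from real servers).
sample_validating=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
nox.su.  3600  IN  A  192.0.2.10'

sample_nonvalidating=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
nox.su.  3600  IN  A  192.0.2.10'

sample_bogus=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$sample_validating" "$sample_nonvalidating" "$sample_bogus"; do
    printf '%s\n' "$s" | classify_dig
done
```

Against a live resolver the same function takes dig's output directly, for example `dig @bind.odvr.dns-oarc.net nox.su +dnssec | classify_dig`.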
