Hello,

To be precise: bind.odvr.dns-oarc.net. validates but seems to ignore expired (but otherwise valid) signatures. unbound.odvr.dns-oarc.net. validates without ignoring expired signatures.

Kind regards,
Marc Lampo
Security Officer
EURid vzw/asbl

-----Original Message-----
From: Spain, Dr. Jeffry A. [mailto:spa...@countryday.net]
Sent: 05 February 2012 09:35 PM
To: Nikolay Shaplov
Cc: email@example.com
Subject: RE: How to validate DNSSEC signed record with dig?

> I am trying to validate DNSSEC signature on ns record using dig.
> Domain nox.su is properly signed using DNSSEC.
> I am trying to validate it as described here:
> http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/
>
> $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
> $ dig +topdown +sigchase nox.su
>
> but it gives me ";; DSset is missing to continue validation: FAILED" error while processing the whole hierarchy of zones.
>
> $ cat /etc/resolv.conf
> # Generated by NetworkManager
> domain router
> search router
> nameserver 188.8.131.52
> nameserver 184.108.40.206

Checking your two name servers, 220.127.116.11 (google-public-dns-a.google.com) doesn't appear to offer DNSSEC validation, and 18.104.22.168 (rms.coozila.com) doesn't respond to my query at all.

A known-good publicly accessible DNSSEC-validating recursive resolver is available at bind.odvr.dns-oarc.net. If I run "dig @bind.odvr.dns-oarc.net nox.su +dnssec", I get an AD (authenticated data) flag returned for the A record with IPv4 address 22.214.171.124. This is a prima facie indication that DNSSEC is working for nox.su.

The "+topdown" option isn't available to me (bind 9.9.0rc2 version of dig).

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
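A small check for the "dig ... +dnssec" approach Jeffry describes, added here as an example and not part of the thread: it parses dig's output for the AD flag and reports whether each RRSIG's inception/expiration window contains the time of the check, which is the point Marc's note about resolvers ignoring expired signatures turns on. The sample output is constructed; its address, key tag and signature bytes are made up, not real nox.su data.

```python
import re
import sys
from datetime import datetime, timezone

FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
STATUS_RE = re.compile(r"status: (\w+)", re.M)
# RRSIG rdata order: type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)", re.M)


def rrsig_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 presentation format)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_dig_output(text, now):
    """Summarise dig output: rcode, whether the AD flag was set, and for each
    RRSIG whether `now` falls inside its inception..expiration window."""
    flags_m = FLAGS_RE.search(text)
    flags = flags_m.group(1).split() if flags_m else []
    status_m = STATUS_RE.search(text)
    rrsigs = []
    for owner, covers, exp, inc, keytag, signer in RRSIG_RE.findall(text):
        rrsigs.append({
            "owner": owner, "covers": covers, "keytag": int(keytag),
            "signer": signer, "expires": rrsig_time(exp),
            "in_window": rrsig_time(inc) <= now <= rrsig_time(exp),
        })
    return {"status": status_m.group(1) if status_m else None,
            "ad": "ad" in flags, "rrsigs": rrsigs}


# Constructed sample in the shape of `dig +dnssec` output (the address,
# key tag and signature bytes are made up, not real nox.su data).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
nox.su.\t\t3600\tIN\tA\t192.0.2.10
nox.su.\t\t3600\tIN\tRRSIG\tA 8 2 3600 20120301000000 20120201000000 54321 nox.su. MADEUPSIGNATUREBYTES==
"""

if __name__ == "__main__":
    # Usage: dig @bind.odvr.dns-oarc.net nox.su +dnssec | python check_dig.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    report = check_dig_output(text, datetime.now(timezone.utc))
    print(f"status={report['status']} ad={report['ad']}")
    for sig in report["rrsigs"]:
        state = "valid" if sig["in_window"] else "OUTSIDE VALIDITY WINDOW"
        print(f"RRSIG {sig['covers']} keytag {sig['keytag']} expires {sig['expires']:%Y-%m-%d}: {state}")
```

An AD flag from a resolver only tells you that resolver accepted the chain; comparing the RRSIG window yourself shows whether it should have.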