> I'm testing out dnssec with bind 9.9.0's auto signing and a test domain; this
> appears to be working (see below, RRSIG records returned from the actual
> nameserver), however an attempt to validate fails with:
> # dig +dnssec +sigchase soa raindrop.us
> When I simply try to validate the root:
> # dig +dnssec +sigchase .
> ;; NO ANSWERS: no more
> # dig +dnssec @ns6.peak.org raindrop.us
> ;; WARNING: recursion requested but not available

Your post is somewhat unclear to me. Querying from my bind 9.9.0 recursive resolver "dig @localhost raindrop.us +dnssec", I get an AD flag returned, suggesting that dnssec is working for raindrop.us. In your query "dig +dnssec +sigchase soa raindrop.us", is the resolver dnssec-enabled? I assume this would be one of the resolvers listed in your resolv.conf file. It appears that ns6.peak.org is not a recursive resolver. Does it have a zone file for raindrop.us?

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
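Added example, not part of the original thread: the reply above turns on two header flags, AD (answer validated by the resolver) and RA (recursion available), so this sketch decodes the 12-byte DNS header and classifies a response the way one would read dig's flags line. The function names and the sample headers are constructed for illustration; the bit positions are those of RFC 1035 and RFC 4035.

```python
import struct

# Flag bits in the 16-bit flags word of the DNS header (RFC 1035, RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
NAMES = [("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA), ("ad", AD), ("cd", CD)]


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a response message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "flags": [name for name, bit in NAMES if flags & bit],
        "rcode": flags & 0x000F,
        "answers": an,
    }


def dnssec_status(msg: bytes) -> str:
    """Classify what a response header says about DNSSEC validation."""
    hdr = parse_header(msg)
    f = hdr["flags"]
    if "qr" not in f:
        return "not a response"
    if hdr["rcode"] == 2:
        # A validating resolver answers SERVFAIL when validation fails.
        return "servfail: possible validation failure"
    if "ra" in f and "ad" in f:
        return "validated by resolver"
    if "ra" not in f:
        # Authoritative-only servers hand out RRSIGs but do not validate them.
        return "no recursion: server did not validate"
    return "recursive answer, not validated"


def make_header(flags: int, rcode: int = 0, answers: int = 1) -> bytes:
    """Build a constructed 12-byte header for the samples below."""
    return struct.pack("!6H", 0x1234, flags | rcode, 1, answers, 0, 1)


# Constructed sample headers, not captured traffic.
RESOLVER_OK = make_header(QR | RD | RA | AD)                     # validating recursive resolver
AUTH_ONLY = make_header(QR | AA | RD)                            # authoritative server, RA clear
RESOLVER_BOGUS = make_header(QR | RD | RA, rcode=2, answers=0)   # SERVFAIL from a resolver
```

The `AUTH_ONLY` case is the one dig reports as "recursion requested but not available": RRSIG records can be present in such an answer, but the AD flag only appears when a validating recursive resolver has checked the chain.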