In message <alpine.lrh.2.03.1312201229270.18...@maplepark.com>, David Forrest writes: > On Fri, 20 Dec 2013, Steven Carr wrote: > > > On 20 December 2013 18:10, pgndev <pgnet....@gmail.com> wrote: > >> Gandi.net > >> Great support, including DNSSEC: > > > > Gandi only support DNSSEC if you host the DNS elsewhere, their DNS > > servers do not support DNSSEC. > > > > Steve > gandi.net +1 > > I transferred from NS to Gandhi in December 1998. I don't know about their > hosting of primary DNS but they do host a secondary of mine and it seems > to resolve there with an aa flag: > > ; <<>> DiG 9.10.0a1 <<>> -t rrsig @ns6.gandi.net maplepark.com +norec > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64272 > ;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 5, ADDITIONAL: 3
You don't test for dnssec support by requesting rrsigs. Nameservers can return rrsigs without supporting dnssec. You test for dnssec support by doing a request for something else with "do=1" set (+dnssec) and seeing if rrsig, nsec/nsec3/ds records are returned along with the rest of the response. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
