On 2013-01-28, at 12:14, Hauke Lampe <[email protected]> wrote:

> It appears they're validating _only_ when queried with DO=1:

Yeah.

> dig badsig.dnstest.hauke-lampe.de @8.8.8.8 -> status: NOERROR
> dig +dnssec badsig.dnstest.hauke-lampe.de @8.8.8.8 -> status: SERVFAIL

They do the right thing with CD=1, DO=1:

[krill:~]% dig @8.8.8.8 badsig.dnstest.hauke-lampe.de A +dnssec +cd +noall +comments +answer

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 badsig.dnstest.hauke-lampe.de A +dnssec +cd +noall +comments +answer
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63408
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512

;; ANSWER SECTION:
badsig.dnstest.hauke-lampe.de. 198 IN A 85.10.240.253
badsig.dnstest.hauke-lampe.de. 198 IN RRSIG A 5 4 300 20100409031244 20100310031244 46791 badsig.dnstest.hauke-lampe.de. HDJtmGW02QHyKB1H23A+wKIHrLY0qsK74a+j8E5z809BfIY3L9HnSp0e SJfblQbn5ty8t3yZg31gBPc5n3y3cg==

[krill:~]%

> Still no alternative to a local validating resolver but a big step in the
> right direction, I think.

I think so, too.


Joe
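Added example, not part of the original message or of any project's code: the three probes discussed in the thread (plain, DO=1, DO=1 with CD=1) built as wire-format queries, with the response header decoded the way dig prints it. The function names, the query id and the 4096-byte EDNS payload size are assumptions; SAMPLE_HEADER is constructed from the dig output quoted above.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, do=False, cd=False, qid=0x1234, qtype=1):
    """Wire-format query with RD set; cd sets the CD header bit, do adds an EDNS0 OPT RR with DO."""
    flags = 0x0100 | (0x0010 if cd else 0)           # RD, optionally CD
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE (A by default), QCLASS IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL carries the DO flag (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0) if do else b""
    return header + question + opt

def parse_header(msg):
    """Decode the fields dig prints in its HEADER comment lines."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": qid, "rcode": RCODES.get(rcode, str(rcode)), "ancount": an,
            "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010)}

def classify(plain, with_do, with_do_cd):
    """Interpret three rcodes obtained for a name whose RRSIG is known to be bad."""
    if with_do == "SERVFAIL" and with_do_cd == "NOERROR":
        return "validates always" if plain == "SERVFAIL" else "validates only when DO=1"
    if plain == with_do == "NOERROR":
        return "does not validate"
    return "inconclusive"

def probe(server, name, timeout=3.0):
    """Send the three queries over UDP and classify the resolver (needs network access)."""
    rcodes = []
    for do, cd in ((False, False), (True, False), (True, True)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, do=do, cd=cd), (server, 53))
            rcodes.append(parse_header(s.recvfrom(4096)[0])["rcode"])
    return classify(*rcodes)

# Constructed sample: the 12-byte header equivalent to the dig output quoted above
SAMPLE_HEADER = struct.pack("!HHHHHH", 63408, 0x8190, 1, 2, 0, 1)
```
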
