Hi Leen,

On 05/20/2015 12:32 PM, Leen Besselink wrote:
>> # these failed:
>> dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
>> dig @ns1.desec.io +dnssec +norec desec.io A
>>
>> Here is a working example with an RRSIG for the DNSKEY query:
[...]
> As we can see, no RRSIG-record on your domain, my guess would be the
> transferred domain isn't properly signed before it's transferred:
>
> $ dig +dnssec +norec @ns1.desec.io desec.io DNSKEY
[...]
> I would try the same query on the hidden master first.

I did try that, and when I query the hidden master, in fact I do get the
RRSIG records for free. Why is that not the case for the slaves?

I made the hidden master available at desec.io temporarily -- so, compare

dig +dnssec +norec @desec.io desec.io A
dig +dnssec +norec @ns1.desec.io desec.io A

This really confuses me.

Best,
Peter
