Hi. My bind v980-p1 svr is DNSSEC-enabled, and signed zones are publishing as DNSSEC-valid.
I've both internal and external views:
-- internal is authoritative and provides recursion for LAN clients
-- external serves only as an authoritative hidden-primary feeding slaves via AXFR.
All good.

If I enable DNSSEC validation in the internal view, having imported the trusted key for the root, for known-good domains a 'dig domain.com' returns DATA as expected, e.g.,

dig pir.org | egrep "IN.*A|;; flags"
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;pir.org. IN A
pir.org. 75 IN A 173.201.238.128

dig pir.org +dnssec | egrep "IN.*A|;; flags"
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
;pir.org. IN A
pir.org. 95 IN A 173.201.238.128
pir.org. 95 IN RRSIG A 5 2 300 20110523085011 20110509085011 38939 pir.org. LLK3y1HXm3/F3Tvq/b/cW4jnQC6gxtYlalPhM28w3tUzo2wS482vaWQr RF1DBvGTUD4uADNidjaftjkch7b2H1b+e5V4o0xQml/WpqCW/VqgLgxI g/yIg9WhP1Ec8uvWG2Ojy0ZIM0JKBBfFFlIxZVYqCyrY8WittyUOFlwo O48=
pir.org. 95 IN RRSIG NS 5 2 300 20110523085011 20110509085011 38939 pir.org. yUKJARGNwBWKFTi1V1nU5x38vcQrYPSn86G5MzjyMBjUWwZ3zZ4E+OMz P8svjTEdwKd6ibQGAp7aVEcqE3ruCnioqaXCZJsjT6YCaTpIjUMmRvpj tZUByl11+aqfcJuvfTNOo2PFtzRDv46vAlbZFf74fAK4AwNQa42OZlZC WVc=

For known-bad domains 'dig domain.com' hesitates for a bit, then returns SERVFAIL -- no DATA.

dig www.adobe.com

; <<>> DiG 9.8.0-P1 <<>> www.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26024
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.adobe.com. IN A

;; Query time: 2948 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Mon May 9 12:21:28 2011
;; MSG SIZE rcvd: 31

My understanding was that a 'dig domain.com +dnssec' on a known-bad domain would return DATA without the SERVFAIL, but it returns the same.
e.g.,

dig www.adobe.com +dnssec

; <<>> DiG 9.8.0-P1 <<>> www.adobe.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4667
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.adobe.com. IN A

;; Query time: 69 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Mon May 9 12:21:32 2011
;; MSG SIZE rcvd: 42

Shouldn't the "+dnssec" case for known-bad be returning DATA?

Also, I'm unclear about the proper use for validation. I *want* to validate, but have the DATA nonetheless returned, with appropriate FLAGS so that, e.g., Firefox + DNSSEC-extension can (1) resolve the domain, and (2) 'report' the DNSSEC state in-browser. The way things are working now, with validation enabled and NO DATA returned, domains simply don't resolve at all -- and, of course, the browser displays a failure. Is my expected usage _not_ appropriate?

Thanks,

DCh

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
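The behaviour asked about above can be checked mechanically from dig's header lines. What follows is an added example, not code from the post or from BIND: a small parser for dig's `status:`, `;; flags:` and `; EDNS:` lines, plus a classifier that applies the rules a validating resolver follows. `+dnssec` only asks for RRSIGs in the answer and sets the DO bit; it does not switch validation off, so a bogus name still gets SERVFAIL. The flag that does switch validation off for one query is CD (`dig +cd`), which makes the resolver hand back whatever it fetched, unvalidated; comparing a plain query with a `+cd` query therefore separates "bogus" (data exists, validator rejected it) from "unreachable" (nothing to validate). The `ad` flag appears only on answers the resolver validated, and BIND 9.8 sets it only when the client asked with DO or AD, which is why the plain `dig pir.org` above shows no `ad` while `dig pir.org +dnssec` does. The sample responses are constructed from the post's output; the NOERROR header for pir.org, the id values and the `+cd` response for www.adobe.com are assumptions, since the post does not show them.

```python
"""Classify dig responses from a validating resolver (added example).

Rules applied:
  NOERROR + ad                    -> secure      (chain validated to the trust anchor)
  NOERROR, DO set, no ad          -> unvalidated (zone unsigned, or resolver not validating)
  NOERROR, DO not set             -> unknown     (BIND 9.8 sets ad only if the client sent DO/AD)
  SERVFAIL, +cd query has data    -> bogus       (data exists, validation rejected it)
  SERVFAIL, +cd query also fails  -> unreachable (resolution problem, not a DNSSEC one)
"""
import re

# --- constructed samples, based on the post's dig output ---------------------
# pir.org without +dnssec: NOERROR header line assumed (egrep in the post hid it).
PLAIN_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
"""
# pir.org with +dnssec: ad flag from the post, EDNS line assumed.
SECURE_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""
# www.adobe.com with +dnssec: verbatim header lines from the post.
BOGUS_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4667
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""
# Hypothetical `dig www.adobe.com +dnssec +cd` response: the post does not show
# one, so this is an assumption of what a checking-disabled query would return.
CD_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+)")
EDNS_RE = re.compile(r"; EDNS: version: \d+, flags: ([a-z ]*);")


def parse_dig(output):
    """Extract rcode, header flags, answer count and EDNS flags from dig output."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if not status or not flags:
        raise ValueError("not a dig response header")
    edns = EDNS_RE.search(output)
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()),
        "answers": int(flags.group(3)),
        # 'do' here means the query carried the DO bit (dig +dnssec).
        "edns_flags": set(edns.group(1).split()) if edns else set(),
    }


def dnssec_state(resp, cd_resp=None):
    """Classify a parsed response; cd_resp is the same query repeated with +cd."""
    if resp["status"] == "NOERROR":
        if "ad" in resp["flags"]:
            return "secure"
        if "do" in resp["edns_flags"]:
            return "unvalidated"
        return "unknown"  # resolver was never asked to signal validation
    if resp["status"] == "SERVFAIL":
        if cd_resp is None:
            return "servfail"  # cannot tell bogus from unreachable without +cd
        if cd_resp["status"] == "NOERROR" and cd_resp["answers"] > 0:
            return "bogus"
        return "unreachable"
    return resp["status"].lower()


if __name__ == "__main__":
    print("pir.org (plain):    ", dnssec_state(parse_dig(PLAIN_SAMPLE)))
    print("pir.org (+dnssec):  ", dnssec_state(parse_dig(SECURE_SAMPLE)))
    print("adobe (+dnssec):    ", dnssec_state(parse_dig(BOGUS_SAMPLE)))
    print("adobe (+dnssec, +cd):",
          dnssec_state(parse_dig(BOGUS_SAMPLE), parse_dig(CD_SAMPLE)))
```

The "unvalidated" bucket deliberately covers two situations that look identical on the wire: an unsigned zone under a validating resolver, and any zone under a resolver that is not validating at all. Telling them apart needs a name known to be signed and validatable (pir.org in the post serves that role); if even that one comes back without `ad`, validation is not actually on.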