Re: Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Mark Andrews
There is no DS record for ise.gov so there is no chain of trust and the answer is treated as insecure. Note "ad" is *not* set in flags of your query.

; <<>> DiG 9.11.0pre-alpha <<>> ds ise.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45170
;; fla

Re: Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Simon Waters
On 21 May 2014, at 13:01, Stephane Bortzmeyer wrote:

> Probably because there is no DS record for ise.gov, which prevents the
> validator to try.

Thanks, and indeed no DS in .gov, knew I was missing something basic.

Re: Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Stephane Bortzmeyer
On Wed, May 21, 2014 at 12:56:32PM +0100, Simon Waters wrote a message of 58 lines which said:

> BIND 9 logs report: RRSIG has expired for "www.ise.gov"

Indeed.

www.ise.gov. 43200 IN RRSIG CNAME 5 3 43200 ( 20140513120652 20140413120652

Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Simon Waters
Dear Bind Users,

BIND 9 logs report: RRSIG has expired for "www.ise.gov"
And "no valid signature found" for "ise.gov A".

Yet I can still resolve and visit the website http://ise.gov/

DNS recursive server has:

dnssec-validation yes;
dnssec-enable yes;
dnssec-accept-expired