Re: ad flag for RRSIG queries

2010-07-14 Thread Marco Davids (SIDN)
On 07/14/10 00:43, Doug Barton wrote: Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org I use BIND 9.7.0rc1, configured to work with the IANA testbed. I'd be interested to see what happens if you upgrade to the latest versions in each

Re: ad flag for RRSIG queries

2010-07-14 Thread Chris Thompson
On Jul 13 2010, Doug Barton wrote: On Tue, 13 Jul 2010, Marco Davids (SIDN) wrote: Hi, Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What version of BIND are you

Re: ad flag for RRSIG queries

2010-07-14 Thread Tony Finch
On Wed, 14 Jul 2010, Chris Thompson wrote: With 9.7.1-P1 (and a trust anchor for dlv.isc.org) on a local workstation dig +dnssec -t RRSIG www.forfunsec.org @127.0.0.1 initially times out. But after doing dig +dnssec -t ANY www.forfunsec.org @127.0.0.1 the same command reports the three

Re: ad flag for RRSIG queries

2010-07-14 Thread Kalman Feher
Using the ORG trust anchor from the ITAR yields the following result on 9.7.1 (no P1 patch). No initial time out. # dig +dnssec -t RRSIG www.forfunsec.org ; DiG 9.7.1 +dnssec -t RRSIG www.forfunsec.org ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ; EDNS: version: 0,

Re: ad flag for RRSIG queries

2010-07-14 Thread Casey Deccio
I think the issue here is that the authenticity of an RRSIG RR doesn't really make sense without the RRset it covers, and RRSIG themselves are not signed (RFC 4035 section 2.2). The RRSIGs returned by the cache are there initially because they exist (as well as the RRsets they cover), but not

ad flag for RRSIG queries

2010-07-13 Thread Marco Davids (SIDN)
Hi, Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org How does a validating resolver determine that such an answer is secure? Thank you. -- Marco Davids

Re: ad flag for RRSIG queries

2010-07-13 Thread Doug Barton
On Tue, 13 Jul 2010, Marco Davids (SIDN) wrote: Hi, Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What version of BIND are you using? Doug -- Improve

Re: ad flag for RRSIG queries

2010-07-13 Thread Doug Barton
On Wed, 14 Jul 2010, Marco Davids (SIDN) wrote: On 07/13/10 23:58, Doug Barton wrote: Can anyone explain to me why the 'ad'-flag is set for this query? dig +dnssec -t RRSIG www.forfunsec.org I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What version of BIND are you