Re: 9.9.0rc1: example from arm 4.8.3 does not validate
On 18.01.2012 at 23:54, Evan Hunt wrote:

>> I tried the example from page 23 with a local zone, a trusted key and
>> inline-signing, like:
>> [...]
>> But I'm getting no ad-flag:
>
> That's normal; authoritative servers don't set the AD bit, validating
> resolvers do. (There's not much point in having an authoritative server
> validate its own answers.)

Can dig tell me if the sigs are valid if I provide my trusted key?
Or do I need a 2nd (validating) ns?

Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: 9.9.0rc1: example from arm 4.8.3 does not validate
On Thu, 19 Jan 2012, Axel Rau wrote:

> On 18.01.2012 at 23:54, Evan Hunt wrote:
>
>>> I tried the example from page 23 with a local zone, a trusted key and
>>> inline-signing, like:
>>> [...]
>>> But I'm getting no ad-flag:
>>
>> That's normal; authoritative servers don't set the AD bit, validating
>> resolvers do. (There's not much point in having an authoritative server
>> validate its own answers.)
>
> Can dig tell me if the sigs are valid if I provide my trusted key?
> Or do I need a 2nd (validating) ns?
>
> Axel

One needs to ask a non-authoritative validating server. For checking our
publicly available DNSSEC signed site, I use the available recursing
validating oarc server.

dig +dnssec @bind.odvr.dns-oarc.net maplepark.com

and get the flags returned in a crontab script that checks it daily for
the ad flag.

Dave
--
David Forrest          e-mail drf @ maplepark.com
Maple Park Development Corporation
http://xen.maplepark.com
St. Louis, Missouri
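Dave's daily crontab check, written out as an added example (this is not his script and not anything from ISC or BIND): it runs dig +dnssec against a validating resolver and tests the header flags line for "ad". The resolver defaults to bind.odvr.dns-oarc.net from his message; the default zone example.com is a placeholder; the two SAMPLE_* header blocks are constructed, not captured output, and exist only to exercise the parsing functions offline. The second sample carries the aa flag without ad, which is the shape of an answer from an authoritative server, as Evan and Jeff describe.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a validating resolver
# returns the AD (Authenticated Data) flag for a zone, in the spirit of
# Dave Forrest's daily crontab check. Resolver and zone are assumed defaults.

# has_ad_flag: read dig output on stdin; return 0 if the header flags line
# contains "ad", 1 otherwise.  dig prints e.g.
#   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
has_ad_flag() {
    grep -E '^;; flags:[^;]* ad[ ;]' >/dev/null 2>&1
}

# rcode_of: extract the RCODE (NOERROR, SERVFAIL, ...) from dig output on stdin.
# A validating resolver that fails validation answers SERVFAIL, so this is
# worth reporting alongside the flag.
rcode_of() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# check_zone RESOLVER ZONE: query the resolver with DNSSEC and report whether
# the answer was validated. Exit status: 0 validated, 1 not validated, 2 dig failed.
check_zone() {
    resolver="${1:-bind.odvr.dns-oarc.net}"   # from Dave's message
    zone="${2:-example.com}"                  # placeholder default
    out=$(dig +dnssec "@$resolver" "$zone" SOA) || { echo "dig failed"; return 2; }
    status=$(printf '%s\n' "$out" | rcode_of)
    if printf '%s\n' "$out" | has_ad_flag; then
        echo "$zone via $resolver: validated (AD set, status $status)"
        return 0
    fi
    echo "$zone via $resolver: NOT validated (AD missing, status $status)"
    return 1
}

# Constructed sample header lines (not real captured output) to exercise the parsers.
# A validating recursive resolver: rd ra ad.
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
# An authoritative server answering directly: aa, but no ad.
SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Run a live check only when invoked as: sh adcheck.sh --check RESOLVER ZONE
if [ "${1:-}" = "--check" ]; then
    check_zone "${2:-}" "${3:-}"
fi
```

From cron, a non-zero exit from check_zone is what to alert on; the SERVFAIL status in the message distinguishes "the resolver refused to validate" from "the resolver answered but did not set AD".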
Re: 9.9.0rc1: example from arm 4.8.3 does not validate
> I tried the example from page 23 with a local zone, a trusted key and
> inline-signing, like:
> [...]
> But I'm getting no ad-flag:

That's normal; authoritative servers don't set the AD bit, validating
resolvers do. (There's not much point in having an authoritative server
validate its own answers.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
RE: 9.9.0rc1: example from arm 4.8.3 does not validate
> I tried the example from page 23 with a local zone, a trusted key and
> inline-signing, ...
> But I'm getting no ad-flag

I think that is expected behavior when you query an authoritative server
directly. For example, our authoritative server:

dig @ns1.countryday.net countryday.net dnskey +dnssec

also returns no ad flag, but if you run the same query from a DNSSEC-enabled
recursive resolver, you will get an ad flag.

Regards, Jeff

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School