Erik Lotspeich wrote:
> I have registered with the ISC's DLV registry. I am
> having trouble finding the best way for me to validate that my setup is
> working and that my zone validates.

dlv.isc.org doesn't list your keys yet. It can take a day or two for DLV records to appear after your DNSKEY and cookie records have been checked. If you just added the zone to dlv.isc.org and it still shows a "pending validation" state, try "request re-check" in the DNSKEY Details section to force immediate validation.

Once your DLV record shows up, you may query external validating resolvers and see if they set the AD flag in response. OARC operates resolvers validating against dlv.isc.org. See their website at: https://www.dns-oarc.net/oarc/services/odvr

    dig +adflag lotspeich.org @149.20.64.20
    dig +adflag lotspeich.org @149.20.64.21

A successful validation should look like this:

    [...]
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6841
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    [...]              ^^

Future reference: Once .org completes their testing phase *and* your registrar allows you to register DS records for your domain, queries should also return AD when validated against the ITAR trust anchor repository (at https://itar.iana.org/):

    dig +adflag lotspeich.org @149.20.64.22

I also run a somewhat-public resolver using the dnssec.iks-jena.de DLV (http://www.iks-jena.de/leistungen/dnssec.php):

    dig +adflag lotspeich.org @85.10.240.255

Hauke.
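
The AD-flag check described in the message above, as an added example that is not part of the original post: a shell function that reads dig output and classifies the response from its header. The function names and the two variant samples are assumptions made for illustration; the first sample is the header quoted in the message.

```shell
#!/bin/sh
# Classify a dig response read on stdin; prints one word on stdout.
dnssec_verdict() {
    awk '
        /^;; ->>HEADER<<-/ {
            # e.g. ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6841"
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            # Keep only the text between "flags:" and the first ";" so that
            # words such as ADDITIONAL later on the line are never matched.
            line = $0
            sub(/^;; flags:/, "", line)
            sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
            seen = 1
        }
        END {
            if (!seen || status == "") print "no-header"
            # A validating resolver answers SERVFAIL when validation fails,
            # but SERVFAIL has other causes too, so it is reported as is.
            else if (status == "SERVFAIL") print "servfail"
            else if (status != "NOERROR") print "other:" status
            else if (ad) print "validated"
            else print "unvalidated"
        }'
}

# Live use (needs network): check_resolver lotspeich.org 149.20.64.20
check_resolver() {
    dig +adflag "$1" "@$2" | dnssec_verdict
}

# Header from the message above (ad set), then two constructed variants.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6841
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6842
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6843
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
```

An "unvalidated" result from a resolver that is known to validate means the answer was accepted without a chain of trust, which is what a zone looks like before its DLV record is published.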