Hi Hauke,

I now get the AD flag when querying external validating resolvers such as the ones you mention.

I believe that my BIND is configured properly to be a validating resolver as well:

# dig +adflag @ns.lotspeich.org. isc.org.

; <<>> DiG 9.6.1 <<>> +adflag @ns.lotspeich.org. isc.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62029
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
[snip]

Is it normal that a validating resolver can't validate a domain it is authoritative for?

# dig +adflag @ns.lotspeich.org. lotspeich.org.

; <<>> DiG 9.6.1 <<>> +adflag @ns.lotspeich.org. lotspeich.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1087
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
[snip]

I don't get the AD flag here.

Thanks again,

Erik.

Hauke Lampe wrote:
> Erik Lotspeich wrote:
>
>> I have registered with the ISC's DLV registry. I am
>> having trouble finding the best way for me to validate that my setup is
>> working and that my zone validates.
>
> dlv.isc.org doesn't list your keys yet. It can take a day or two for DLV
> records to appear after your DNSKEY and cookie records have been
> checked. If you just added the zone to dlv.isc.org and it still shows a
> "pending validation" state, try "request re-check" in the DNSKEY Details
> section to force immediate validation.
>
> Once your DLV record shows up, you may query external validating
> resolvers and see if they set the AD flag in response. OARC operates
> resolvers validating against dlv.isc.org. See their website at:
> https://www.dns-oarc.net/oarc/services/odvr
>
> dig +adflag lotspeich.org @149.20.64.20
> dig +adflag lotspeich.org @149.20.64.21
>
> A successful validation should look like this:
> [...]
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6841
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> [...]              ^^
>
> Future reference: Once .org completes their testing phase *and* your
> registrar allows you to register DS records for your domain, queries
> should also return AD when validated against the ITAR trust anchor
> repository (at https://itar.iana.org/):
>
> dig +adflag lotspeich.org @149.20.64.22
>
> I also run a somewhat-public resolver using the dnssec.iks-jena.de DLV
> (http://www.iks-jena.de/leistungen/dnssec.php):
>
> dig +adflag lotspeich.org @85.10.240.255
>
>
>
> Hauke.
>
>
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
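
Added example, not part of the original thread: a small Python check that reads the header lines of dig output like the samples quoted above and reports whether the server set AD (it claims to have validated the answer), set only AA (it answered from its own zone data), or returned SERVFAIL. The function names and result labels are hypothetical, and the SERVFAIL sample is constructed.

```python
import re

# Header lines copied from the dig output quoted in the thread, plus one
# constructed SERVFAIL sample that does not appear in the thread.
SAMPLES = {
    "isc.org via ns.lotspeich.org": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62029\n"
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4\n"),
    "lotspeich.org via ns.lotspeich.org": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1087\n"
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1\n"),
    "constructed failure": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n"),
}

STATUS_RE = re.compile(r"^;; ->>HEADER<<- .*status: ([A-Z]+),", re.M)
FLAGS_RE = re.compile(r"^;; flags:([a-z ]*);", re.M)


def parse_header(dig_output):
    """Return (status, set_of_flags) from dig's two header lines."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if not status or not flags:
        raise ValueError("dig header lines not found")
    return status.group(1), set(flags.group(1).split())


def classify(dig_output):
    """Map a dig response header to one of four hypothetical labels."""
    status, flags = parse_header(dig_output)
    if status == "SERVFAIL":
        return "servfail"        # what a validating resolver returns when validation fails
    if "ad" in flags:
        return "validated"       # the server asserts the answer is authenticated
    if "aa" in flags:
        return "authoritative"   # served from the server's own zone, AD not set
    return "unvalidated"         # recursive answer with no AD bit


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {classify(text)}")
```

The AD bit is only the answering server's assertion, so it carries weight only when the path to that resolver is itself trusted.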