Hi,
I am playing around with a signed zone which uses NSEC3. If I try to verify a
non-existing name or a non-existing type with the "sigchase" option, I get the
strange error:
;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED
I then checked it with the "org" TLD (which I assume to be properly signed), and
get the same result if I issue a "dig +sigchase +trusted-key=/tmp/trustedkeys
org txt" command. I checked that in both cases, the correct NSEC3 record was
returned by named.
I would have expected to get a "SUCCESS" also, i.e. that the negative answer
could have been validated so far. Did I miss anything? For zones using NSEC,
like "se", this seems to work. Is there no full support for NSEC3 in dig yet?
BTW: I am using 9.7.0b2 with openssl support and -DDIG_SIGCHASE flag.
Regards,
Klaus
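
An independent way to check which NSEC3 record matches or covers a queried name, given as an added example that is not part of the original post and is not BIND or dig code. The function names are hypothetical, and the sample hashes, salt and iteration count are constructed from the RFC 5155 Appendix A example zone, not from the zones mentioned above.

```python
import base64
import hashlib

# Map the standard base32 alphabet to the base32hex alphabet NSEC3 uses.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")

# Constructed sample: two (owner hash, next hash) pairs from the
# RFC 5155 Appendix A example zone (salt aabbccdd, 12 iterations).
SAMPLE_SALT, SAMPLE_ITERATIONS = "aabbccdd", 12
SAMPLE_RECORDS = [
    ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom", "2t7b4g4vsa5smi47k61mv5bv1a22bojr"),
    ("35mthgpgcu1qg68fab165klnsnk3dpvl", "B4UM86EGHHDS6NEA196SMVMLO4ORS995"),
]

def wire_name(name):
    """Canonical (lowercase) DNS wire format of an ASCII domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1), returned as lowercase base32hex."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)

def covers(owner_hash, next_hash, target_hash):
    """True if target lies strictly between owner and next in hash order."""
    if owner_hash < next_hash:
        return owner_hash < target_hash < next_hash
    # Last record of the chain: its interval wraps around to the first owner.
    return target_hash > owner_hash or target_hash < next_hash

def classify(name, records, salt_hex, iterations):
    """Return ('match' | 'cover' | 'none', owner_hash) for name.
    'match': the name has an NSEC3 record, so a missing type is shown by
    its type bitmap. 'cover': the name's hash falls in a gap of the chain."""
    target = nsec3_hash(name, salt_hex, iterations)
    pairs = [(o.lower(), n.lower()) for o, n in records]  # dig prints uppercase
    for owner, _ in pairs:
        if owner == target:
            return "match", owner
    for owner, nxt in pairs:
        if covers(owner, nxt, target):
            return "cover", owner
    return "none", None
```

Feed it the first label of each NSEC3 owner name and the next-hashed-owner field from the authority section, together with the salt and iteration count shown in the same records.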