On Mon, Nov 09, 2009 at 04:47:02PM +0100, Klaus Malorny wrote:
> I would have expected to get a "SUCCESS" also, i.e. that the negative
> answer could have been validated so far. Did I miss anything? For zones
> using NSEC, like "se", this seems to work. Is there no full support for
> NSEC3 in dig yet?

Unfortunately, no. ISC didn't write the "dig +sigchase" code; it was contributed to us by the IDsA project, and we haven't done much to maintain it. It's somewhat buggy and fragile code, which is why it's #ifdef'd out. We've planned for years to overhaul or rewrite it, add NSEC3 and DLV support, and take out the #ifdef's, but so far that's always fallen to time and resource limits.

Until we do have a proper DNSSEC-aware dig, you might try "drill" from the Unbound project.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users