On 18.08.2010 14:31, Phil Mayers wrote:
> After a bit of investigation, it seems that the problem is a missing
> NSEC/NSEC3 record in the empty reply for:
>
> $ dig +dnssec @165.112.4.230 ncbi.nlm.nih.gov ds
>
> ...since the "ncbi" zone is an unsigned child zone, there needs to be an
> NSEC/NSEC3 record to prove the absence of the DS record, and have a
> secure delegation to an unsigned child zone.
I think the problem is already in the nlm.nih.gov zone. nih.gov contains DS records for nlm.nih.gov, but the zone itself is not signed.

dig +dnssec nlm.nih.gov ds @ns.nih.gov.  -> signed DS records
dig +dnssec nlm.nih.gov soa @ns.nih.gov. -> unsigned response

Validating resolvers thus reject the unsigned answer:
"nlm.nih.gov SOA: got insecure response; parent indicates it should be secure"

According to the SOA, nlmdnshostmas...@mail.nih.gov is the appropriate contact address. I'll put them in Cc.

Hauke.
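The two dig checks above can be turned into a small offline diagnosis: parse the ANSWER sections, see whether the parent publishes a DS for the child and whether the child's own answer carries an RRSIG covering the queried type, and classify the delegation the way a validating resolver would. This is an added example, not code from the thread; the dig output is constructed and abbreviated (record names follow the mail, the DS digest, key tags and the SOA contact are placeholders).

```python
import re

# Constructed, abbreviated dig output. The parent (ns.nih.gov) answers the DS
# query with a signed DS RRset for nlm.nih.gov ...
PARENT_DS_RESPONSE = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
nlm.nih.gov.\t3600\tIN\tDS\t12345 7 1 0000000000000000000000000000000000000000
nlm.nih.gov.\t3600\tIN\tRRSIG\tDS 7 3 3600 20100901000000 20100818000000 11111 nih.gov. QUFB
"""
# ... but the child zone answers its own SOA with no RRSIG at all.
CHILD_SOA_RESPONSE = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
nlm.nih.gov.\t3600\tIN\tSOA\tns.nih.gov. hostmaster.example. 1 3600 900 604800 3600
"""

# owner  TTL  IN  TYPE  RDATA  (dig separates the fields with tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def answer_rrsets(dig_text):
    """Return {rrtype: [rdata, ...]} for the records in dig's ANSWER SECTION."""
    rrsets, in_answer = {}, False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer
            in_answer = False
        m = RR_RE.match(line) if in_answer else None
        if m:
            rrsets.setdefault(m.group(2), []).append(m.group(3))
    return rrsets


def delegation_state(parent_ds_text, child_text, qtype):
    """Classify the child zone as a validator would, from the two dig answers."""
    parent_has_ds = "DS" in answer_rrsets(parent_ds_text)
    child = answer_rrsets(child_text)
    # First RDATA token of an RRSIG is the type it covers.
    covered = {sig.split()[0] for sig in child.get("RRSIG", [])}
    child_signed = qtype in covered
    if parent_has_ds and child_signed:
        return "secure"
    if not parent_has_ds:
        return "insecure"  # no DS at the parent: child is unsigned by design
    return "bogus: got insecure response; parent indicates it should be secure"
```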
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users