No problem. We haven't enabled DNSSEC here yet. Man for dig says: "+[no]cdflag Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses."
Below are the digs with the +cdflag and +nocdflag:

dig +cdflag www.ncbi.nlm.nih.gov

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +cdflag www.ncbi.nlm.nih.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13903
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ncbi.nlm.nih.gov. IN A

;; ANSWER SECTION:
www.ncbi.nlm.nih.gov. 600 IN CNAME www.wip.ncbi.nlm.nih.gov.
www.wip.ncbi.nlm.nih.gov. 30 IN A 130.14.29.110

;; AUTHORITY SECTION:
wip.ncbi.nlm.nih.gov. 2059 IN NS gslb01.nlm.nih.gov.
wip.ncbi.nlm.nih.gov. 2059 IN NS gslb02.nlm.nih.gov.
wip.ncbi.nlm.nih.gov. 2059 IN NS gslb03.nlm.nih.gov.

;; Query time: 48 msec
;; SERVER: 10.0.4.99#53(10.0.4.99)
;; WHEN: Wed Aug 18 08:40:25 2010
;; MSG SIZE rcvd: 139

dig +nocdflag www.ncbi.nlm.nih.gov

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +nocdflag www.ncbi.nlm.nih.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30098
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ncbi.nlm.nih.gov. IN A

;; ANSWER SECTION:
www.ncbi.nlm.nih.gov. 597 IN CNAME www.wip.ncbi.nlm.nih.gov.
www.wip.ncbi.nlm.nih.gov. 27 IN A 130.14.29.110

;; Query time: 5 msec
;; SERVER: 10.0.4.99#53(10.0.4.99)
;; WHEN: Wed Aug 18 08:40:29 2010
;; MSG SIZE rcvd: 76

-----Original Message-----
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Wednesday, August 18, 2010 8:31 AM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: www.ncbi.nlm.nih.gov / pubmed

On 18/08/10 13:30, Phil Mayers wrote:
> On 18/08/10 13:15, Lightner, Jeff wrote:
>> It comes right up in Firefox but prompts for a username and password.
>
> Do you have DNSSEC validation enabled? Because as per my email, it's a
> DNSSEC problem.

Damn - in fact sorry, scratch that. I realise my original email said nothing of the sort! I blame the stress of moving house ;o)

>
> After a bit of investigation, it seems that the problem is a missing
> NSEC/NSEC3 record in the empty reply for:
>
> $ dig +dnssec @165.112.4.230 ncbi.nlm.nih.gov ds
>
> ...since the "ncbi" zone is an unsigned child zone, there needs to be an
> NSEC/NSEC3 record to prove the absence of the DS record, and have a
> secure delegation to an unsigned child zone.
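Added illustration, not part of the original thread or of BIND: the Python sketch below reads `dig +dnssec ... ds` text output and reports whether an empty DS reply carries an NSEC/NSEC3 record, the condition described in the quoted message. The zone names and records are constructed samples under `example.`, and the check only looks for the record's presence; it does not validate signatures or type bitmaps.

```python
import re

# Constructed sample reply in dig's text format (names under "example." are
# placeholders, RRSIG rdata is elided); not captured from a real server.
REPLY_WITH_PROOF = """\
;; QUESTION SECTION:
;child.example.        IN DS

;; AUTHORITY SECTION:
example.        3600 IN SOA   ns.example. host.example. 1 3600 600 86400 3600
example.        3600 IN RRSIG SOA 8 1 3600 (constructed)
child.example.  3600 IN NSEC  d.example. NS RRSIG NSEC
child.example.  3600 IN RRSIG NSEC 8 2 3600 (constructed)
"""
# Same reply with the NSEC and its RRSIG stripped: the failure in the thread.
REPLY_WITHOUT_PROOF = "\n".join(
    ln for ln in REPLY_WITH_PROOF.splitlines() if " NSEC" not in ln)


def rr_types_by_section(dig_text):
    """Map section name -> list of RR types seen in dig's text output."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif not line.strip():
            current = None                      # a blank line ends the section
        elif current and not line.startswith(";"):
            fields = line.split()               # name ttl class type rdata...
            if len(fields) >= 4:
                sections[current].append(fields[3])
    return sections


def classify_ds_reply(dig_text):
    """Classify a reply to a DS query sent with +dnssec (presence check only)."""
    sec = rr_types_by_section(dig_text)
    if "DS" in sec.get("ANSWER", []):
        return "signed-delegation"
    if any(t in ("NSEC", "NSEC3") for t in sec.get("AUTHORITY", [])):
        return "insecure-delegation-proven"
    # Empty DS answer with no denial-of-existence record: a validator cannot
    # tell an unsigned child from a stripped DS, so it treats the reply as bogus.
    return "ds-absence-unproven"


if __name__ == "__main__":
    for label, text in (("with NSEC", REPLY_WITH_PROOF),
                        ("without NSEC", REPLY_WITHOUT_PROOF)):
        print(label, "->", classify_ds_reply(text))
```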