On Mon, Apr 18, 2011 at 10:51:04AM -0700, John Williams wrote: > From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad > flag as expected. I don't see that flag when I query whitehouse.gov (w/ > +dnssec) and I know that zone is signed. > > Is anyone else seeing this behavior? Also, is there a link that > addresses troubleshooting or diagnosing DNSSEC based queries?
My guess is you're looking at www.whitehouse.gov, which is a CNAME to www.whitehouse.gov.edgesuite.net, which isn't signed, so the ad flag is unset. Try "dig +dnssec ns whitehouse.gov" and you should see the ad flag. (Anyway, it's working for me at the moment.) -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
