John Williams wrote:
> Is anyone else seeing this behavior? Also, is there a link that addresses
> troubleshooting or diagnosing DNSSEC based queries?

One minor issue: If I query a.gov-servers.net for the nameservers of whitehouse.org, it returns a list of 6. If I query any of these, they give me a list of 8 (the additional two being usw5.akam.net and usw6.akam.net).

But, to the original question: I get the AD flag when I query through my validating resolver:

[eivind@vimes ~]$ /usr/local/bin/dig +dnssec any whitehouse.gov @127.0.0.1

; <<>> DiG 9.8.0 <<>> +dnssec any whitehouse.gov @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18201
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 1
...etc...

If on the other hand I ask for www.whitehouse.gov, I get a CNAME outside of the zone, pointing to www.whitehouse.gov.edgesuite.net which is yet another CNAME pointing to a1128.h.akamai.net. Neither of these seem to be DNSSEC signed.

Regards
Eivind Olsen
eiv...@aminor.no
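
Added example, not part of the original post: how the "flags: qr rd ra ad" line in the dig output above maps onto the 12-byte DNS header, and how the DO bit that +dnssec requests is encoded in the query. The function names and the second (unsigned) sample header are constructed for illustration.

```python
import struct

# Header flag bits in dig's display order (RFC 1035; AD and CD per RFC 4035).
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=255, qid=0):
    """Build a query with RD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype 255 = ANY, class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0,
    # flags 0x8000 (DO), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the DNS header into the fields dig prints."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {"id": qid,
            "status": RCODES.get(rcode, str(rcode)),
            "flags": [name for name, bit in FLAG_BITS if flags & bit],
            "counts": (qd, an, ns, ar)}


def ad_set(msg):
    """True when the resolver marked the response as DNSSEC-validated."""
    return "ad" in parse_header(msg)["flags"]


# Constructed header carrying the values from the dig output in the post.
SIGNED = struct.pack("!6H", 18201, 0x81A0, 1, 26, 0, 1)
# Constructed header for an unvalidated answer: no AD bit; id and counts made up.
UNSIGNED = struct.pack("!6H", 4660, 0x8180, 1, 3, 0, 1)

if __name__ == "__main__":
    for label, msg in (("signed", SIGNED), ("unsigned", UNSIGNED)):
        h = parse_header(msg)
        print(label, h["status"], " ".join(h["flags"]), h["counts"], ad_set(msg))
```

The AD bit is the resolver's assertion, so it only means something when the path to that resolver is trusted, as with the 127.0.0.1 resolver queried in the post.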