On Mon, Apr 18, 2011 at 11:07 AM, Evan Hunt <e...@isc.org> wrote:

> On Mon, Apr 18, 2011 at 10:51:04AM -0700, John Williams wrote:
> > From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad
> > flag as expected. I don't see that flag when I query whitehouse.gov (w/
> > +dnssec) and I know that zone is signed.
> >
> > Is anyone else seeing this behavior? Also, is there a link that
> > addresses troubleshooting or diagnosing DNSSEC based queries?
>
> My guess is you're looking at www.whitehouse.gov, which is a CNAME to
> www.whitehouse.gov.edgesuite.net, which isn't signed, so the ad flag
> is unset. Try "dig +dnssec ns whitehouse.gov" and you should see
> the ad flag. (Anyway, it's working for me at the moment.)
>
> As far as DNSSEC troubleshooting tools,

This alias relationship is illustrated using DNSViz, an online analysis tool: http://dnsviz.net/d/www.whitehouse.gov/dnssec/ . Note that the www.whitehouse.gov RRset is "secure", but the name it aliases is "insecure" (no chain of trust). Thus, the resolver (as Evan mentioned) does not set the AD flag when queried for www.whitehouse.gov.
Casey
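Added example (not from the thread or from BIND): a small model of the AD decision Evan and Casey describe. A validating resolver sets AD only when every RRset in the answer is Secure (RFC 4035 section 3.2.3), so a Secure CNAME that points into an unsigned zone yields an answer without AD. The per-name validation states, the NS target and the IP address are constructed stand-ins, not live data.

```python
import struct

AD_BIT = 0x0020  # AD flag, bit 10 of the DNS header flags word

# Constructed validation cache keyed by owner name: (rrtype, status, rdata).
# Mirrors the DNSViz result in the thread: the CNAME at www.whitehouse.gov is
# Secure, the A record at the CDN target has no chain of trust (Insecure).
# The NS rdata and the 192.0.2.x address are placeholders (TEST-NET).
CONSTRUCTED_CACHE = {
    "www.whitehouse.gov.": ("CNAME", "secure", "www.whitehouse.gov.edgesuite.net."),
    "www.whitehouse.gov.edgesuite.net.": ("A", "insecure", "192.0.2.10"),
    "whitehouse.gov.": ("NS", "secure", "ns.placeholder.invalid."),
}


def follow_chain(qname, cache=CONSTRUCTED_CACHE, max_hops=8):
    """Return the (owner, rrtype, status) RRsets a resolver would place in the
    answer section for qname, following CNAMEs the way a resolver does."""
    answer, name = [], qname
    for _ in range(max_hops):
        rrtype, status, rdata = cache[name]
        answer.append((name, rrtype, status))
        if rrtype != "CNAME":
            return answer
        name = rdata  # keep walking the alias
    raise ValueError("CNAME chain too long")


def ad_flag(answer):
    """RFC 4035 3.2.3: AD only if every RRset in the answer validated Secure."""
    return all(status == "secure" for _, _, status in answer)


def build_response_header(answer, msg_id=0x1234):
    """Construct the 12-byte header a validating resolver would return:
    QR=1, RD=1, RA=1, plus AD when the whole answer is Secure."""
    flags = 0x8180 | (AD_BIT if ad_flag(answer) else 0)
    return struct.pack("!HHHHHH", msg_id, flags, 1, len(answer), 0, 0)


def ad_bit_from_header(header):
    """Read the AD bit from a DNS header (also usable on a captured packet)."""
    flags = struct.unpack("!H", header[2:4])[0]
    return bool(flags & AD_BIT)


if __name__ == "__main__":
    for q in ("www.whitehouse.gov.", "whitehouse.gov."):
        ans = follow_chain(q)
        print(q, [s for _, _, s in ans], "AD =", ad_bit_from_header(build_response_header(ans)))
```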
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users