On Mon, 18 Apr 2011, John Williams wrote:

Subject: DNSSEC, whitehouse, isc, and troubleshooting...

From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad flag 
as expected.  I don't see that flag when I query whitehouse.gov  (w/ +dnssec) 
and I know that zone is signed.

Is anyone else seeing this behavior?  Also, is there a link that addresses 
troubleshooting or diagnosing DNSSEC based queries?

works for me:

[paul@bofh ~]$ dig +dnssec whitehouse.gov

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14133
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;whitehouse.gov.                        IN      A

;; ANSWER SECTION:
whitehouse.gov.         20      IN      A       59.151.148.110
whitehouse.gov.         20      IN      RRSIG   A 7 2 20 20110420224012 
20110417214012 43676 whitehouse.gov. 
M3z/ZHkI07JM+CC25GFf3NZnO9nVddZ+qnGtqnx2pVUtV0AFRa+VX+TX 
G8qgWL49xNEQzce4vrf0CocEGoqgDf/x0R+qntMy2GmK7go06KrvNoLG 
pJW0grr9ZLx0k6uN8xRcSDlI/H9/SJyfCWPJq1pHJpDCsHTeiSXtEb0J gnU=

Note that www.whitehouse.gov is a CNAME into akamai that's unsigned, so you
don't get the AD bit when querying that, unless you specifically ask for
the CNAME:

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec -t cname www.whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29148
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.whitehouse.gov.            IN      CNAME

;; ANSWER SECTION:
www.whitehouse.gov.     3527    IN      CNAME   www.whitehouse.gov.edgesuite.net.
www.whitehouse.gov.     3527    IN      RRSIG   CNAME 7 3 3600 20110420224012 
20110417214012 43676 whitehouse.gov. 
n+pU7FVUMC3VvJ3yUQs7HrKCj6fQs4xTL9H35YvaSnKxc42GnoqfrbwM 
X1dRndkE9qBlD9PnEiu2mJDUgsz/8GDbZQ61/Bphdl/M+2533QwiAB9w 
dEj0AFRUTmkJFNZrUqM12YS84yvbArIv38OPvCxSGYSO21F4naxcla50 n5U=

Paul
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
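
As a troubleshooting aid for the case described in the reply above, the following added example (not part of the original thread) reads `dig +dnssec` output, reports the AD flag, and lists the answer RRsets that came back without a covering RRSIG, which is where a CNAME chain leaves the signed zone. The sample output, its names, address and signature data are constructed; a returned RRSIG only hints that the RRset is signed, since validation itself is done by the resolver.

```python
import re

# Constructed dig +dnssec output (names, TTLs, address and signature data are
# made up): a signed CNAME whose target sits in an unsigned zone.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.signed.example.            IN      A

;; ANSWER SECTION:
www.signed.example. 3527 IN CNAME www.signed.example.cdn.example.
www.signed.example. 3527 IN RRSIG CNAME 7 3 3600 20110420224012 20110417214012 43676 signed.example. c2lnbmF0dXJl
www.signed.example.cdn.example. 20 IN A 192.0.2.10
"""

def analyze(dig_output):
    """Return (ad_set, unsigned): the AD flag, plus the (owner, type) RRsets
    in the answer section that have no covering RRSIG."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    ad_set = bool(m) and "ad" in m.group(1).split()
    rrsets, covered, in_answer = [], set(), False
    for line in dig_output.splitlines():
        if line.startswith(";; "):          # section banner or header line
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        f = line.split()
        # Keep only "owner ttl IN type ..." lines; wrapped continuation
        # lines and comments do not match this shape and are skipped.
        if not in_answer or len(f) < 4 or f[2] != "IN":
            continue
        owner, rtype = f[0].lower(), f[3]
        if rtype == "RRSIG" and len(f) > 4:
            covered.add((owner, f[4]))      # f[4] is the type covered
        elif rtype != "RRSIG" and (owner, rtype) not in rrsets:
            rrsets.append((owner, rtype))
    return ad_set, [rr for rr in rrsets if rr not in covered]

def diagnose(dig_output):
    ad_set, unsigned = analyze(dig_output)
    if ad_set:
        return "AD set: resolver validated the answer and authority RRsets"
    if unsigned:
        names = ", ".join(f"{o} {t}" for o, t in unsigned)
        return f"AD clear: no RRSIG returned for {names}"
    return "AD clear although all RRsets carry RRSIGs: check the resolver"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```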
