On Apr 18 2011, Evan Hunt wrote:

> On Mon, Apr 18, 2011 at 10:51:04AM -0700, John Williams wrote:
>> From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad
>> flag as expected. I don't see that flag when I query whitehouse.gov (w/
>> +dnssec) and I know that zone is signed.
>>
>> Is anyone else seeing this behavior? Also, is there a link that
>> addresses troubleshooting or diagnosing DNSSEC based queries?
>
> My guess is you're looking at www.whitehouse.gov, which is a CNAME to
> www.whitehouse.gov.edgesuite.net, which isn't signed, so the ad flag
> is unset. Try "dig +dnssec ns whitehouse.gov" and you should see
> the ad flag. (Anyway, it's working for me at the moment.)

Or even "dig +dnssec cname www.whitehouse.gov". The CNAME is signed,
its target isn't.
--
Chris Thompson
Email: c...@cam.ac.uk
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
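
An added example, not part of the original thread: a small Python helper that reads `dig +dnssec` text output, walks the answer RRsets in order, and reports which link of a CNAME chain has no covering RRSIG, which is the situation described above for www.whitehouse.gov. The sample output, TTLs, address and RRSIG fields are constructed placeholders, and RRSIG presence is used only to locate the unsigned link; it is not a substitute for the resolver's validation.

```python
import re

# Constructed sample of `dig +dnssec www.whitehouse.gov` output. TTLs, the
# address and all RRSIG fields are placeholders, not captured data.
SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.whitehouse.gov.\t3600\tIN\tCNAME\twww.whitehouse.gov.edgesuite.net.
www.whitehouse.gov.\t3600\tIN\tRRSIG\tCNAME 7 3 3600 20110501000000 20110401000000 12345 whitehouse.gov. PLACEHOLDER=
www.whitehouse.gov.edgesuite.net. 900 IN A 192.0.2.10

;; Query time: 20 msec
"""

def parse_dig(text):
    """Return (header flags, answer records) from dig's text output."""
    m = re.search(r"^;; flags:([^;]*);", text, re.M)
    flags = set(m.group(1).split()) if m else set()
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            break  # end of the answer section
        elif in_answer:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((owner.lower(), rtype, rdata))
    return flags, records

def chain_report(text):
    """List each answer RRset with whether an RRSIG in the answer covers it."""
    flags, records = parse_dig(text)
    # An RRSIG's rdata begins with the record type it covers.
    covered = {(o, r.split()[0]) for o, t, r in records if t == "RRSIG"}
    links, seen = [], set()
    for owner, rtype, _rdata in records:
        if rtype != "RRSIG" and (owner, rtype) not in seen:
            seen.add((owner, rtype))
            links.append((owner, rtype, (owner, rtype) in covered))
    unsigned = [(o, t) for o, t, signed in links if not signed]
    return {"ad": "ad" in flags, "links": links, "unsigned": unsigned}

if __name__ == "__main__":
    report = chain_report(SAMPLE)
    print("ad flag set:", report["ad"])
    for owner, rtype, signed in report["links"]:
        print(f"{owner} {rtype}: {'RRSIG present' if signed else 'no RRSIG'}")
```
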