It is working.

------------------------------------------
$ dig test.nknsec.in +dnssec

; <<>> DiG 9.8.1 <<>> test.nknsec.in +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4578
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test.nknsec.in. IN A

;; ANSWER SECTION:
test.nknsec.in. 352 IN A 10.1.27.25
test.nknsec.in. 352 IN RRSIG A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in. DcLPb3hVDqal64UQe3Vk4NjbMRwSSWHNy4r/Bk42M2WQLZYBt9p7NpIT 6g1AVdP2vyFs2q4CbA/QLUMeVWptvHBNZcA8/M4DpW5GpsOmC3SeZe01 lCUzbANN/+NNg/PwHsPhLUOEatmjZxfrU3lGpxXFF527ohzxXatZdX48 lsM=

;; AUTHORITY SECTION:
test.nknsec.in. 349 IN NS ns1.nknsec.in.
test.nknsec.in. 349 IN RRSIG NS 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in. ZOVyGZh6gPB7zT9ZniOy/+NQ +fwP00b4KagDQ1F9kCwiNjGrSxjmGQQg VD7R8LM6R4di1BBg8ayWtLQi7dVQdhmB942zy4BH/IYSMkWOf+WtILlx YAD64F1NoJ4GXKRH7t01fYQRMoOtr2Teuok0KdUctAQNYBOjw280RwkY h9Y=

;; Query time: 3 msec
;; SERVER: 160.124.48.16#53(160.124.48.16)
;; WHEN: Wed Jan 11 08:46:34 2012
;; MSG SIZE rcvd: 425
-----------------------------------------

You need a recursive resolver set up to do DNSSEC, including 'lookaside' for the DLV checking. You CAN NOT just use one of the nameservers that the domain uses. You need to ask that resolver. The resolver handling the zone (ns1.nknsec.in) will not set the 'ad' bit (assumption being there is no special configurations like views or multiple resolvers - etc) when directly asked.

I wrote a guide on how to do this - http://dnssec.co.za/ - some time ago. It should be still valid. On the Linux Gentoo distribution, BIND is almost installed like this by default - except for the 'dlv' portion. I expect other distributions are similar?

I'll ignore issues like there is only one NS record for this and the parent (nknsec.in) - ".IN" allows this ????

You should also be able to make the zone at the 'nknsec.in' level secure from that point onwards as well.

On Wed, 2012-01-11 at 10:45 +0530, Gaurav kansal wrote:
> Dear All,
>
> I had purchased a new domain especially for DNSSEC testing.
>
> But when I ask my registry to insert my DS keys in .in zone file, I
> got the answer that .in is still not ready for this although .in is
> signed.
>
> I tried to authenticate my domain through ISC dlv.
>
> I upload my DS key there and it is showing a “GOOD” status for my
> domain but still I am not getting “ad” parameter in my dig answer.
>
> Anyone please explain what I have to do next so that I can give
> authenticated answer for test.nknsec.in domain.
>
> Zone List
> (add a zone)
>
> Zone Name        Status   DNSKEYs   Zone Actions
> test.nknsec.in   Good     1 (add)   (details) (delete)
>
> Copyright © 2010 by Internet Systems Consortium.
>
> Please don't print this e-mail until & unless you really need, it will
> save Trees on Planet Earth.
>
> IPv4 is Over,
> Are you ready for new Network.
>
> Thanks n Regards,
> GAURAV KANSAL
> 9910118448
> VoIP - 6259
> Operation And Routing Unit
> NIC , NEW DELHI
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
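
Added example, not part of the original message: a small Python check that reads dig output like the response quoted above and reports whether the answer came back validated ('ad'), or came from the zone's own server ('aa'), where 'ad' is not expected. The function name `check_dig`, the verdict labels and the trimmed sample are assumptions made for this illustration, and the WHEN timestamp is treated as UTC.

```python
from datetime import datetime, timezone
import re

# Constructed sample: header, EDNS and RRSIG fields as in the dig output quoted
# in the message, with the base64 signature replaced by a placeholder.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4578
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
test.nknsec.in. 352 IN A 10.1.27.25
test.nknsec.in. 352 IN RRSIG A 5 3 360 20120204072952 20120105072952 16755 test.nknsec.in. PLACEHOLDERSIG=
"""

def _ts(value):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_dig(text, now):
    """Summarise the DNSSEC-relevant parts of one dig response (hypothetical helper)."""
    hdr = re.search(r"^;; flags:([^;]*);", text, re.M)
    flags = set(hdr.group(1).split()) if hdr else set()
    edns = re.search(r"^; EDNS:.*flags:([^;]*);", text, re.M)
    rrsigs = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl IN RRSIG covered alg labels origttl expire incept tag signer sig...
        if len(f) >= 12 and not line.startswith(";") and f[2:4] == ["IN", "RRSIG"]:
            rrsigs.append({"covered": f[4], "key_tag": int(f[10]), "signer": f[11],
                           "in_window": _ts(f[9]) <= now <= _ts(f[8])})
    if "ad" in flags:
        verdict = "validated"        # the resolver checked the chain of trust
    elif "aa" in flags:
        verdict = "authoritative"    # zone's own server answered: AD is not expected
    elif "ra" in flags:
        verdict = "not-validated"    # recursive resolver answered without validating
    else:
        verdict = "no-recursion"     # server offered neither recursion nor authority
    return {"verdict": verdict,
            "do": bool(edns and "do" in edns.group(1).split()),
            "rrsigs": rrsigs}

if __name__ == "__main__":
    when = datetime(2012, 1, 11, 8, 46, 34, tzinfo=timezone.utc)
    print(check_dig(SAMPLE, when))
```

A verdict of "authoritative" means the query went to a server for the zone itself, so it should be repeated against the validating recursive resolver.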