On Wed, Jul 17, 2013 at 10:58 AM, Bill Owens <ow...@nysernet.org> wrote:
> This is one of the weirder ones I've seen. . . there are TXT and MX records
> for ic.fbi.gov, both correctly signed:
>
> ...
> However, that NSEC3 record is not signed.
FWIW, DNSViz checks the chain of trust for authenticated denial-of-existence, but it doesn't display it by default. If you select "denial of existence" from the "DNSSEC options" then you see some errors on the left (maybe we could have it shown by default if there are errors).

http://dnsviz.net/d/ic.fbi.gov/Ueea1Q/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=

However, it seems the graph is missing the corresponding red, dashed arrows that are usually used to show when *some* servers are missing RRSIGs--that will need to be looked into. Because two of the servers are returning RRSIGs for NSEC3, it does show arrows on the authentication chain. The rest, however, are certainly lacking RRSIGs:

http://dnsviz.net/d/fbi.gov/UeeFmQ/servers/

Cheers,
Casey

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
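The per-server check the thread is about (does each NSEC3 record in a server's NXDOMAIN response carry an RRSIG covering NSEC3, or is the server handing out unsigned denial?), as an added example that is not code from the thread or from DNSViz: a minimal DNS wire-format parser run over a constructed response. The response bytes, owner labels and placeholder rdata are made up for the example; only the type-covered field of each RRSIG is inspected.

```python
import struct

def _encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def _read_name(msg, off):
    """Decode a (possibly compressed) owner name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = ((l & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if l == 0: break
        labels.append(msg[off:off + l].decode("ascii").lower()); off += l
    return ".".join(labels) + ".", (end if end is not None else off)

def _read_rr(msg, off):
    """Parse one RR; return ((owner, type, rdata), offset after it)."""
    name, off = _read_name(msg, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
    return (name, rtype, msg[off:off + rdlen]), off + rdlen

def unsigned_nsec3_owners(msg):
    """Owners of NSEC3 RRs (type 50) in the answer/authority sections that have no
    RRSIG (type 46) at the same owner whose type-covered field is NSEC3."""
    qd, an, ns, _ = struct.unpack("!HHHH", msg[4:12]); off = 12
    for _ in range(qd): _, off = _read_name(msg, off); off += 4   # skip question section
    rrs = []
    for _ in range(an + ns): rr, off = _read_rr(msg, off); rrs.append(rr)
    nsec3 = {n for n, t, _ in rrs if t == 50}
    signed = {n for n, t, rd in rrs if t == 46 and struct.unpack("!H", rd[:2])[0] == 50}
    return sorted(nsec3 - signed)

def build_sample():
    """Constructed NXDOMAIN response (not real data): two NSEC3 RRs, only one signed."""
    def rr(name, rtype, rdata):
        return name + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8583, 1, 0, 5, 0)   # QR AA RD RA, RCODE=3, 5 authority RRs
    q = _encode_name("nonexistent.fbi.gov") + struct.pack("!HH", 1, 1)
    zone = b"\xc0\x18"                            # pointer to "fbi.gov" at offset 24 in the question
    rrsig = lambda covered: struct.pack("!H", covered) + b"\x00" * 16  # placeholder RRSIG rdata
    nsec3 = b"\x01\x00\x00\x00\x00\x00"           # placeholder NSEC3 rdata
    auth = (rr(zone, 6, b"\x00" * 22) + rr(zone, 46, rrsig(6))            # SOA + RRSIG(SOA)
            + rr(b"\x08signed01" + zone, 50, nsec3) + rr(b"\x08signed01" + zone, 46, rrsig(50))
            + rr(b"\x08nosig001" + zone, 50, nsec3))                    # NSEC3 with no RRSIG
    return hdr + q + auth
```

Against live servers you would send the same query with the DO bit set to each authoritative address and run `unsigned_nsec3_owners` over every reply; a non-empty result from one server but not another is exactly the inconsistency the thread reports.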