> > In any event, as Mark has suggested, you don't want to dig the RRSIG > > yourself. Rather, use: > > > > dig +dnssec zygo.com a > > > > ...and if you get a SERVFAIL: > > > > dig +dnssec +cd zygo.com a > dig +dnssec +cd zygo.com a resolved the domain.
"RESOLVED THE DOMAIN" is not !@#$#!$!@#!$@#$%@#! enough for anyone to help you. WE NEED TO SEE WHAT YOU ARE SEEING. Mark > I have started to get other reports of domains with the same problem. > The same nameservers are having validation issues with these, and all > the domains use pdns01.domaincontrol.com and pdns02.domaincontrol.com. > as auth name servers. I guess this points to a problem somewhere in the > trust chain, butI can't figure out where. > > # dig a zygo.com +sigchase +trusted-key=root.keys +multiline +qr > > ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com +sigchase > +trusted-key=root.keys +multiline +qr > ;; global options: +cmd > ;; Sending: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21316 > ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ;; QUESTION SECTION: > ;zygo.com. IN A > > ;; NO ANSWERS: no more > We want to prove the non-existence of a type of rdata 1 or of the zone: > ;; nothing in authority section : impossible to validate the > non-existence : FAILED > > ;; Impossible to verify the Non-existence, the NSEC RRset can't be > validated: FAILED > > > If I add +topdown then it succeeds. > > -- > Grant Keller > Sonic.net System Operations > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
