On 08/07/2013 06:17 PM, Mark Andrews wrote:
>>> In any event, as Mark has suggested, you don't want to dig the RRSIG
>>> yourself. Rather, use:
>>>
>>> dig +dnssec zygo.com a
>>>
>>> ...and if you get a SERVFAIL:
>>>
>>> dig +dnssec +cd zygo.com a
>> dig +dnssec +cd zygo.com a resolved the domain.
> "RESOLVED THE DOMAIN" is not !@#$#!$!@#!$@#$%@#! enough for anyone
> to help you. WE NEED TO SEE WHAT YOU ARE SEEING.
>
> Mark

# dig +dnssec +cd zygo.com a
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec +cd zygo.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45711
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.                      IN      A

;; ANSWER SECTION:
zygo.com.               86400   IN      A       50.28.48.60

;; AUTHORITY SECTION:
zygo.com.               93100   IN      NS      pdns02.domaincontrol.com.
zygo.com.               93100   IN      NS      pdns01.domaincontrol.com.

;; ADDITIONAL SECTION:
pdns01.domaincontrol.com. 33591 IN      A       216.69.185.50
pdns01.domaincontrol.com. 57182 IN      AAAA    2607:f208:207::32
pdns02.domaincontrol.com. 80032 IN      A       208.109.255.50
pdns02.domaincontrol.com. 28807 IN      AAAA    2607:f208:303::32

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug  8 08:57:51 2013
;; MSG SIZE  rcvd: 197

>
>> I have started to get other reports of domains with the same problem.
>> The same nameservers are having validation issues with these, and all
>> the domains use pdns01.domaincontrol.com and pdns02.domaincontrol.com.
>> as auth name servers. I guess this points to a problem somewhere in the
>> trust chain, but I can't figure out where.
>>
>> # dig a zygo.com +sigchase +trusted-key=root.keys +multiline +qr
>>
>> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com +sigchase
>> +trusted-key=root.keys +multiline +qr
>> ;; global options: +cmd
>> ;; Sending:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21316
>> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;zygo.com.                      IN      A
>>
>> ;; NO ANSWERS: no more
>> We want to prove the non-existence of a type of rdata 1 or of the zone:
>> ;; nothing in authority section : impossible to validate the
>> non-existence : FAILED
>>
>> ;; Impossible to verify the Non-existence, the NSEC RRset can't be
>> validated: FAILED
>>
>>
>> If I add +topdown then it succeeds.
>>
>> --
>> Grant Keller
>> Sonic.net System Operations

--
Grant Keller
Sonic.net System Operations

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
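The diagnostic Mark describes above (query with +dnssec, and if that returns SERVFAIL, query again with +dnssec +cd) can be scripted so the two results are compared rather than eyeballed. The following is an added example and is not code from the thread or from ISC: it parses dig's header lines and classifies the pair of results. The two sample headers are constructed to mirror the exchange; the check_live function assumes a local dig and a validating resolver and is the only part that touches the network. Note the security point the +cd run makes visible: with checking disabled the resolver hands back whatever the authoritative servers serve, unauthenticated, which is why the +cd answer in the thread carries the "cd" flag and no "ad" flag. Use +cd to diagnose, never to "fix" a client.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): apply the
# "dig +dnssec" then "dig +dnssec +cd" test and classify the outcome.

# Extract the RCODE (NOERROR, SERVFAIL, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Exit 0 if dig's ";; flags:" line carries the named flag, e.g. "ad"
# (answer validated by the resolver) or "cd" (checking disabled).
dig_has_flag() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx "$1"
}

# classify STATUS_PLAIN STATUS_CD
#   STATUS_PLAIN : rcode of "dig +dnssec NAME TYPE"
#   STATUS_CD    : rcode of "dig +dnssec +cd NAME TYPE"
classify() {
    plain=$1
    with_cd=$2
    if [ "$plain" = "SERVFAIL" ] && [ "$with_cd" = "NOERROR" ]; then
        # Data is reachable but the validator rejects it: look at the
        # DS/DNSKEY/RRSIG chain, not at the authoritative servers' reachability.
        echo "dnssec-validation-failure"
    elif [ "$plain" = "SERVFAIL" ]; then
        # Fails even with checking disabled: not (only) a DNSSEC problem.
        echo "resolution-failure"
    elif [ "$plain" = "NOERROR" ]; then
        echo "resolved"
    else
        echo "other:$plain"
    fi
}

# Live use (assumes dig and a validating resolver; not exercised offline):
#   check_live zygo.com a
check_live() {
    s_plain=$(dig +dnssec "$1" "$2" | dig_status)
    s_cd=$(dig +dnssec +cd "$1" "$2" | dig_status)
    classify "$s_plain" "$s_cd"
}

# Constructed sample headers standing in for the two dig runs.
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45711
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5'

# Classify the constructed pair; prints "dnssec-validation-failure".
demo() {
    s_plain=$(printf '%s\n' "$SAMPLE_PLAIN" | dig_status)
    s_cd=$(printf '%s\n' "$SAMPLE_CD" | dig_status)
    classify "$s_plain" "$s_cd"
}

demo
```

When the result is "dnssec-validation-failure", the next step is to confirm the +cd answer has no "ad" flag (dig_has_flag ad should fail) and then walk the chain from the parent's DS record downward; the classification alone only tells you which side of the validator the fault is on.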