project722 <project...@gmail.com> wrote:
>
> 1) I am still seeing the "no valid signature found" messages in my
> bind.log.
>
> ;; validating ncentral.teklinks.com/A: no valid signature found

In this case that's because ncentral.teklinks.com is signed but there's no
DS in the parent zone, so it's insecure. If you run delv +vtrace you'll see
a lot of verbiage between these lines which is the major clue.

  ;; validating teklinks.com/DS: attempting negative response validation
  ;; validating teklinks.com/DS: nonexistence proof(s) found

Or you can look at dnsviz.net :-)

> 2) There is one other scenario that confuses me. When I test against a URL
> that's purposely setup to fail dnssec, I get a servfail.

dnssec-failed.org has DS records, so it should be secure, but the DS records
in the parent don't match the DNSKEY records in the child zone. You can see
this by comparing:

  $ dig +noall +answer dnssec-failed.org ds
  $ dig +cd dnssec-failed.org dnskey | dnssec-dsfromkey -f /dev/stdin dnssec-failed.org

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
protect and enlarge the conditions of liberty and social justice
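The two outcomes Tony describes (no DS in the parent, so the child is insecure; a DS that does not match any child DNSKEY, so the child is bogus) come down to the DS computation that dnssec-dsfromkey performs. The following Python is an added example, not code from the thread or from BIND: it builds the DS fields from a DNSKEY the way RFC 4034 specifies (key tag per Appendix B, digest over the canonical owner name plus the DNSKEY RDATA per section 5.1.4) and then classifies a delegation the way a validator would. All names and key bytes in it are constructed test data, not real zone data; the 64-byte "public key" is a placeholder blob, not a valid curve point, which is fine because the DS digest does not interpret the key.

```python
"""DS-from-DNSKEY and delegation classification, after RFC 4034.

Added example for the bind-users thread above; not code from BIND or from
the thread.  All inputs are constructed test data.
"""
import hashlib
import struct

# RFC 4034 section 5.1.3 digest types handled here (1 = SHA-1, 2 = SHA-256).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest_hex): the fields a DS record carries.

    The digest is over the canonical owner name followed by the DNSKEY RDATA,
    which is why the owner name must be passed to dnssec-dsfromkey as well.
    """
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def classify_delegation(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """What a validator concludes when it steps from the parent zone into the child.

    parent_ds:     DS tuples as produced by ds_from_dnskey (what the parent publishes).
    child_dnskeys: DNSKEY RDATA byte strings served by the child zone.
    """
    if not parent_ds:
        # Validated denial of existence for the DS: the child is insecure, so an
        # answer from it is accepted as unsigned ("no valid signature found").
        return "insecure"
    for rdata in child_dnskeys:
        for ds in parent_ds:
            if ds[2] not in DIGEST_ALGS:
                continue  # unsupported digest type: cannot use this DS
            if ds_from_dnskey(owner, rdata, ds[2]) == ds:
                return "secure"
    # DS records exist but none matches a child DNSKEY: the chain is broken,
    # the child is bogus and the resolver returns SERVFAIL.
    return "bogus"


if __name__ == "__main__":
    # Constructed data: a pretend KSK (flags 257) with a placeholder key blob.
    ksk = dnskey_rdata(257, 3, 13, bytes(range(64)))
    ds = ds_from_dnskey("example.com", ksk)
    print("DS for constructed key:", ds)
    print("no DS in parent     ->", classify_delegation("example.com", [], [ksk]))
    print("matching DS         ->", classify_delegation("example.com", [ds], [ksk]))
    rolled = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
    print("child key changed   ->", classify_delegation("example.com", [ds], [rolled]))
```

Feeding the real records into `classify_delegation` is the same comparison as the two `dig` commands in the message: the parent's `ds` answer on one side and `dnssec-dsfromkey` over the child's `dnskey` RRset on the other. The "bogus" branch is what a resolver does with dnssec-failed.org, and a mismatch after a key rollover where the parent DS was never updated looks identical.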