Thanks Tony! This was very helpful.

On Thu, Aug 23, 2018 at 8:01 AM Tony Finch <d...@dotat.at> wrote:

> project722 <project...@gmail.com> wrote:
>
> > 1) I am still seeing the "no valid signature found" messages in my
> > bind.log.
> >
> > ;; validating ncentral.teklinks.com/A: no valid signature found
>
> In this case that's because ncentral.teklinks.com is signed but there's no
> DS in the parent zone, so it's insecure. If you run delv +vtrace you'll
> see a lot of verbiage between these lines which is the major clue.
>
> ;; validating teklinks.com/DS: attempting negative response validation
> ;; validating teklinks.com/DS: nonexistence proof(s) found
>
> Or you can look at dnsviz.net :-)
>
> > 2) There is one other scenario that confuses me. When I test against a
> > URL that's purposely set up to fail dnssec, I get a servfail.
>
> dnssec-failed.org has DS records, so it should be secure, but the DS
> records in the parent don't match the DNSKEY records in the child zone.
> You can see this by comparing:
>
> $ dig +noall +answer dnssec-failed.org ds
>
> $ dig +cd dnssec-failed.org dnskey |
> dnssec-dsfromkey -f /dev/stdin dnssec-failed.org
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> protect and enlarge the conditions of liberty and social justice
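The two outcomes Tony distinguishes (no DS in the parent, so the child is insecure; a DS that matches no child DNSKEY, so the child is bogus and the resolver returns SERVFAIL) come down to the same comparison `dnssec-dsfromkey` performs: hash the child's DNSKEY and see whether the parent's DS matches it. The script below is an added example, not code from this thread or from BIND; it implements the digest type 2 (SHA-256) DS computation from RFC 4034 and classifies a delegation the way a validator would. The zone name `example.test`, the `KEY_A`/`KEY_B` material and all function names are constructed for the example; the base64 is placeholder bytes, not real key material.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Dnskey:
    """One DNSKEY record at the child zone apex (presentation-format fields)."""
    flags: int
    protocol: int
    algorithm: int
    pubkey_b64: str

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + base64.b64decode("".join(self.pubkey_b64.split())))


@dataclass(frozen=True)
class Ds:
    """One DS record as published in the parent zone."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest_hex: str


def wire_name(owner: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: Dnskey) -> Ds:
    """What dnssec-dsfromkey computes for digest type 2: SHA-256(owner wire name || DNSKEY RDATA)."""
    rdata = key.rdata()
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return Ds(key_tag(rdata), key.algorithm, 2, digest)


def classify_delegation(owner: str, parent_ds: Iterable[Ds], child_keys: Iterable[Dnskey]) -> str:
    """Three validator outcomes at a delegation point.

    insecure: the parent publishes no DS (the teklinks.com case above); the validator
              treats the child as unsigned, so "no valid signature found" is expected.
    secure:   at least one parent DS matches a child DNSKEY.
    bogus:    DS present but none matches any child key (the dnssec-failed.org case);
              a validating resolver answers SERVFAIL.
    """
    parent_ds = list(parent_ds)
    if not parent_ds:
        return "insecure"
    computed = {
        (ds.key_tag, ds.algorithm, ds.digest_type, ds.digest_hex.lower())
        for ds in (ds_from_dnskey(owner, k) for k in child_keys)
    }
    for ds in parent_ds:
        if (ds.key_tag, ds.algorithm, ds.digest_type, ds.digest_hex.lower()) in computed:
            return "secure"
    return "bogus"


# Constructed sample material (not real keys): placeholder bytes, enough to
# exercise the DS computation and the parent/child comparison.
ZONE = "example.test."
KEY_A = Dnskey(257, 3, 8, base64.b64encode(b"constructed-ksk-material-A").decode())
KEY_B = Dnskey(257, 3, 8, base64.b64encode(b"constructed-ksk-material-B").decode())

if __name__ == "__main__":
    ds_a = ds_from_dnskey(ZONE, KEY_A)
    ds_b = ds_from_dnskey(ZONE, KEY_B)
    print("no DS in parent      ->", classify_delegation(ZONE, [], [KEY_A]))       # insecure
    print("DS matches child key ->", classify_delegation(ZONE, [ds_a], [KEY_A]))   # secure
    print("DS from another key  ->", classify_delegation(ZONE, [ds_b], [KEY_A]))   # bogus
```

Run against real data, the parent side is the `dig +noall +answer <zone> ds` output and the child side is the `dig +cd <zone> dnskey` output (with `+cd` so the resolver hands back the keys even when it would otherwise SERVFAIL); only SHA-256 DS records are handled here, which is what `dnssec-dsfromkey` emits by default.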
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users