Hi

On Sat 08/Feb/2020 12:05:23 +0100 Ondřej Surý wrote:
> If `dig +dnssec +cd emeraldonion.org mx` will give you answers and `dig
> +dnssec emeraldonion.org mx` does not, then it’s most probably validation
> failure.

Aha, +cd is what I wanted to learn.  Thanks a lot!

> Then of course based on your logging setup, the validation failures might be
> visible in BIND 9 log.

Indeed:

/var/log/named.log:08-Feb-2020 10:46:34.703 lame-servers: info: no valid RRSIG resolving '_mta-sts.emeraldonion.org/DS/IN': 45.76.136.88#53
/var/log/named.log:08-Feb-2020 10:46:34.971 lame-servers: info: no valid DS resolving '_mta-sts.emeraldonion.org/TXT/IN': 45.76.37.222#53
/var/log/named.log:08-Feb-2020 10:46:34.990 lame-servers: info: broken trust chain resolving '_mta-sts.emeraldonion.org/TXT/IN': 45.76.136.88#53
/var/log/named.log:08-Feb-2020 10:46:35.010 lame-servers: info: insecurity proof failed resolving 'emeraldonion.org/MX/IN': 45.32.180.186#53
[...]

Best
Ale
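An added example, not part of the original message: a small Python filter that pulls the DNSSEC validation failures out of the lame-servers log category and groups them by queried name, so each can be rechecked with the `+cd` comparison described above. The reason strings and four of the sample lines are the ones quoted in the message; the function names and the fifth sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Failure reasons as they appear in the log lines quoted in the message.
VALIDATION_REASONS = {"no valid RRSIG", "no valid DS",
                      "broken trust chain", "insecurity proof failed"}

LINE_RE = re.compile(
    r"^(?:(?P<file>[^:\s]+):)?"                       # optional "file:" prefix added by grep
    r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): "
    r"(?P<reason>.+?) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>\w+)/(?P<rclass>\w+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)

# First four lines are from the message; the last one is constructed.
SAMPLE = [
    "/var/log/named.log:08-Feb-2020 10:46:34.703 lame-servers: info: no valid RRSIG resolving '_mta-sts.emeraldonion.org/DS/IN': 45.76.136.88#53",
    "/var/log/named.log:08-Feb-2020 10:46:34.971 lame-servers: info: no valid DS resolving '_mta-sts.emeraldonion.org/TXT/IN': 45.76.37.222#53",
    "/var/log/named.log:08-Feb-2020 10:46:34.990 lame-servers: info: broken trust chain resolving '_mta-sts.emeraldonion.org/TXT/IN': 45.76.136.88#53",
    "/var/log/named.log:08-Feb-2020 10:46:35.010 lame-servers: info: insecurity proof failed resolving 'emeraldonion.org/MX/IN': 45.32.180.186#53",
    # Constructed: a lame-servers line that is not a validation failure.
    "08-Feb-2020 10:46:36.000 lame-servers: info: connection refused resolving 'example.com/A/IN': 192.0.2.1#53",
]

def parse(lines):
    """Yield one dict of fields per 'resolving' log line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def validation_failures(lines):
    """Map 'name/type' to the (reason, server) pairs logged as DNSSEC failures."""
    out = defaultdict(list)
    for rec in parse(lines):
        if rec["reason"] in VALIDATION_REASONS:
            key = f'{rec["name"]}/{rec["rtype"]}'
            out[key].append((rec["reason"], rec["server"]))
    return dict(out)

if __name__ == "__main__":
    for key, hits in validation_failures(SAMPLE).items():
        name, rtype = key.split("/")
        print(key, "->", ", ".join(reason for reason, _ in hits))
        print(f"  compare: dig +dnssec {name} {rtype}  vs  dig +dnssec +cd {name} {rtype}")
```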