With "dnssec-validation AUTO;" I get:

# delv +cd www.popularsba.com
;; resolution failed: timed out

With "dnssec-validation NO;" I get:

# delv +cd www.popularsba.com
;; resolution failed: timed out
; unsigned answer
www.popularsba.com. 279 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.

CAPS just to show the difference in .conf

--
Ismael Suárez Maldonado | UNIX ADM | Coqui.Net Corp / ClaroTV
ismael_sua...@coqui.com | T: 787-793-0001 x 4007

-----Original Message-----
From: Petr Menšík <pemen...@redhat.com>
To: bind-users@lists.isc.org
Subject: Re: Dnssec-validation auto
Date: Fri, 13 Nov 2020 11:26:17 +0100

Hi Ismael,

easiest way to check validation is using delv tool from BIND 9.11+. It uses the same algorithm as BIND server does.

If you get SERVFAIL from your recursive server, try adding +cd parameter to delv or dig. When it works with +cd, validation is responsible somewhere in recursive servers chain.

It shows just unsigned to me, today.

$ delv +cd www.popularsba.com
; unsigned answer
www.popularsba.com. 282 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 282 IN CNAME 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 102 IN A 161.71.31.253

Cheers,
Petr

On 11/13/20 5:26 AM, Ismael Suarez wrote:

Hi all

The following domain (www.popularsba.com) does not resolve with dnssec validation set to auto, but when I change the validation off it works. Why is this? How can I check this validation?

Using bind 9.12

Thanks to all

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
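
The +cd comparison described in the thread, applied to saved delv output, as an added example that is not part of the thread or of BIND. The function names, verdict words and the PLAIN_FAIL sample are assumptions of this example; the other two samples are output quoted in the thread.

```shell
#!/bin/sh
# Added example: triage of saved delv output using the "+cd" comparison.

# Print one verdict for delv output read on stdin, keyed on delv's status lines.
classify_delv() {
    awk '
        /^;; resolution failed:/ { v = "failed";    exit }
        /^; fully validated/     { v = "validated"; exit }
        /^; unsigned answer/     { v = "unsigned";  exit }
        END { print (v == "" ? "unknown" : v) }
    '
}

# $1 = verdict of the plain run, $2 = verdict of the +cd run.
diagnose() {
    case "$1:$2" in
        failed:failed)  echo "cd-did-not-help" ;; # fails even with checking disabled
        failed:unknown) echo "inconclusive" ;;
        failed:*)       echo "validation" ;;      # works only with +cd
        unknown:*)      echo "inconclusive" ;;
        *)              echo "ok" ;;              # plain run already resolves
    esac
}

# $1 = full output of the plain run, $2 = full output of the +cd run.
triage() {
    diagnose "$(printf '%s\n' "$1" | classify_delv)" \
             "$(printf '%s\n' "$2" | classify_delv)"
}

# delv +cd output quoted in the thread.
CD_OK='; unsigned answer
www.popularsba.com. 282 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.'
CD_TIMEOUT=';; resolution failed: timed out'
# Constructed sample of a failing plain run; the reason text is an assumption.
PLAIN_FAIL=';; resolution failed: SERVFAIL'

triage "$PLAIN_FAIL" "$CD_OK"       # plain run fails, +cd run resolves
triage "$CD_TIMEOUT" "$CD_TIMEOUT"  # both runs time out
```

A "validation" verdict says only that some validator in the recursive chain rejects the answer; "cd-did-not-help" means disabling checking changed nothing, so the failure has not been shown to come from validation.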