Mirsad Goran Todorovac <mirsad.todoro...@alu.unizg.hr> writes:

> Dear All,
>
> In the past three days I have just made our domain DNSSEC
> signed. However, I seem to be missing something.
>
> When I query other DNS servers, like CloudFlare 1.0.0.1, I get the
> "ad" flag.
>
> But in my own domain, and my own domain servers, the "ad" flag is
> still missing:
>
> root@domac:/var/cache/bind# dig -u @161.53.235.3 domac.alu.hr a
> +dnssec +multiline
>
> ; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> -u @161.53.235.3
> domac.alu.hr a +dnssec +multiline
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5934
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

This is normal and expected. You don't get validation on the
authoritative servers. So if you see aa then there will be no ad.
Just check a few other signed zones and you'll see the same there.

Bjørn
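
The aa/ad distinction from the reply above, as an added example that is not part of the original thread: it decodes the 12-byte DNS header and reports what the flag combination says about validation. The first header is rebuilt from the dig output quoted in the question; the second is a constructed header for a validating resolver, and the function names are assumptions of this example.

```python
import struct

# Bit masks in the 16-bit flags word of the DNS header
# (RFC 1035; the ad and cd bits are defined for DNSSEC in RFC 4035).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header: id, flag names, rcode, counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, word, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    flags = [name for name, bit in FLAG_BITS.items() if word & bit]
    return {"id": ident, "flags": flags, "rcode": word & 0x000F,
            "counts": (qd, an, ns, ar)}

def explain_ad(header: dict) -> str:
    """Describe what the aa/ad combination says about DNSSEC validation."""
    flags = header["flags"]
    if "qr" not in flags:
        return "query: the flags describe a request, not an answer"
    if "aa" in flags:
        # An authoritative server answers from its own zone data and does
        # not validate it, so ad is not expected here.
        return "authoritative: answer from the zone itself, no validation, no ad expected"
    if "ad" in flags:
        return "validated: the resolver checked the signatures and marked the data authentic"
    return "unvalidated: recursive answer that the resolver did not mark as authentic"

# Header rebuilt from the dig output in the question:
# id 5934, flags qr aa rd ra, QUERY 1, ANSWER 2, AUTHORITY 0, ADDITIONAL 1.
AUTH_SAMPLE = struct.pack("!6H", 5934, 0x8580, 1, 2, 0, 1)
# Constructed sample: the same answer as a validating resolver would
# return it (flags qr rd ra ad); the id 4242 is made up.
RESOLVER_SAMPLE = struct.pack("!6H", 4242, 0x81A0, 1, 2, 0, 1)

if __name__ == "__main__":
    for label, raw in (("authoritative", AUTH_SAMPLE), ("resolver", RESOLVER_SAMPLE)):
        hdr = parse_header(raw)
        print(label, " ".join(hdr["flags"]), "->", explain_ad(hdr))
```

To see the ad flag for a newly signed zone, send the same query to a validating recursive resolver rather than to the zone's own name servers.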