On 1 June 2023 Bonno Bloksma wrote:

>> If you get an answer it's a dnssec problem with the error message in your
>> logs. If there is no answer it's another problem.
> Well, it seems I get an answer with the +cd option, and none without.

Yes. If I do:

# dig tio.nl A +dnssec +multiline

; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> tio.nl A +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15946
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: b5616e99dab9dfa2010000006479183bc71c1f369d50dcb2 (good)
;; QUESTION SECTION:
;tio.nl.                IN A

;; ANSWER SECTION:
tio.nl.                 3600 IN A 188.166.202.179
tio.nl.                 3600 IN RRSIG A 8 2 3600 (
                                20230615000000 20230525000000 11454 tio.nl.
                                M3ZcaxHNXwnmZ5SQnvMcPsUDPLQLpyl0RO7azsSWoUTx
                                6CgENJbWQuMqHyiQlzxeSnzVbfFIlKdbsBACFylJUhsT
                                Mby5rp8ouOr8XOK2wC+qJvgYbl5SJwXePu0f1XgCxoAg
                                P5/6ZnnXpo4gidVtxfUB68Ed5T6yxo23o0eI5gE= )

I get an external dns answer with a nice dnssec.

Can you do:

dig @172.16.208.10 tio.nl A +dnssec +multiline

to see if your internal dns answers with the same rrsig
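Added example, not part of the original message: one way to make the RRSIG comparison requested above mechanical is to parse the RRSIG from two saved `dig +dnssec +multiline` outputs, list the fields on which they differ, and check each signature's validity window. The sample texts are constructed (only the external header fields follow the answer quoted above), and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed samples in dig +multiline layout. The header fields of EXTERNAL
# follow the answer quoted above; both signatures and all of INTERNAL are invented.
EXTERNAL = """\
tio.nl.  3600 IN RRSIG A 8 2 3600 (
             20230615000000 20230525000000 11454 tio.nl.
             Q09OU1RSVUNURUQtU0lHTkFUVVJFLUE= )
"""
INTERNAL = """\
tio.nl.  3600 IN RRSIG A 8 2 3600 (
             20230518000000 20230427000000 11454 tio.nl.
             Q09OU1RSVUNURUQtU0lHTkFUVVJFLUI= )
"""
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)  # date of the message above

# RRSIG RDATA order in presentation format (RFC 4034, section 3.2).
FIELDS = ("covered", "algorithm", "labels", "orig_ttl",
          "expiration", "inception", "key_tag", "signer")

def parse_rrsig(dig_text):
    """Return the first RRSIG in +multiline dig output as a dict, or None."""
    m = re.search(r"\sIN\s+RRSIG\s+(.*?)(?:\)|\Z)", dig_text, re.S)
    if not m:
        return None
    tokens = m.group(1).replace("(", " ").split()
    if len(tokens) < len(FIELDS) + 1:
        return None  # truncated record: no signature text present
    rr = dict(zip(FIELDS, tokens))
    rr["signature"] = "".join(tokens[len(FIELDS):])  # base64 may span lines
    return rr

def ts(value):
    """dig prints RRSIG timestamps as YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def in_window(rr, now):
    """True if 'now' lies between signature inception and expiration."""
    return ts(rr["inception"]) <= now <= ts(rr["expiration"])

def differences(a, b):
    """Names of the RRSIG fields on which two resolvers disagree."""
    return [k for k in FIELDS + ("signature",) if a[k] != b[k]]

if __name__ == "__main__":
    ext, internal = parse_rrsig(EXTERNAL), parse_rrsig(INTERNAL)
    print("differing fields:", differences(ext, internal))
    for name, rr in (("external", ext), ("internal", internal)):
        print(name, "signature valid now:", in_window(rr, NOW))
```

A differing key tag or signer points at the zone's keys, while identical keys with a differing or expired validity window points at the data the internal server is holding.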