Re: How to get AD flag

2013-08-02 Thread Alan Clegg
On Aug 2, 2013, at 9:19 PM, Alan Clegg wrote: > > On Aug 2, 2013, at 11:35 AM, David Newman wrote: > >> That looks OK, but the forwarder might still be broken (i.e., it might >> strip replies). > > If this were the case and the resolver is correctly configured with a root > anchor then all

Re: How to get AD flag

2013-08-02 Thread Alan Clegg
On Aug 2, 2013, at 11:35 AM, David Newman wrote: > That looks OK, but the forwarder might still be broken (i.e., it might > strip replies). If this were the case and the resolver is correctly configured with a root anchor then all attempted validation (from the root down) would result in SERV

Re: Validation succeeds when keys with multiple algorithms present, but not RRSIGs for both

2013-08-02 Thread Mark Andrews
In message , Casey Deccio writes: > On Fri, Aug 2, 2013 at 5:25 AM, Mark Andrews wrote: > > > > In message <51fb9c18.23133.401e...@tmorizot.sd.is.irs.gov>, "Scott Morizot" writes: > >> The BIND 9 resolver returns an answer with the AD bit set. Unbound > >> returns SERVFAIL. Secure64 Cach

Re: Validation succeeds when keys with multiple algorithms present, but not RRSIGs for both

2013-08-02 Thread Casey Deccio
On Fri, Aug 2, 2013 at 5:25 AM, Mark Andrews wrote: > > In message <51fb9c18.23133.401e...@tmorizot.sd.is.irs.gov>, "Scott Morizot" writes: >> The BIND 9 resolver returns an answer with the AD bit set. Unbound >> returns SERVFAIL. Secure64 Caches also return SERVFAIL. Those are the >> only t

Re: How to get AD flag

2013-08-02 Thread David Newman
On 8/1/13 10:48 PM, rams wrote: > Thanks David, > This is the response I get > dig +short rs.dns-oarc.net txt @ > rst.x3827.rs.dns-oarc.net . > rst.x3837.x3827.rs.dns-oarc.net . > rst.x3843.x3837.x3827.r

Re: Internal view is answering to external ping

2013-08-02 Thread John Wobus
Many use ping to check DNS issues but doing so brings in another factor: the client's os/resolver/caching. The 'dig' utility aims to work around this. If 'dig' (to the DNS server's numeric address) and 'ping' DNS resolutions differ, you have good evidence it is a client issue. On the other hand i

Re: How to get AD flag

2013-08-02 Thread Stephane Bortzmeyer
On Fri, Aug 02, 2013 at 10:49:22AM +0530, rams wrote a message of 41 lines which said: > I have 9.7 bind installed and configured recursive. When I query > against forwarder I am not getting AD flag. Could you please guide me > how to get AD flag. Several possible reasons: 1) Unsigned domain

Re: Validation succeeds when keys with multiple algorithms present, but not RRSIGs for both

2013-08-02 Thread Mark Andrews
In message <51fbad70.9183.445a...@tmorizot.sd.is.irs.gov>, "Scott Morizot" writes: > On 2 Aug 2013 at 22:25, Mark Andrews wrote: > > In message <51fb9c18.23133.401e...@tmorizot.sd.is.irs.gov>, "Scott Morizot" writes: > > > Hello all, > > > > > > I ran into an interesting situation reso

Re: Validation succeeds when keys with multiple algorithms present, but not RRSIGs for both

2013-08-02 Thread Scott Morizot
On 2 Aug 2013 at 22:25, Mark Andrews wrote: > In message <51fb9c18.23133.401e...@tmorizot.sd.is.irs.gov>, "Scott Morizot" writes: > > Hello all, > > > > I ran into an interesting situation resolving dfas.mil. It appears that > > they have attempted to roll their ZSKs to algorithm 8 while le

Re: Validation succeeds when keys with multiple algorithms present, but not RRSIGs for both

2013-08-02 Thread Mark Andrews
In message <51fb9c18.23133.401e...@tmorizot.sd.is.irs.gov>, "Scott Morizot" writes: > Hello all, > > I ran into an interesting situation resolving dfas.mil. It appears that > they have attempted to roll their ZSKs to algorithm 8 while leaving their > KSKs on algorithm 7. Unfortunately, RFC 403

Validation succeeds when keys with multiple algorithms present, but not RRSIGs for both

2013-08-02 Thread Scott Morizot
Hello all, I ran into an interesting situation resolving dfas.mil. It appears that they have attempted to roll their ZSKs to algorithm 8 while leaving their KSKs on algorithm 7. Unfortunately, RFC 4035 specifies that if DNSKEYs for multiple algorithms exist in the apex DNSKEY RRset, then an RRS

Re: Internal view is answering to external ping

2013-08-02 Thread Lawrence K. Chen, P.Eng.
- Original Message - > On 1 August 2013 18:58, Lawrence K. Chen, P.Eng. > wrote: > > Did I miss something... what does ICMP ping have anything to do > > with bind? > > Yes, you missed the actual question. The use of the word 'ping' is a > misnomer, what he really meant to say that from