I suspect that the DNSKEY record for the root will be marked as an
'answer' rather than 'secure' (rndc dumpdb) and flushing the cache
will fix the issue as will waiting ~30703 seconds. 'rndc flushname .'
should also work though I forget where we added flushname.
Mark
In message <005701d0ae2f$ef2
Here you go:
root@nagios:/etc/bind# dig @127.0.0.1 +dnssec +cd ds com; dig @127.0.0.1 +dnssec +cd dnskey .
; <<>> DiG 9.7.3 <<>> @127.0.0.1 +dnssec +cd ds com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38536
;; flags: qr rd ra cd;
Should have asked for +dnssec on those queries. Also "date -u".
In message <005601d0ae2c$b698b6c0$23ca2440$@iname.com>, "Frank Bulk" writes:
> Mark,
>
> Sorry for top-posting -- my email client makes it difficult to do otherwise.
>
> Yes, I'm absolutely sure there's no software or physical fi
Mark,
Sorry for top-posting -- my email client makes it difficult to do otherwise.
Yes, I'm absolutely sure there's no software or physical firewall (we're an
ISP), and there's also no load-balancer in front of this box. I've also
used the EDNS tests and I can get a 4000+ byte response. There's
In message <003d01d0ae24$682fc080$388f4180$@iname.com>, "Frank Bulk" writes:
> I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC
> validation.
>
> I'm using the excellent guides at
> http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-
> for-recursiv
I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC
validation.
I'm using the excellent guides at
http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-for-recursive-servers and
https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2012/rappo