Re: DNSSEC Bogus NXDOMAIN survives authenticating RR

2010-01-25 Thread Niobos
On 2009-12-10 08:49, Niobos wrote: Thank you very much for your help; I'll forward the conversation to the bug-tracking list. Since these are my first DNSSEC experiments, I just wanted to make sure that it wasn't a problem with my understanding of the concept. Niobos This has been confi

Re: DNSSEC Bogus NXDOMAIN survives authenticating RR

2009-12-10 Thread Niobos
Thank you very much for your help; I'll forward the conversation to the bug-tracking list. Since these are my first DNSSEC experiments, I just wanted to make sure that it wasn't a problem with my understanding of the concept. Niobos On 10 Dec 2009, at 00:59, Hauke Lampe wrote: > The signatures

Re: DNSSEC Bogus NXDOMAIN survives authenticating RR

2009-12-09 Thread Hauke Lampe
[I finally gave up on trying to get Thunderbird *not* to wrap long lines. Prefixing them with ">" seems to be the only way, even if confusing] Niobos wrote: >>> dig +dnssec removed.dnssec.dest-unreach.be >> Even though I have added your DNSKEY as trusted key, I get SERVFAIL on >> the first query

Re: DNSSEC Bogus NXDOMAIN survives authenticating RR

2009-12-09 Thread Niobos
>> Could you try this lookup? >> dig +dnssec removed.dnssec.dest-unreach.be > > I see now what you mean. > > Even though I have added your DNSKEY as trusted key, I get SERVFAIL on > the first query and NXDOMAIN on the second, without BIND doing any > additional outgoing queries. This is the same

Re: DNSSEC Bogus NXDOMAIN survives authenticating RR

2009-12-08 Thread Hauke Lampe
Niobos wrote: > As soon as I activate DLV (besides the manual SEP I entered), the "removed" > behaviour changes: > * First lookup still returns SERVFAIL > * Subsequent lookups now return NXDOMAIN with the AD flag *set*! (log > confirms that my domain is not in the DLV and hence is insecure) Tha

Re: DNSSEC Bogus NXDOMAIN survives authenticating RR

2009-12-08 Thread Niobos
On 08 Dec 2009, at 15:18, Hauke Lampe wrote: > Niobos wrote: > >> When requesting a lookup of "removed", I get a SERVFAIL as well. However, >> every subsequent request for "removed" gets an NXDOMAIN. (dig outputs below) >> Flushing the caches on the RR with "rndc flush" causes the first request t

Re: DNSSEC Bogus NXDOMAIN survives authenticating RR

2009-12-08 Thread Hauke Lampe
Niobos wrote: > When requesting a lookup of "removed", I get a SERVFAIL as well. However, > every subsequent request for "removed" gets an NXDOMAIN. (dig outputs below) > Flushing the caches on the RR with "rndc flush" causes the first request to > be a SERVFAIL again. I cannot reproduce this b