Re: Question about DNSSEC

Thanks guys! As usual, you've taught me an invaluable lesson. Regards, Bob On Fri, Nov 1, 2024 at 11:42 AM Evan McKinney wrote: > Even with a CNAME record, the delv command will validate each step of the > resolution. You can use the +vtrace option to see each validation and > +mtrace to see

Re: Question about DNSSEC

Sorry, I get the DO and AD flags confused. I see now that DIG is telling me that somewhere in the chain there is an entry that is not validated. I was doing everything manually. And yes, I saw that DELV runs the chain. Thanks again, Bob -- Visit https://lists.isc.org/mailman/listinfo/bind-user

Re: Question about DNSSEC

Even with a CNAME record, the delv command will validate each step of the resolution. You can use the +vtrace option to see each validation and +mtrace to see each individual message. -Evan Get BlueMail for Desktop Ondřej Surý wrote: DO flag is indication to “do DNSSEC”, it

Re: Question about DNSSEC

DO flag is indication to “do DNSSEC”, it has no other meaning. You should be looking for AD flag.As for delv output - it prints out which names are validated and those that are not. I don’t see anything wrong here.--Ondřej Surý — ISC (He/Him)My working hours and your working hours may be different.

Re: Question about DNSSEC

The host is www.irs.gov. A further question. DIG sets the DO flag even though the second and third entries in the CNAME chain are not signed. There's basically no indication that there's really any issue. DELV indicates the host as "fully validated" then flags the second entry in the CNAME chain

Re: Question about DNSSEC

Hi there, On Thu, 31 Oct 2024, Crist Clark wrote: Name names. DNS is out there in public. There are a LOT of US .gov sites where the .gov is all signed, but it ends up in $BIGCLOUDPROVIDER that is not. www.gsa.gov www.state.gov www.house.gov www.senate.gov www.cia.gov www.cisa.gov (*ehem*) ww

Re: Question about DNSSEC

Name names. DNS is out there in public. There are a LOT of US .gov sites where the .gov is all signed, but it ends up in $BIGCLOUDPROVIDER that is not. www.gsa.gov www.state.gov www.house.gov www.senate.gov www.cia.gov www.cisa.gov (*ehem*) www.get.gov (not even .gov is signed?!) Same thing for

Re: Question about DNSSEC

> On 1 Nov 2024, at 09:15, Bob McDonald wrote: > > If a host is defined as a CNAME chain where the domain of the host is DNSSEC > signed but the domain(S) of the target(s) in the CNAME chain are not, does > that mean that the entry really isn't DNSSEC protected? Correct. Every element of t

Re: question about DNSSEC with PKCS11

1. since I use HSM(now is softhsm) to store the DNSSEC key, does it more insecure to convert the key(s) from HSM to .private file with dnssec-keyfromlabel ? keys are not actually 'converted' with this utility; instead the .private file links to the corresponding private (and typically unexportab

Re: question about DNSSEC with PKCS11

Hi, The KB article was written before dnssec-policy. Unfortunately, OpenSSL with engine_pkcs11 does not support creating keys. So if you want to use an HSM with dnssec-policy, you will need to create the keys yourself and you can then import them in the key-directory with dnssec-keyfromlabel.