I think the issue here is that the authenticity of an RRSIG RR doesn't
really make sense without the RRset it covers, and RRSIG themselves
are not signed (RFC 4035 section 2.2). The RRSIGs returned by the
cache are there initially because they exist (as well as the RRsets
they cover), but not beca
Using the ORG trust anchor from the ITAR yields the following result on
9.7.1 (no P1 patch). No initial time out.
# dig +dnssec -t RRSIG www.forfunsec.org
; <<>> DiG 9.7.1 <<>> +dnssec -t RRSIG www.forfunsec.org
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version
On Wed, 14 Jul 2010, Chris Thompson wrote:
>
> With 9.7.1-P1 (and a trust anchor for dlv.isc.org) on a local workstation
>
> dig +dnssec -t RRSIG www.forfunsec.org @127.0.0.1
>
> initially times out. But after doing
>
> dig +dnssec -t ANY www.forfunsec.org @127.0.0.1
>
> the same command reports
Using bind 9.7.1. w/ IANA test bed and not DLV:
dig +dnssec rrsig www.iis.se
; <<>> DiG 9.7.1 <<>> +dnssec rrsig www.iis.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49621
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT
On Jul 13 2010, Doug Barton wrote:
On Tue, 13 Jul 2010, Marco Davids (SIDN) wrote:
Hi,
Can anyone explain to me why the 'ad'-flag is set for this query?
dig +dnssec -t RRSIG www.forfunsec.org
I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What
version of BIND are you
On 07/14/10 00:43, Doug Barton wrote:
Can anyone explain to me why the 'ad'-flag is set for this query?
dig +dnssec -t RRSIG www.forfunsec.org
>>>
>> I use BIND 9.7.0rc1, configured to work with the IANA testbed.
> I'd be interested to see what happens if you upgrade to the latest
On Wed, 14 Jul 2010, Marco Davids (SIDN) wrote:
On 07/13/10 23:58, Doug Barton wrote:
Can anyone explain to me why the 'ad'-flag is set for this query?
dig +dnssec -t RRSIG www.forfunsec.org
I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What
version of BIND are you usi
On 07/13/10 23:58, Doug Barton wrote:
>> Can anyone explain to me why the 'ad'-flag is set for this query?
>>
>> dig +dnssec -t RRSIG www.forfunsec.org
>
> I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What
> version of BIND are you using?
>
Hi Doug,
I use BIND 9.7.0rc1,
On Tue, 13 Jul 2010, Marco Davids (SIDN) wrote:
Hi,
Can anyone explain to me why the 'ad'-flag is set for this query?
dig +dnssec -t RRSIG www.forfunsec.org
I'm using 9.7.1-P1 with dlv and I'm not seeing the AD flag on that. What
version of BIND are you using?
Doug
--
Improve t
Hi,
Can anyone explain to me why the 'ad'-flag is set for this query?
dig +dnssec -t RRSIG www.forfunsec.org
How does a validating resolver determine that such an answer is secure?
Thank you.
--
Marco Davids
___
bind-users mailing list
bind-users@li
10 matches
Mail list logo
