stub zone and dnssec processing fails?
Paul Wouters
paul at xelerance.com
Fri Oct 2 02:47:13 UTC 2009
On Fri, 2 Oct 2009, Mark Andrews wrote:
>> zone "ca." IN {
>> type stub;
>> masters { 192.228.22.190; 192.228.22.189; };
>> };
> To make the test signed ca work you need to replace the NS RRset
> with the names of the nameservers that serve the signed CA zone.
> At the moment you end up with those that serve unsigned content
> which is correctly rejected. Stubs pre-populate the delegation,
> they do not override the delegation.

It seems that using a forward type zone does work:

zone "ca." IN {
    type forward;
    forwarders { 66.241.135.248; 193.110.157.136; };
};

dig +dnssec -t ds xelerance.ca. @localhost
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 12, ADDITIONAL: 1

I had tried it before and it failed. Must have been an operator error.

Paul
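
An added example, not part of the original post or of BIND: a small shell function that classifies dig output by response status and the AD flag, which is the check used in the message above to confirm that validation succeeds through the forward zone. The function name classify_dig and the sample headers are constructed for illustration; only the "validated" flags line is taken from the post.

```sh
#!/bin/sh
# Classify a dig response read from stdin:
#   validated   - "ad" flag present (resolver authenticated the data)
#   unvalidated - answered, but without the "ad" flag
#   servfail    - status SERVFAIL, which is what a validating resolver
#                 returns when the data it fetched fails validation
#   no-header   - no ";; flags:" line found in the input
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            # e.g. ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242"
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            seen = 1
            line = $0
            sub(/^;; flags:/, "", line)   # drop the label
            sub(/;.*/, "", line)          # drop the section counts
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (!seen)                { print "no-header"; exit }
            if (status == "SERVFAIL") { print "servfail";  exit }
            print (ad ? "validated" : "unvalidated")
        }'
}

# Constructed sample headers (not captured output).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 12, ADDITIONAL: 1'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_OK"   | classify_dig   # validated
printf '%s\n' "$SAMPLE_FAIL" | classify_dig   # servfail
```

Against a live resolver the same function can be fed directly: `dig +dnssec -t ds xelerance.ca. @localhost | classify_dig`. The AD flag is only as trustworthy as the path to the resolver that set it, which is why the query in the post goes to localhost.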