www.ncbi.nlm.nih.gov / pubmed
Lightner, Jeff
jlightner at water.com
Wed Aug 18 12:50:45 UTC 2010
No problem. We haven't enabled DNSSEC here yet. Man for dig says:
"+[no]cdflag
Set [do not set] the CD (checking disabled) bit in the query.
This requests the server to not perform DNSSEC validation of responses."
Below are the digs with the +cdflag and +nocdflag:
dig +cdflag www.ncbi.nlm.nih.gov
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +cdflag www.ncbi.nlm.nih.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13903
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ncbi.nlm.nih.gov. IN A
;; ANSWER SECTION:
www.ncbi.nlm.nih.gov. 600 IN CNAME www.wip.ncbi.nlm.nih.gov.
www.wip.ncbi.nlm.nih.gov. 30 IN A 130.14.29.110
;; AUTHORITY SECTION:
wip.ncbi.nlm.nih.gov. 2059 IN NS gslb01.nlm.nih.gov.
wip.ncbi.nlm.nih.gov. 2059 IN NS gslb02.nlm.nih.gov.
wip.ncbi.nlm.nih.gov. 2059 IN NS gslb03.nlm.nih.gov.
;; Query time: 48 msec
;; SERVER: 10.0.4.99#53(10.0.4.99)
;; WHEN: Wed Aug 18 08:40:25 2010
;; MSG SIZE rcvd: 139
dig +nocdflag www.ncbi.nlm.nih.gov
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +nocdflag www.ncbi.nlm.nih.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30098
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ncbi.nlm.nih.gov. IN A
;; ANSWER SECTION:
www.ncbi.nlm.nih.gov. 597 IN CNAME www.wip.ncbi.nlm.nih.gov.
www.wip.ncbi.nlm.nih.gov. 27 IN A 130.14.29.110
;; Query time: 5 msec
;; SERVER: 10.0.4.99#53(10.0.4.99)
;; WHEN: Wed Aug 18 08:40:29 2010
;; MSG SIZE rcvd: 76
-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Wednesday, August 18, 2010 8:31 AM
To: Lightner, Jeff
Cc: bind-users at lists.isc.org
Subject: Re: www.ncbi.nlm.nih.gov / pubmed
On 18/08/10 13:30, Phil Mayers wrote:
> On 18/08/10 13:15, Lightner, Jeff wrote:
>> It comes right up in Firefox but prompts for a username and password.
>
> Do you have DNSSEC validation enabled? Because as per my email, it's a
> DNSSEC problem.
Damn - in fact sorry, scratch that. I realise my original email said
nothing of the sort! I blame the stress of moving house ;o)
>
> After a bit of investigation, it seems that the problem is a missing
> NSEC/NSEC3 record in the empty reply for:
>
> $ dig +dnssec @165.112.4.230 ncbi.nlm.nih.gov ds
>
> ...since the "ncbi" zone is an unsigned child zone, there needs to be an
> NSEC/NSEC3 record to prove the absence of the DS record, and have a
> secure delegation to an unsigned child zone.
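The condition described in the quoted message (a DS query for an unsigned child zone must return a signed NSEC/NSEC3 record proving the DS is absent), as an added example that is not part of the original thread. It classifies the text of a `dig +dnssec <child> ds` reply structurally, without verifying signatures; the zone names, sample outputs and function names are constructed for illustration.

```python
# Constructed `dig +dnssec child.example. ds` reply from a hypothetical signed
# parent zone "example."; the RRSIG signature fields are placeholders.
GOOD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; AUTHORITY SECTION:
example. 3600 IN SOA ns.example. root.example. 1 7200 900 1209600 3600
example. 3600 IN RRSIG SOA 8 1 3600 20300101000000 20200101000000 12345 example. c2ln
child.example. 3600 IN NSEC d.example. NS RRSIG NSEC
child.example. 3600 IN RRSIG NSEC 8 2 3600 20300101000000 20200101000000 12345 example. c2ln
"""
# Same reply with the denial-of-existence records stripped: the failure
# mode described in the thread (empty DS answer, no NSEC/NSEC3).
BROKEN = "\n".join(l for l in GOOD.splitlines() if " NSEC" not in l) + "\n"


def records(dig_text):
    """Yield (owner, type, rdata fields) for each resource-record line."""
    for line in dig_text.splitlines():
        f = line.split()
        if len(f) >= 5 and not line.startswith(";") and f[2] == "IN":
            yield f[0].lower(), f[3], f[4:]


def classify_ds_response(dig_text, qname):
    """Return 'secure', 'insecure-proven' or 'bogus-no-denial'."""
    qname = qname.lower()
    rrs = list(records(dig_text))
    if any(o == qname and t == "DS" for o, t, _ in rrs):
        return "secure"                      # DS present: signed delegation
    # (owner, type covered) for every RRSIG in the reply
    signed = {(o, r[0]) for o, t, r in rrs if t == "RRSIG"}
    for owner, rtype, rdata in rrs:
        if rtype == "NSEC" and owner == qname:
            bitmap = set(rdata[1:])          # rdata[0] is the next owner name
        elif rtype == "NSEC3":
            # Simplification: the hashed owner is not matched against qname
            # and opt-out ranges are not evaluated.
            bitmap = set(rdata[5:])          # alg flags iter salt next-hash
        else:
            continue
        # A delegation point has NS in the bitmap but neither DS nor SOA.
        if (owner, rtype) in signed and "NS" in bitmap and not bitmap & {"DS", "SOA"}:
            return "insecure-proven"
    return "bogus-no-denial"                 # validators treat this as bogus
```

A resolver that is not validating, or a query sent with the CD bit set, still gets an answer in the `bogus-no-denial` case, which is why the two digs above both return NOERROR.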