DNSSEC, whitehouse, isc, and troubleshooting...
Evan Hunt
each at isc.org
Mon Apr 18 18:07:03 UTC 2011
On Mon, Apr 18, 2011 at 10:51:04AM -0700, John Williams wrote:
> From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad
> flag as expected. I don't see that flag when I query whitehouse.gov (w/
> +dnssec) and I know that zone is signed.
>
> Is anyone else seeing this behavior? Also, is there a link that
> addresses troubleshooting or diagnosing DNSSEC based queries?
My guess is you're looking at www.whitehouse.gov, which is a CNAME to
www.whitehouse.gov.edgesuite.net, which isn't signed, so the ad flag
is unset. Try "dig +dnssec ns whitehouse.gov" and you should see
the ad flag. (Anyway, it's working for me at the moment.)
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list