9.9.0rc1: example from arm 4.8.3 does not validate
David Forrest
drf at maplepark.com
Thu Jan 19 16:11:26 UTC 2012
On Thu, 19 Jan 2012, Axel Rau wrote:
>
> On 18.01.2012 at 23:54, Evan Hunt wrote:
>
>>> I tried the example from page 23 with a local zone, a trusted key and
>>> inline-signing, like:
>>> [...]
>>> But I'm getting no ad-flag:
>>
>> That's normal; authoritative servers don't set the AD bit, validating
>> resolvers do. (There's not much point in having an authoritative server
>> validate its own answers.)
> Can dig tell me, if the sigs are valid, if I provide my trusted key?
> Or do I need a 2nd (validating) ns?
>
> Axel
One needs to ask a non-authoritative validating server. For checking our
publicly available DNSSEC signed site, I use the available recursing
validating oarc server.
dig +dnssec @bind.odvr.dns-oarc.net maplepark.com
and get the flags returned in a crontab script that checks it daily for
the ad flag.
Dave
--
David Forrest e-mail drf @ maplepark.com
Maple Park Development Corporation http://xen.maplepark.com
St. Louis, Missouri
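
A sketch of the kind of daily AD-flag check described in the message above, as an added example that is not the poster's own script. The function names (`has_ad_flag`, `check_zone`, `sample_*`) are hypothetical and the sample dig headers are constructed; treating anything other than NOERROR as a failure is an assumption of this example.

```shell
#!/bin/sh
# Added example: cron-friendly check that a validating resolver sets AD.

# has_ad_flag: read dig output on stdin. Succeeds only when the header
# status is NOERROR and "ad" is one of the tokens on the ";; flags:" line.
has_ad_flag() {
    awk '
        /^;; ->>HEADER<<-/ { noerror = ($0 ~ /status: NOERROR/) }
        /^;; flags:/ {
            sub(/^;; flags:/, ""); sub(/;.*/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END { exit !(noerror && ad) }
    '
}

# check_zone RESOLVER ZONE: query a recursive validating resolver.
check_zone() {
    if dig +dnssec "@$1" "$2" | has_ad_flag; then
        echo "OK: $2 validated by $1 (ad flag set)"
    else
        echo "FAIL: no ad flag for $2 from $1" >&2
        return 1
    fi
}

# Constructed sample headers (not captured from a real server).
sample_validated() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_authoritative() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
EOF
}
sample_servfail() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Run the live check only when called as: script RESOLVER ZONE
if [ "$#" -eq 2 ]; then check_zone "$1" "$2"; fi
```

Called with a resolver and a zone as its two arguments, the script exits non-zero when the flag is missing, so a cron job can report the failure.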
More information about the bind-users mailing list