Dnssec-validation auto

Petr Menšík pemensik at redhat.com
Fri Nov 13 10:26:17 UTC 2020 

Hi Ismael,

easiest way to check validation is using delv tool from BIND 9.11+. It
uses the same algorithm as BIND server does. If you get SERVFAIL from
your recursive server, try adding +cd parameter to delv or dig. When it
works with +cd, validation is responsible somewhere in recursive servers
chain.

It shows just unsigned to me, today.

$ delv +cd www.popularsba.com
; unsigned answer
www.popularsba.com.	282	IN	CNAME
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 282 IN CNAME
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 102	IN A
161.71.31.253

Cheers,
Petr

On 11/13/20 5:26 AM, Ismael Suarez wrote:
> Hi all
> 
> The following domain (www.popularsba.com) does not resolve with dnssec validation set to auto, but when I change the validation off it works.
> 
> Why is this? How can I check this validation?
> 
> Using bind 9.12
> 
> Thanks to all
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x4931CA5B6C9FC5CB_and_old_rev.asc
Type: application/pgp-keys
Size: 9364 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20201113/0c3212a7/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20201113/0c3212a7/attachment-0001.bin>

More information about the bind-users mailing list