crypto-validated?

Jim Reid jim at rfc1035.com
Tue Dec 19 23:41:53 UTC 2000


>>>>> "fred" == fred pasteck <fred_pasteck at yahoo.com> writes:

    >> A strong hash is generated for each resource record after it is
    >> put into canonical form. The hash is then signed with the
    >> private key or keys to produce SIG records => a signed version
    >> of the zone file. This is done off-line by dnssec-signzone and
    >> friends in BIND9.

    fred> The part I don't understand is that this is a bind8 server,
    fred> not bind9. I'll have to investigate that a bit further to be
    fred> sure.

Support for DNSSEC is also in later versions of BIND8. IIRC the 8.2
release was the first to include DNSSEC. The tools for signing zones
in BIND8 were not as good or robust as those in BIND9.

It could be possible that the server is not DNSSEC aware. Sometimes
the AD bit is left untouched when the server sends out a reply. Say in
servers that don't do DNSSEC and therefore assume there's no need to
inspect or set/reset that bit. So if you send a query with the AD bit
set, the answer could come back with it still set because the name
server simply didn't care about that header bit.
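An added illustration, not part of this thread: a small Python model of the header-flag behaviour described above, packing a query with AD=1, a constructed "oblivious" server that copies the flag word back unchanged, and a check that refuses to treat an AD bit as meaningful when it could simply have been echoed (the function names and the modelled server are assumptions for this example).

```python
import struct

# DNS header flag bits (second 16-bit word of the header; RFC 1035 sec. 4.1.1,
# AD and CD added by RFC 2535 sec. 6.1)
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authentic data (server claims it validated the answer)
FLAG_CD = 0x0010  # checking disabled

def build_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    """Pack a 12-byte DNS header (network byte order)."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)

def parse_flags(msg):
    """Decode the flag word of a DNS message header into named bits."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return {"qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F}

def oblivious_server_reply(query):
    """Constructed model of a server that knows nothing about DNSSEC:
    it copies the query's flag word as-is and only sets QR, so a query
    sent with AD=1 comes back with AD=1 even though nothing was validated."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    return build_header(txid, flags | FLAG_QR, qd, an, ns, ar)

def ad_bit_set_by_server(query, reply):
    """True only when the reply's AD bit must have been set deliberately by
    the server rather than echoed from the query.  Even then it is just the
    server's claim: rely on it only over a trusted path to a resolver you
    know validates, or validate the signatures yourself."""
    q, r = parse_flags(query), parse_flags(reply)
    if not r["qr"] or not r["ad"]:
        return False
    return not q["ad"]

if __name__ == "__main__":
    q = build_header(0x1234, FLAG_RD | FLAG_AD)   # query with AD already set
    r = oblivious_server_reply(q)
    print(parse_flags(r)["ad"], ad_bit_set_by_server(q, r))   # True False
```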


