Validating a DNSSEC installation

Erik Lotspeich erik at lotspeich.org
Sat Jun 13 11:59:29 UTC 2009


Hi Hauke,

I now get the AD flag when querying external validating resolvers such
as the ones you mention.

I believe that my BIND is configured properly to be a validating
resolver as well:

# dig +adflag @ns.lotspeich.org. isc.org.

; <<>> DiG 9.6.1 <<>> +adflag @ns.lotspeich.org. isc.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62029
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
[snip]

Is it normal that a validating resolver can't validate a domain it is
authoritative for?

# dig +adflag @ns.lotspeich.org. lotspeich.org.

; <<>> DiG 9.6.1 <<>> +adflag @ns.lotspeich.org. lotspeich.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1087
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
[snip]

I don't get the AD flag here.

Thanks again,

Erik.

Hauke Lampe wrote:
> Erik Lotspeich wrote:
> 
>> I have registered with the ISC's DLV registry.  I am
>> having trouble finding the best way for me to validate that my setup is
>> working and that my zone validates.
> 
> dlv.isc.org doesn't list your keys yet. It can take a day or two for DLV
> records to appear after your DNSKEY and cookie records have been
> checked. If you just added the zone to dlv.isc.org and it still shows a
> "pending validation" state, try "request re-check" in the DNSKEY Details
> section to force immediate validation.
> 
> Once your DLV record shows up, you may query external validating
> resolvers and see if they set the AD flag in response. OARC operates
> resolvers validating against dlv.isc.org. See their website at:
> https://www.dns-oarc.net/oarc/services/odvr
> 
> dig +adflag lotspeich.org @149.20.64.20
> dig +adflag lotspeich.org @149.20.64.21
> 
> A successful validation should look like this:
> [...]
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6841
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> [...]              ^^
> 
> Future reference: Once .org completes their testing phase *and* your
> registrar allows you to register DS records for your domain, queries
> should also return AD when validated against the ITAR trust anchor
> repository (at https://itar.iana.org/):
> 
> dig +adflag lotspeich.org @149.20.64.22
> 
> I also run a somewhat-public resolver using the dnssec.iks-jena.de DLV
> (http://www.iks-jena.de/leistungen/dnssec.php):
> 
> dig +adflag lotspeich.org @85.10.240.255
> 
> 
> 
> Hauke.
> 
> 
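A small Python helper, added here as an illustration and not part of the thread, that parses the header lines dig prints and reports whether the answer was validated (AD set), was served from the server's own authoritative data (aa without ad, as in the second query above), or came back with a non-NOERROR status. The sample headers are constructed, modelled on the ones quoted in this thread.

```python
import re

# Constructed dig header snippets, modelled on the outputs quoted in the thread.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62029
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
"""
AUTHORITATIVE_ONLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1087
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
"""
FAILED = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.MULTILINE)


def parse_header(dig_output):
    """Return (status, set_of_flags) from a dig response header."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if status is None or flags is None:
        raise ValueError("no dig header found in output")
    return status.group(1), set(flags.group(1).split())


def classify(dig_output):
    """Interpret the header the way the thread reads it: look for AD."""
    status, flags = parse_header(dig_output)
    if status != "NOERROR":
        # A validating resolver answers SERVFAIL when validation fails.
        return "failed:" + status
    if "ad" in flags:
        # The resolver validated the whole chain and set the AD bit.
        return "validated"
    if "aa" in flags:
        # Authoritative answer from the server's own zone data; such an
        # answer is served, not validated, so no AD bit is expected here.
        return "authoritative-unvalidated"
    return "unvalidated"


if __name__ == "__main__":
    for name, sample in (("isc.org", VALIDATED), ("lotspeich.org", AUTHORITATIVE_ONLY)):
        print(name, classify(sample))
```

To check a zone the resolver itself is authoritative for, point dig at one of the external validating resolvers listed in Hauke's reply instead.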
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


