www.ncbi.nlm.nih.gov / pubmed

Lightner, Jeff jlightner at water.com
Wed Aug 18 12:50:45 UTC 2010


No problem.  We haven't enabled DNSSEC here yet.   Man for dig says:

"+[no]cdflag
Set [do not set] the CD (checking disabled) bit in the query. 		
This requests the server to not perform DNSSEC validation of responses."

Below are the digs with the +cdflag and +nocdflag:



dig +cdflag www.ncbi.nlm.nih.gov

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +cdflag www.ncbi.nlm.nih.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13903
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ncbi.nlm.nih.gov.          IN      A

;; ANSWER SECTION:
www.ncbi.nlm.nih.gov.   600     IN      CNAME   www.wip.ncbi.nlm.nih.gov.
www.wip.ncbi.nlm.nih.gov. 30    IN      A       130.14.29.110

;; AUTHORITY SECTION:
wip.ncbi.nlm.nih.gov.   2059    IN      NS      gslb01.nlm.nih.gov.
wip.ncbi.nlm.nih.gov.   2059    IN      NS      gslb02.nlm.nih.gov.
wip.ncbi.nlm.nih.gov.   2059    IN      NS      gslb03.nlm.nih.gov.

;; Query time: 48 msec
;; SERVER: 10.0.4.99#53(10.0.4.99)
;; WHEN: Wed Aug 18 08:40:25 2010
;; MSG SIZE  rcvd: 139






dig +nocdflag www.ncbi.nlm.nih.gov

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +nocdflag www.ncbi.nlm.nih.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30098
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ncbi.nlm.nih.gov.          IN      A

;; ANSWER SECTION:
www.ncbi.nlm.nih.gov.   597     IN      CNAME   www.wip.ncbi.nlm.nih.gov.
www.wip.ncbi.nlm.nih.gov. 27    IN      A       130.14.29.110

;; Query time: 5 msec
;; SERVER: 10.0.4.99#53(10.0.4.99)
;; WHEN: Wed Aug 18 08:40:29 2010
;; MSG SIZE  rcvd: 76

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk] 
Sent: Wednesday, August 18, 2010 8:31 AM
To: Lightner, Jeff
Cc: bind-users at lists.isc.org
Subject: Re: www.ncbi.nlm.nih.gov / pubmed

On 18/08/10 13:30, Phil Mayers wrote:
> On 18/08/10 13:15, Lightner, Jeff wrote:
>> It comes right up in Firefox but prompts for a username and password.
>
> Do you have DNSSEC validation enabled? Because as per my email, it's a
> DNSSEC problem.

Damn - in fact sorry, scratch that. I realise my original email said 
nothing of the sort! I blame the stress of moving house ;o)

>
> After a bit of investigation, it seems that the problem is a missing
> NSEC/NSEC3 record in the empty reply for:
>
> $ dig +dnssec @165.112.4.230 ncbi.nlm.nih.gov ds
>
> ...since the "ncbi" zone is an unsigned child zone, there needs to be an
> NSEC/NSEC3 record to prove the absence of the DS record, and have a
> secure delegation to an unsigned child zone.
 
Proud partner. Susan G. Komen for the Cure.
 
Please consider our environment before printing this e-mail or attachments.
----------------------------------
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.
----------------------------------
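Added example, not part of the original thread: a shell function that reads the output of a `dig +dnssec <zone> ds` query (like the one quoted above) and reports whether an empty DS reply carries the signed NSEC/NSEC3 denial a validator needs to accept an unsigned child zone. The function names, result labels, and the `example.` sample replies are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `dig +dnssec <zone> ds` output read from stdin.
classify_ds_reply() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; [A-Z]+ SECTION:/ { section = $2; next }   # e.g. ANSWER, AUTHORITY
        /^;/ || NF < 5 { next }                        # comments and blank lines
        section == "ANSWER" && $4 == "DS" { ds++ }
        section == "AUTHORITY" && ($4 == "NSEC" || $4 == "NSEC3") { denial++ }
        section == "AUTHORITY" && $4 == "RRSIG" && ($5 == "NSEC" || $5 == "NSEC3") { signed++ }
        END {
            if (status != "NOERROR") print "other:" status
            else if (ds) print "secure-delegation"
            else if (denial && signed) print "insecure-delegation-proven"
            else print "missing-denial"   # validator cannot prove DS is absent
        }
    '
}

# Constructed sample: empty DS reply with only a signed SOA (the failure case).
sample_missing_denial() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; AUTHORITY SECTION:
example. 3600 IN SOA ns.example. admin.example. 1 3600 600 86400 3600
example. 3600 IN RRSIG SOA 7 1 3600 20100901000000 20100801000000 12345 example. Y29uc3RydWN0ZWQ=
EOF
}

# Constructed sample: same reply plus a signed NSEC whose type list has no DS.
sample_proven_insecure() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; AUTHORITY SECTION:
example. 3600 IN SOA ns.example. admin.example. 1 3600 600 86400 3600
example. 3600 IN RRSIG SOA 7 1 3600 20100901000000 20100801000000 12345 example. Y29uc3RydWN0ZWQ=
child.example. 3600 IN NSEC d.example. NS RRSIG NSEC
child.example. 3600 IN RRSIG NSEC 7 2 3600 20100901000000 20100801000000 12345 example. Y29uc3RydWN0ZWQ=
EOF
}

echo "SOA only:    $(sample_missing_denial | classify_ds_reply)"
echo "SOA + NSEC:  $(sample_proven_insecure | classify_ds_reply)"
```

To check a live server, pipe the real query into the function, for example `dig +dnssec @<parent-server> <child-zone> ds | classify_ds_reply`.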


