DNSSEC, whitehouse, isc, and troubleshooting...
Chris Thompson
cet1 at cam.ac.uk
Mon Apr 18 18:50:28 UTC 2011
On Apr 18 2011, Evan Hunt wrote:
>On Mon, Apr 18, 2011 at 10:51:04AM -0700, John Williams wrote:
>> From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad
>> flag as expected. I don't see that flag when I query whitehouse.gov (w/
>> +dnssec) and I know that zone is signed.
>>
>> Is anyone else seeing this behavior? Also, is there a link that
>> addresses troubleshooting or diagnosing DNSSEC based queries?
>
>My guess is you're looking at www.whitehouse.gov, which is a CNAME to
>www.whitehouse.gov.edgesuite.net, which isn't signed, so the ad flag
>is unset. Try "dig +dnssec ns whitehouse.gov" and you should see
>the ad flag. (Anyway, it's working for me at the moment.)
Or even "dig +dnssec cname www.whitehouse.gov". The CNAME is signed,
its target isn't.
--
Chris Thompson
Email: cet1 at cam.ac.uk
More information about the bind-users
mailing list