proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?
dchilton+bind at bestmail.us
Tue May 10 05:47:58 UTC 2011
On Tue, 10 May 2011 15:32 +1000, "Mark Andrews" <marka at isc.org> wrote:
>
> "date -u" on the nameserver. It is "Tue 10 May 2011 05:32:13 UTC"
> as I send this.
here,
date -u
Mon May 9 22:34:59 UTC 2011
hrm? not good :-/
switch time server daemon to a known signed domain (clock.isc.org)
service ntp restart
...
9 May 15:36:50 sntp[7762]: Started sntp
2011-05-09 15:36:55.874669 (+0800) +25198.977371 +/- 0.004883 secs
Time synchronized with clock.isc.org
Starting network time protocol daemon
(NTPD)
done
...
date -u
Tue May 10 05:37:43 UTC 2011
looks like problems with name resolution of time servers @ ntp startup?
i'll dig further. in any case ... with this corrected,
dig pir.org +dnssec
; <<>> DiG 9.8.0-P1 <<>> pir.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50128
--> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5,
ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org. IN A
;; ANSWER SECTION:
pir.org. 272 IN A 173.201.238.128
pir.org. 272 IN RRSIG A 5 2 300
20110523085011 20110509085011 38939 pir.org.
LLK3y1HXm3/F3Tvq/b/cW4jnQC6gxtYlalPhM28w3tUzo2wS482vaWQr
RF1DBvGTUD4uADNidjaftjkch7b2H1b+e5V4o0xQml/WpqCW/VqgLgxI
g/yIg9WhP1Ec8uvWG2Ojy0ZIM0JKBBfFFlIxZVYqCyrY8WittyUOFlwo O48=
;; AUTHORITY SECTION:
pir.org. 271 IN NS
ns1.yyz1.afilias-nst.info.
pir.org. 271 IN NS
ns1.ams1.afilias-nst.info.
pir.org. 271 IN NS
ns1.mia1.afilias-nst.info.
pir.org. 271 IN NS
ns1.sea1.afilias-nst.info.
pir.org. 271 IN RRSIG NS 5 2 300
20110523085011 20110509085011 38939 pir.org.
yUKJARGNwBWKFTi1V1nU5x38vcQrYPSn86G5MzjyMBjUWwZ3zZ4E+OMz
P8svjTEdwKd6ibQGAp7aVEcqE3ruCnioqaXCZJsjT6YCaTpIjUMmRvpj
tZUByl11+aqfcJuvfTNOo2PFtzRDv46vAlbZFf74fAK4AwNQa42OZlZC WVc=
;; Query time: 1 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Mon May 9 22:42:05 2011
;; MSG SIZE rcvd: 494
dig www.adobe.com
; <<>> DiG 9.8.0-P1 <<>> www.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33802
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2,
ADDITIONAL: 0
;; QUESTION SECTION:
;www.adobe.com. IN A
;; ANSWER SECTION:
--> www.adobe.com. 3600 IN CNAME
www.wip4.adobe.com.
www.wip4.adobe.com. 30 IN A 192.150.16.60
;; AUTHORITY SECTION:
wip4.adobe.com. 3600 IN NS
da1gtm001.adobe.com.
wip4.adobe.com. 3600 IN NS
3dns-5.adobe.com.
;; Query time: 862 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Mon May 9 22:40:34 2011
;; MSG SIZE rcvd: 115
dig www.adobe.com +dnssec
; <<>> DiG 9.8.0-P1 <<>> www.adobe.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6020
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2,
ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.adobe.com. IN A
;; ANSWER SECTION:
--> www.adobe.com. 3595 IN CNAME
www.wip4.adobe.com.
www.wip4.adobe.com. 25 IN A 192.150.16.60
;; AUTHORITY SECTION:
wip4.adobe.com. 3595 IN NS
da1gtm001.adobe.com.
wip4.adobe.com. 3595 IN NS
3dns-5.adobe.com.
;; Query time: 1 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Mon May 9 22:40:39 2011
;; MSG SIZE rcvd: 126
looks good, right?
was this simply a wrong-time artifact? or is there something else up?
DCh
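
Added example, not part of the original post and not BIND's own code: a validator accepts an RRSIG only while its clock lies between the signature's inception and expiration, so the sketch below parses those two fields from dig output and classifies a given clock against them. The sample records are the two RRSIGs from the post re-joined onto single lines with the signature data replaced by a placeholder; the function names and the two out-of-window clocks are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: RRSIG records from the dig output above, one per line,
# signature data replaced by a placeholder.
DIG_OUTPUT = """\
pir.org. 272 IN A 173.201.238.128
pir.org. 272 IN RRSIG A 5 2 300 20110523085011 20110509085011 38939 pir.org. SIGNATURE-OMITTED
pir.org. 271 IN NS ns1.yyz1.afilias-nst.info.
pir.org. 271 IN RRSIG NS 5 2 300 20110523085011 20110509085011 38939 pir.org. SIGNATURE-OMITTED
"""

# RRSIG presentation format (RFC 4034): covered type, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE)

def _ts(stamp):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    return [{"owner": m["owner"], "covered": m["covered"],
             "inception": _ts(m["inception"]), "expiration": _ts(m["expiration"])}
            for m in RRSIG_RE.finditer(text)]

def window_status(sig, clock):
    if clock < sig["inception"]:
        return "not-yet-valid"   # clock is behind the signing time
    if clock > sig["expiration"]:
        return "expired"         # clock is ahead, or the zone was not re-signed
    return "in-window"

def tolerable_lag_seconds(sig, true_now):
    # How far behind true time a clock may run before this signature
    # looks not-yet-valid to the validator.
    return int((true_now - sig["inception"]).total_seconds())

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

if __name__ == "__main__":
    clocks = {"first date -u in the post": utc(2011, 5, 9, 22, 34, 59),
              "after ntp restart": utc(2011, 5, 10, 5, 37, 43),
              "constructed: before inception": utc(2011, 5, 9, 1, 0, 0),
              "constructed: after expiration": utc(2011, 6, 1, 0, 0, 0)}
    for sig in parse_rrsigs(DIG_OUTPUT):
        for label, clock in clocks.items():
            print(sig["owner"], sig["covered"], label, window_status(sig, clock))
```

Each RRSIG in the chain of trust carries its own window, so the same check has to be repeated for the DNSKEY and DS signatures of every parent zone, not only for the answer's RRSIG.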