how can i recognize dnssec servers

Paul Wouters paul at cypherpunks.ca
Wed Apr 25 16:52:48 UTC 2012


On Wed, 25 Apr 2012, William SAMEN wrote:

> Hi, all Bind'ers
> I'm just trying to write a bash script which allows me to collect a list of zones which are signed with DNSSEC by giving a file of requests as an argument.
> So my problem is that I created my personal DNS with 3 signed zones; when I'm testing, all is good, but when I do a dig +dnssec on the gandi.net domain (for example) my DNS server didn't return an RRSIG in the answer section. Is it ok?
> Do you think I made a mistake in my named configuration? Recursion is working very well, but
> how can I know that a zone or domain has been signed? Is a dig +dnssec the best or the only way to know that?

Assuming your system uses a DNSSEC configured resolver with the root
key, and with "signed" you really mean "secure" (that is with a DS or
DLV trust path), you can use:

[paul at thinkpad ~]$ dig +dnssec nohats.ca|grep flags |grep "ad;"
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
[paul at thinkpad ~]$ echo $?
0
[paul at thinkpad ~]$ dig +dnssec foobar.ca|grep flags |grep "ad;"
[paul at thinkpad ~]$ echo $?
1

Paul
> Thanks for your help!!!
>
>
> William Thierry SAMEN
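The following script is an added example (not part of the thread or of BIND) that turns Paul's AD-flag check into the file-driven script William asked for. It assumes a DNSSEC-validating system resolver and a file of names, one per line (`zones.txt` is a made-up name). It matches ` ad` followed by a space or `;` rather than the literal `ad;`, so a flags line such as `qr rd ra ad cd;` (when `+cd` is in use) is also recognised.

```shell
#!/bin/sh
# Added example: classify names by whether a validating resolver sets the
# AD (Authenticated Data) flag in the dig reply, which is the check Paul
# shows above. Requires a DNSSEC-validating resolver; with a non-validating
# one every name will be reported as insecure.

# Return 0 if dig output on stdin carries the AD flag in the ";; flags:" line.
# ' ad[ ;]' also matches "ad cd;", which a plain grep for "ad;" would miss.
has_ad_flag() {
    grep '^;; flags:' | grep -q ' ad[ ;]'
}

# Query one name and print "secure" (AD set) or "insecure" (AD not set).
dnssec_status() {
    if dig +dnssec "$1" | has_ad_flag; then
        echo secure
    else
        echo insecure
    fi
}

# Walk a file of names (one per line) and print "<name> <status>".
check_file() {
    while read -r name; do
        [ -z "$name" ] && continue
        printf '%s %s\n' "$name" "$(dnssec_status "$name")"
    done < "$1"
}

# Constructed sample dig flag lines, used to exercise has_ad_flag offline.
SAMPLE_AD=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7'
SAMPLE_AD_CD=';; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: ./dnssec-check.sh zones.txt
if [ $# -ge 1 ]; then
    check_file "$1"
fi
```

An AD flag only tells you that your own resolver validated the answer; a zone that is signed but has no DS or DLV trust path comes back without AD just like an unsigned one, which is the "signed" versus "secure" distinction Paul draws.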
