How to validate DNSSEC signed record with dig?

Marc Lampo marc.lampo at eurid.eu
Mon Feb 6 12:16:00 UTC 2012


Hello,

To be precise :
bind.odvr.dns-oarc.net. validates
    but seems to ignore expired (but otherwise valid) signatures.
unbound.odvr.dns-oarc.net. validates without ignoring expired signatures.

Kind regards,

Marc Lampo
Security Officer
EURid vzw/asbl

-----Original Message-----
From: Spain, Dr. Jeffry A. [mailto:spainj at countryday.net] 
Sent: 05 February 2012 09:35 PM
To: Nikolay Shaplov
Cc: bind-users at lists.isc.org
Subject: RE: How to validate DNSSEC signed record with dig?

> I am trying to validate the DNSSEC signature on an NS record using dig.
> Domain nox.su is properly signed using DNSSEC.
> I am trying to validate it as described here:
> http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/
> $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
> $ dig +topdown +sigchase nox.su
> but it gives me ";; DSset is missing to continue validation: FAILED"
> error while processing the whole hierarchy of zones.

> $ cat /etc/resolv.conf
> # Generated by NetworkManager
> domain router
> search router
> nameserver 8.8.8.8
> nameserver 78.46.213.227

Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com)
doesn't appear to offer DNSSEC validation, and 78.46.213.227
(rms.coozila.com) doesn't respond to my query at all.

A known-good publicly accessible DNSSEC-validating recursive resolver is
available at bind.odvr.dns-oarc.net. If I run "dig @bind.odvr.dns-oarc.net
nox.su +dnssec", I get an AD (authenticated data) flag returned for the A
record with IPv4 address 50.16.193.159. This is a prima facie indication
that DNSSEC is working for nox.su. The "+topdown" option isn't available
to me (bind 9.9.0rc2 version of dig).

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
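The two checks discussed in this thread (does the resolver set the AD flag, and are the RRSIGs actually inside their validity window, which Marc notes one of the ODVR resolvers does not enforce) can be scripted around plain dig output without +sigchase. The script below is an added example written for this page, not code from either poster; the dig outputs it parses are constructed samples in the BIND 9 dig presentation format (example.net, 192.0.2.10, key tag 12345 and the signature dates are made up), and the resolver/name arguments for the optional live query are assumptions.

```shell
#!/bin/sh
# Added example: check a DNSSEC answer from "dig ... +dnssec" for (1) the AD
# flag and (2) RRSIG validity windows. Relies only on sh, awk and date -u.

# Constructed sample: validating resolver sets AD, RRSIG window covers Feb 2012.
SAMPLE_VALID='; <<>> DiG 9.9.0 <<>> @validating.resolver example.net A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.  3600 IN A 192.0.2.10
example.net.  3600 IN RRSIG A 8 2 3600 20120301000000 20120201000000 12345 example.net. c29tZXNpZw=='

# Constructed sample: resolver still sets AD although the RRSIG expired on
# 2012-01-01 (the behaviour Marc describes for bind.odvr.dns-oarc.net).
SAMPLE_EXPIRED='; <<>> DiG 9.9.0 <<>> @lenient.resolver example.net A +dnssec
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.  3600 IN A 192.0.2.10
example.net.  3600 IN RRSIG A 8 2 3600 20120101000000 20111201000000 12345 example.net. c29tZXNpZw=='

# Constructed sample: non-validating resolver (no AD flag, no RRSIG returned).
SAMPLE_NOAD='; <<>> DiG 9.9.0 <<>> @8.8.8.8 example.net A +dnssec
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.  3600 IN A 192.0.2.10'

# has_ad_flag OUTPUT -> prints "yes" if the ";; flags:" header line lists "ad".
has_ad_flag() {
  printf '%s\n' "$1" | awk '
    /^;; flags:/ {
      sub(/^;; flags: */, ""); sub(/;.*/, "")
      n = split($0, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
    }
    END { print (found ? "yes" : "no") }'
}

# rrsig_status OUTPUT [REFTIME] -> one line per RRSIG: "<owner> <type> <status>".
# RRSIG presentation fields: owner TTL IN RRSIG type alg labels origttl
# expiration inception keytag signer signature. Times are UTC YYYYMMDDHHMMSS,
# so they compare correctly as plain numbers; REFTIME defaults to now (UTC).
rrsig_status() {
  ref=${2:-$(date -u +%Y%m%d%H%M%S)}
  printf '%s\n' "$1" | awk -v now="$ref" '
    $4 == "RRSIG" {
      if (now > $9) s = "expired"
      else if (now < $10) s = "not-yet-valid"
      else s = "valid"
      print $1, $5, s
    }'
}

# dnssec_verdict OUTPUT [REFTIME] -> validated | unvalidated | ad-but-rrsig-out-of-window
dnssec_verdict() {
  ad=$(has_ad_flag "$1")
  nbad=$(rrsig_status "$1" "$2" | awk '$3 != "valid" { n++ } END { print n + 0 }')
  if [ "$ad" != yes ]; then
    echo unvalidated
  elif [ "$nbad" -gt 0 ]; then
    echo ad-but-rrsig-out-of-window
  else
    echo validated
  fi
}

# Stand-alone demo on the constructed samples, pinned to 2012-02-06 12:00 UTC.
echo "valid sample:   $(dnssec_verdict "$SAMPLE_VALID" 20120206120000)"
echo "expired sample: $(dnssec_verdict "$SAMPLE_EXPIRED" 20120206120000)"
echo "no-AD sample:   $(dnssec_verdict "$SAMPLE_NOAD" 20120206120000)"

# Optional live check: ./dnssec_check.sh <resolver> [name]  (assumed usage).
if [ $# -ge 1 ] && command -v dig >/dev/null 2>&1; then
  live=$(dig @"$1" "${2:-nox.su}" A +dnssec)
  echo "live via $1: $(dnssec_verdict "$live")"
fi
```

Two caveats a practitioner should keep in mind. The AD bit is only as trustworthy as the path to the resolver: an attacker who can spoof answers on the way to your stub can set it, so it is evidence that the resolver validated, not a substitute for validating locally. And when a strict validator such as unbound.odvr.dns-oarc.net returns SERVFAIL for an expired signature, re-run the query with +cd (checking disabled) to retrieve the records and RRSIGs anyway; the expiration field then tells you why validation failed.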
