dig -- only RRSIG present.
dE .
de.techno at gmail.com
Mon Feb 13 12:28:31 UTC 2012
On 02/13/12 11:00, Spain, Dr. Jeffry A. wrote:
>> Using this DNS server, I'm still not getting the DNSKEY for any DNSSEC capable domain; infact this server has issues -
>> dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
>> I'd be really happy if I could get some domains which are signed.
> Try this one: dig @bind.odvr.dns-oarc.net. isc.org +dnssec
> You should get an AD flag returned and a variety of RRSIG records. Jeff.
I hope I'm not missing any concepts here, but there should be a public
key to verify the RRSIG, where's that? Shouldn't the server return
additional DNSKEY records?
Also if I replace bind.odvr.dns-oarc.net. with one of the root
nameservers, why is it that AD flag is not set? The root nameservers are
DNSSEC capable.
More information about the bind-users
mailing list