Adding DS records

Mark Andrews marka at isc.org
Fri Dec 20 22:01:03 UTC 2013


In message <alpine.LRH.2.03.1312201229270.18164 at maplepark.com>, David Forrest writes:
> On Fri, 20 Dec 2013, Steven Carr wrote:
> 
> > On 20 December 2013 18:10, pgndev <pgnet.dev at gmail.com> wrote:
> >> Gandi.net
> >> Great support, including DNSSEC:
> >
> > Gandi only support DNSSEC if you host the DNS elsewhere, their DNS
> > servers do not support DNSSEC.
> >
> > Steve
> gandi.net +1
> 
> I transferred from NS to Gandi in December 1998. I don't know about their 
> hosting of primary DNS but they do host a secondary of mine and it seems 
> to resolve there with an aa flag:
> 
> ; <<>> DiG 9.10.0a1 <<>> -t rrsig @ns6.gandi.net maplepark.com +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64272
> ;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 5, ADDITIONAL: 3

You don't test for dnssec support by requesting rrsigs.  Nameservers
can return rrsigs without supporting dnssec.

You test for dnssec support by doing a request for something else
with "do=1" set (+dnssec) and seeing if rrsig, nsec/nsec3/ds records
are returned along with the rest of the response.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
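
The check described in the reply above, as an added example that is not part of the original message or of BIND: a shell function that reads dig output and reports whether DNSSEC records came back alongside the answer to a query for some other type. The name dnssec_check and the example.test sample data are assumptions made for illustration.

```shell
# Added example, not from the thread. dnssec_check and example.test are made-up names.
# Typical use: dig +dnssec +norec @SERVER ZONE SOA | dnssec_check
# exit 0: DNSSEC records came back alongside the answer
# exit 1: none came back
# exit 2: inconclusive, the query itself asked for a DNSSEC type
dnssec_check() {
  awk '
    /^;; QUESTION SECTION:/   { sec = "q";  next }
    /^;; ANSWER SECTION:/     { sec = "an"; next }
    /^;; AUTHORITY SECTION:/  { sec = "au"; next }
    /^;; ADDITIONAL SECTION:/ { sec = "ad"; next }
    /^$/                      { sec = "";   next }
    sec == "q" && /^;/ && NF >= 3 { qtype = $NF }
    (sec == "an" || sec == "au") && !/^;/ && $4 ~ /^(RRSIG|NSEC|NSEC3|DS)$/ { n++ }
    END {
      if (qtype ~ /^(RRSIG|NSEC|NSEC3|DS)$/) {
        print "inconclusive: " qtype " was queried directly"; exit 2
      }
      if (n == 0) { print "no DNSSEC records returned with the " qtype " answer"; exit 1 }
      print n " DNSSEC record(s) returned with the " qtype " answer"; exit 0
    }'
}

# Constructed dig-style output (not captured from a real server).
SAMPLE_SIGNED='
;; QUESTION SECTION:
;example.test.  IN  SOA

;; ANSWER SECTION:
example.test. 3600 IN SOA ns1.example.test. host.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20140119000000 20131220000000 12345 example.test. c2FtcGxl
'
SAMPLE_RRSIG_QUERY='
;; QUESTION SECTION:
;example.test.  IN  RRSIG

;; ANSWER SECTION:
example.test. 3600 IN RRSIG SOA 8 2 3600 20140119000000 20131220000000 12345 example.test. c2FtcGxl
'

printf '%s\n' "$SAMPLE_SIGNED" | dnssec_check
printf '%s\n' "$SAMPLE_RRSIG_QUERY" | dnssec_check || echo "exit status $?"
```

The second sample mirrors a direct RRSIG query, which the function reports as inconclusive rather than as evidence of DNSSEC support.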

