Dnssec-validation auto
Ismael Suarez
Ismael_Suarez at coqui.com
Fri Nov 13 12:59:32 UTC 2020
With "dnssec-validation AUTO;" I get:
# delv +cd www.popularsba.com
;; resolution failed: timed out
With "dnssec-validation NO;" I get:
# delv +cd www.popularsba.com
;; resolution failed: timed out
; unsigned answer
www.popularsba.com. 279 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
CAPS just to show the difference in .conf
--
Ismael Suárez Maldonado | UNIX ADM | Coqui.Net Corp / ClaroTV
ismael_suarez at coqui.com<mailto:ismael_suarez at coqui.com> | T: 787-793-0001 x 4007
-----Original Message-----
From: Petr Menšík <pemensik at redhat.com<mailto:Petr%20%3d%3fUTF-8%3fQ%3fMen%3dC5%3dA1%3dC3%3dADk%3f%3d%20%3cpemensik at redhat.com%3e>>
To: bind-users at lists.isc.org<mailto:bind-users at lists.isc.org>
Subject: Re: Dnssec-validation auto
Date: Fri, 13 Nov 2020 11:26:17 +0100
Hi Ismael,
easiest way to check validation is using delv tool from BIND 9.11+. It
uses the same algorithm as BIND server does. If you get SERVFAIL from
your recursive server, try adding +cd parameter to delv or dig. When it
works with +cd, validation is responsible somewhere in recursive servers
chain.
It shows just unsigned to me, today.
$ delv +cd
<http://www.popularsba.com>
www.popularsba.com
; unsigned answer
<http://www.popularsba.com>
www.popularsba.com
. 282 IN CNAME
<http://www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com>
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com
.
<http://www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com>
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com
. 282 IN CNAME
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 102 IN A
161.71.31.253
Cheers,
Petr
On 11/13/20 5:26 AM, Ismael Suarez wrote:
Hi all
The following domain (
<http://www.popularsba.com>
www.popularsba.com
) does not resolve with dnssec validation set to auto, but when I change the validation off it works.
Why is this? How can I check this validation?
Using bind 9.12
Thanks to all
_______________________________________________
Please visit
<https://lists.isc.org/mailman/listinfo/bind-users>
https://lists.isc.org/mailman/listinfo/bind-users
to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at
<https://www.isc.org/contact/>
https://www.isc.org/contact/
for more information.
bind-users mailing list
<mailto:bind-users at lists.isc.org>
bind-users at lists.isc.org
<https://lists.isc.org/mailman/listinfo/bind-users>
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit
<https://lists.isc.org/mailman/listinfo/bind-users>
https://lists.isc.org/mailman/listinfo/bind-users
to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at
<https://www.isc.org/contact/>
https://www.isc.org/contact/
for more information.
bind-users mailing list
<mailto:bind-users at lists.isc.org>
bind-users at lists.isc.org
<https://lists.isc.org/mailman/listinfo/bind-users>
https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list