DNSSEC problem with our zone

Bjørn Mork bjorn at mork.no
Wed May 18 21:34:38 UTC 2022


Mirsad Goran Todorovac <mirsad.todorovac at alu.unizg.hr> writes:

> Dear All,
>
> In the past three days I have just made our domain DNSSEC
> signed. However, I seem to be missing something.
>
> When I query other DNS servers, like CloudFlare 1.0.0.1, I get the
> "ad" flag.
>
> But in my own domain, and my own domain servers, the "ad" flag is
> still missing:
>
> root@domac:/var/cache/bind# dig -u @161.53.235.3 domac.alu.hr a +dnssec +multiline
>
> ; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> -u @161.53.235.3 domac.alu.hr a +dnssec +multiline
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5934
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

This is normal and expected.  You don't get validation on the
authoritative servers.  So if you see aa then there will be no ad.

Just check a few other signed zones and you'll see the same there.


Bjørn
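
The rule in the reply above, as an added example that is not part of the original message: it decodes the DNS header flags (from a dig `;; flags:` line or from a raw 12-byte header) and reports whether a missing "ad" flag is expected. The function names, the classification wording and the constructed header bytes are assumptions made for illustration.

```python
import re
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}


def flags_from_header(header: bytes) -> set:
    """Decode flag names from the first 12 bytes of a raw DNS message."""
    if len(header) < 12:
        raise ValueError("DNS header is 12 bytes")
    _msg_id, word = struct.unpack("!HH", header[:4])
    return {name for name, bit in FLAG_BITS.items() if word & bit}


def flags_from_dig(output: str) -> set:
    """Extract flag names from the ';; flags:' line of dig output."""
    m = re.search(r"^;; flags:([^;]*);", output, re.MULTILINE)
    if m is None:
        raise ValueError("no ';; flags:' line found")
    return set(m.group(1).split())


def classify(flags: set) -> str:
    """Say whether a missing 'ad' flag is expected for this response."""
    if "qr" not in flags:
        return "not a response"
    if "ad" in flags:
        return "validated by the answering resolver"
    if "aa" in flags:
        return "authoritative answer: no validation, 'ad' not expected"
    return "resolver answer without 'ad': not validated or zone unsigned"


# Flags line from the dig output quoted in the message above.
QUOTED = ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"
# Constructed sample: header of a response from a validating resolver
# (id 0x1234, flags qr rd ra ad = 0x81a0, one question, two answers).
CONSTRUCTED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)

if __name__ == "__main__":
    print(classify(flags_from_dig(QUOTED)))
    print(classify(flags_from_header(CONSTRUCTED)))
```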

