Question about resolver

J Doe general at nativemethods.com
Fri Apr 26 14:45:14 UTC 2024


On 2024-04-25 08:55, Josh Kuo wrote:

> DS = Delegation Signer, it is the record type that a signed child uploads
> to the parent zone. It's difficult to say for sure without more
> information such as which domain name you are trying to resolve, but
> looks like it is probably due to a mis-matching DS record between the
> child and the parent (security lameness).
>
> You can use tools such as
> https://dnssec-analyzer.verisignlabs.com/online to help you analyze
> further. If you need to refresh your knowledge on how DNSSEC works, see
> the ISC DNSSEC Guide:
> https://bind9.readthedocs.io/en/v9.18.14/dnssec-guide.html
>
> -Josh

Hi Josh,

Thank you for your prompt reply!

In this particular case, isn't the resolver attempting to do a reverse
lookup of the IP address that's listed?

Secondly, I'm still not entirely sure what the phrasing "chase DS
servers" means.  I am aware of the DS RR type.

As a side-note:  I believe the "lame-servers" here is a function of me
configuring QNAME minimization to "relaxed".

Thanks,

- J


More information about the bind-users mailing list