Additionally you can detect a DNSSEC failure by asking
queries with and without the CD bit set.
Most DNSSEC failures can be diagnosed with dig, knowing the
current time and date and access to named.conf for the trust
anchors. They are actually easier to diagnose than most
other DNS failure issues.
Most DNSSEC failures fall into these categories:
* failure to re-sign: check the dates in the RRSIG records.
* failure to roll a key correctly: check that the key ids match.
dig +multi will print out the key id for KEY and DNSKEY
records.
To find the failure you ask the failing server for the records
in the trust chain until you find the break point.
record -> dnskey [ [ -> ds/dlv -> dnskey ] ..... ] -> trusted-key.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
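Example code added here to illustrate the two checks in the post (the RRSIG date window and the RRSIG/DNSKEY key id match); it is not Mark's or ISC's code. It computes the key id the way dig +multi reports it (RFC 4034 Appendix B key tag over the DNSKEY RDATA) and evaluates an RRSIG line pasted from dig against a given clock. The DNSKEY and RRSIG records are constructed samples, not real zone data.

```python
"""Offline checks for the RRSIG date window and RRSIG/DNSKEY key id match.
Sample records below are constructed for illustration, not real zone data."""
import base64
import struct
from datetime import datetime, timezone

def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag (the key id dig +multi prints) per RFC 4034 Appendix B, over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def _ts(text: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG record as dig prints it (single-line presentation format)."""
    f = line.split()
    # owner ttl IN RRSIG type_covered alg labels orig_ttl expiration inception key_tag signer sig...
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": _ts(f[8]), "inception": _ts(f[9]),
            "key_tag": int(f[10]), "signer": f[11]}

def diagnose(rrsig_line: str, dnskeys: list, now_text: str) -> list:
    """Return the failure categories that apply; an empty list means neither."""
    sig, now = parse_rrsig(rrsig_line), _ts(now_text)
    problems = []
    if now < sig["inception"]:
        problems.append("inception in the future: check the resolver clock")
    if now > sig["expiration"]:
        problems.append("RRSIG expired: zone was not re-signed")
    tags = {dnskey_key_tag(*key) for key in dnskeys}
    if sig["key_tag"] not in tags:
        problems.append("no DNSKEY with key id %d: key roll mismatch" % sig["key_tag"])
    return problems

# Constructed sample data: a KSK (flags 257, RSASHA256) with a dummy public key.
SAMPLE_DNSKEYS = [(257, 3, 8, "AwEAAavN")]
SAMPLE_RRSIG = ("example. 3600 IN RRSIG SOA 8 1 3600 20240301000000 "
                "20240201000000 45784 example. c2lnbmF0dXJl")
```

Run diagnose() once with the current UTC time and once with a time you know is inside the window; if only the first run complains about the dates, the zone was not re-signed, and if the key id is reported missing in both, the key roll is the problem.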