Thanks Casey! The link to dnsviz.net also explains part of why I was getting confused. It appears that there are not any DS records at the root (yet?) for the .gov level. This explains why when I did a dig with +sigchase +topdown options it was failing to validate way earlier in the chain. I was only using the root trusted key in my /etc/trusted-key.key file for dig while the server itself is using DLV to validate down the chain until it gets to the missing DNSKEY record.
On 09/15/2010 10:05 AM, Casey Deccio wrote:
> On Wed, Sep 15, 2010 at 7:34 AM, Timothy Holtzen <t...@nebrwesleyan.edu>
> wrote:
>> I am having trouble resolving the host name cod.ed.gov which I believe
>> may be dnssec related
> ...
>
>> in my logs I am getting the messages:
>>
>> validating @0x2ab727eb5810: cod.ed.gov A: got insecure response; parent
>> indicates it should be secure
>> dnssec: info: validating @0x2ab727eb5810: cod.ed.gov A: got insecure
>> response; parent indicates it should be secure
>> error (insecurity proof failed) resolving 'cod.ed.gov/A/IN': 63.150.74.34#53
>>
> There are DS RRs for cod.ed.gov in the parent zone (ed.gov),
> indicating that cod.ed.gov should be signed with a DNSKEY
> corresponding to the existing DS RR. However, cod.ed.gov is not
> signed, particularly not with the DNSKEY corresponding to the DS RR,
> which DNSKEY doesn't seem to exist in the zone at all.
> http://dnsviz.net/d/cod.ed.gov/dnssec/
>
> To remedy the issue, the ed.gov administrators should remove the DS RR
> for cod.ed.gov from the ed.gov zone, which will make cod.ed.gov an
> insecure delegation (meaning that it can continue to be unsigned). If
> desired, the zone can then be resigned, and the appropriate DS RRs
> added to the parent.
>
> I can send them a note off-list.
>
> Regards,
> Casey
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
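The delegation states discussed in this thread (DS in the parent with no matching DNSKEY in the child, DS removed, zone re-signed), as an added example that is not part of the original messages: it derives DS fields from DNSKEY RDATA per RFC 4034 and compares the two RRsets. The key bytes, helper names and verdict strings are constructed for illustration, and the check covers only the DS-to-DNSKEY link, not RRSIG verification.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def wire_name(name):  # canonical (lowercased) wire format of an owner name
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):  # key tag over DNSKEY RDATA, RFC 4034 Appendix B
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def classify_delegation(owner, parent_ds, child_dnskeys):
    """Compare the parent's DS RRset with the child's DNSKEY RRset."""
    if not parent_ds:
        return "insecure"            # no DS: the child may stay unsigned
    for tag, alg, dtype, digest in parent_ds:
        if dtype not in DIGESTS:
            continue                 # unsupported digest type: skip this DS
        for rdata in child_dnskeys:
            if make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.lower()):
                return "ds-matches-dnskey"
    return "bogus"                   # DS present, but no DNSKEY it points to

# Constructed sample data: the key bytes are made up, not real zone data.
OLD_KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 3, 8, bytes(range(64, 128)))
ZONE = "cod.ed.gov."

def demo():
    stale_ds = [make_ds(ZONE, OLD_KSK)]
    return {
        "DS in parent, child unsigned": classify_delegation(ZONE, stale_ds, []),
        "DS removed from parent": classify_delegation(ZONE, [], []),
        "re-signed, new DS published": classify_delegation(ZONE, [make_ds(ZONE, NEW_KSK)], [NEW_KSK]),
    }

if __name__ == "__main__":
    print(demo())
```

The first case is the state a validating resolver reports as "got insecure response; parent indicates it should be secure".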