On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell <br...@interlinx.bc.ca> wrote: > The only written to that file when one of those broken chain lookups happen > is: > > dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: > starting > dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: > attempting negative response validation > dnssec: validator @0x2295e9b0: dns_validator_destroy > > The dig query that produced that: > > $ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt >
What happens when you run the following queries: dig +dnssec @linux -p 1053 org SOA Do you get a NOERROR response with the AD bit set? dig +dnssec @linux -p 1053 bondedsender.org DS Do you get a NOERROR response with AD bit set and NSEC3 RRs and their covering RRSIGs? Casey _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users