Bill Owens <ow...@nysernet.org> wrote:
>
> However, in this case I believe your problem is the lack of NS records
> in nau.edu for extended.nau.edu. It's difficult to know for sure, but it
> appears that the only signature for the NS RRSET is using the ZSK for
> extended.nau.edu, not the ZSK for nau.edu.

This is normal. DNSSEC does not sign delegation RRsets (NS records and
glue A and AAAA records) because they are part of the child zone. DS
records are special because although they live at the name of the child
zone, they are considered part of the parent zone and are therefore signed
by the parent, which forms a link in the chain of trust. For example,

<<>> DiG 9.9.0a2 <<>> +dnssec ns cam.ac.uk. @ns0.ja.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1490
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cam.ac.uk.                     IN      NS

;; AUTHORITY SECTION:
cam.ac.uk.              86400   IN      NS      authdns1.csx.cam.ac.uk.
cam.ac.uk.              86400   IN      NS      authdns0.csx.cam.ac.uk.
cam.ac.uk.              86400   IN      NS      dns1.cl.cam.ac.uk.
cam.ac.uk.              86400   IN      NS      bitsy.mit.edu.
cam.ac.uk.              86400   IN      NS      ns2.ic.ac.uk.
cam.ac.uk.              86400   IN      NS      dns0.eng.cam.ac.uk.
cam.ac.uk.              86400   IN      NS      dns0.cl.cam.ac.uk.
cam.ac.uk.              86400   IN      DS      5998 5 1 4FC806508D1FA1FE40AAF366A9180E052331D574
cam.ac.uk.              86400   IN      DS      5998 5 2 B398A3523E2D6A10C0C3B349FA7AD0639551950F2FBD9E82A6B69370 C2725548
cam.ac.uk.              86400   IN      RRSIG   DS 8 3 86400 20111029080710 20110929080710 20880 ac.uk. PjKjwnwTrMin9srEn5t+2LZhwRzndokxJit/0339LhaGhtrB7Mr7Jo5M 5D2nqYdJr2oo7LXIN90p1RLitHVQrP05B6G8jyjJZJhPB6UlWMfvdIuQ k+FClgxnvWLBraXLdVWGmrMbp08i63KoYnBbtWOJEmts9CPnKMXLOtji 1K8=

;; ADDITIONAL SECTION:
ns2.ic.ac.uk.           86400   IN      A       155.198.142.82
dns0.cl.cam.ac.uk.      86400   IN      A       128.232.0.19
dns0.eng.cam.ac.uk.     86400   IN      A       129.169.8.8
dns1.cl.cam.ac.uk.      86400   IN      A       128.232.0.18
authdns0.csx.cam.ac.uk. 86400   IN      A       131.111.8.37
authdns0.csx.cam.ac.uk. 86400   IN      AAAA    2001:630:212:8::d:a0
authdns1.csx.cam.ac.uk. 86400   IN      A       131.111.12.37
authdns1.csx.cam.ac.uk. 86400   IN      AAAA    2001:630:212:12::d:a1

;; Query time: 4 msec
;; SERVER: 2001:630:0:9::14#53(2001:630:0:9::14)
;; WHEN: Mon Oct 3 14:25:26 2011
;; MSG SIZE rcvd: 601

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Viking, North Utsire: Southerly veering southwesterly 6 to gale 8,
occasionally severe gale 9 at first in northwest Viking. Moderate or rough
becoming very rough or high. Rain then squally showers. Moderate or good,
occasionally poor.
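
The distinction drawn in the reply above, as an added example that is not part of the original message: a small Python checker that reads a parent's referral in dig's presentation format and labels each RRset as signed, expected-unsigned delegation data, or a missing DS signature. The function names and verdict strings are hypothetical, the sample referral is constructed from the output above with a placeholder signature, and the check only looks for the presence of a covering RRSIG; it does not validate it cryptographically.

```python
from collections import defaultdict

# Constructed sample modelled on the referral above; the signature is a placeholder.
REFERRAL = """\
cam.ac.uk. 86400 IN NS authdns0.csx.cam.ac.uk.
cam.ac.uk. 86400 IN NS authdns1.csx.cam.ac.uk.
cam.ac.uk. 86400 IN DS 5998 5 1 4FC806508D1FA1FE40AAF366A9180E052331D574
cam.ac.uk. 86400 IN RRSIG DS 8 3 86400 20111029080710 20110929080710 20880 ac.uk. PLACEHOLDERSIG=
authdns0.csx.cam.ac.uk. 86400 IN A 131.111.8.37
authdns0.csx.cam.ac.uk. 86400 IN AAAA 2001:630:212:8::d:a0
"""

def parse(text):
    """Return (rrsets, sigs): (owner, type) -> rdata list, (owner, covered type) -> signer."""
    rrsets, sigs = defaultdict(list), {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # skip blank lines and dig comment lines
        owner, _ttl, _cls, rtype, *rdata = line.split()
        owner = owner.lower()
        if rtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl expire inception keytag signer sig
            sigs[(owner, rdata[0])] = rdata[7].lower()
        else:
            rrsets[(owner, rtype)].append(" ".join(rdata))
    return rrsets, sigs

def classify(text, child):
    """Label each RRset in a parent's referral for the delegation to `child`."""
    rrsets, sigs = parse(text)
    child = child.lower()
    ns_targets = {t.lower() for t in rrsets.get((child, "NS"), [])}
    report = {}
    for owner, rtype in rrsets:
        signer = sigs.get((owner, rtype))
        if signer:
            report[(owner, rtype)] = f"signed by {signer}"
        elif owner == child and rtype == "NS":
            report[(owner, rtype)] = "unsigned delegation NS (expected)"
        elif owner in ns_targets and rtype in ("A", "AAAA"):
            report[(owner, rtype)] = "unsigned glue (expected)"
        elif owner == child and rtype == "DS":
            report[(owner, rtype)] = "UNSIGNED DS: chain of trust broken"
        else:
            report[(owner, rtype)] = "unsigned (unexpected)"
    return report

if __name__ == "__main__":
    for key, verdict in classify(REFERRAL, "cam.ac.uk.").items():
        print(*key, "->", verdict)
```
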