On 13/02/12 12:28, dE . wrote:
On 02/13/12 11:00, Spain, Dr. Jeffry A. wrote:
Using this DNS server, I'm still not getting the DNSKEY for any
DNSSEC capable domain; in fact this server has issues -
dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
I'd be really happy if I could get some domains which are signed.
Try this one: dig @bind.odvr.dns-oarc.net. isc.org +dnssec
You should get an AD flag returned and a variety of RRSIG records. Jeff.

I hope I'm not missing any concepts here, but there should be a public
key to verify the RRSIG, where's that? Shouldn't the server return
additional DNSKEY records?

No.

The RRSIG records are signatures of the name you did the query for, so are included in the same response.

The DNSKEY records are common to thousands of signatures, and it would therefore be a waste of bandwidth to include them in every response. They are separate records, which have to be fetched separately.
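
As an added illustration (not part of the original thread): an RRSIG names its signer and carries a key tag, and a validator uses those fields to pick the matching key out of the DNSKEY RRset it fetched in a separate query. The Python sketch below does that matching over constructed records for the placeholder zone `example.test.`; the keys and signature are made-up bytes, and matching the tag only selects the candidate key, it does not verify the signature.

```python
import base64
import struct

# Constructed sample records in dig presentation format (not real keys or signatures).
RRSIG_A = ("example.test. 3600 IN RRSIG A 8 2 3600 20120314000000 "
           "20120213000000 13372 example.test. AAECAwQFBgc=")
DNSKEYS = [
    "example.test. 3600 IN DNSKEY 257 3 8 AQIDBAUGBwg=",  # KSK (flags 257)
    "example.test. 3600 IN DNSKEY 256 3 8 CQoLDA0ODxA=",  # ZSK (flags 256)
]


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line: str) -> dict:
    f = line.split()
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    pubkey = base64.b64decode("".join(f[7:]))  # dig may split base64 with spaces
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return {"owner": f[0].lower(), "flags": flags, "alg": alg, "tag": key_tag(rdata)}


def parse_rrsig(line: str) -> dict:
    f = line.split()
    return {"covered": f[4], "alg": int(f[5]), "tag": int(f[10]), "signer": f[11].lower()}


def find_signing_key(rrsig_line: str, dnskey_lines: list):
    """Return the DNSKEY the RRSIG points at, or None if it was not fetched."""
    sig = parse_rrsig(rrsig_line)
    for key in map(parse_dnskey, dnskey_lines):
        if (key["owner"], key["alg"], key["tag"]) == (sig["signer"], sig["alg"], sig["tag"]):
            return key
    return None


if __name__ == "__main__":
    print(find_signing_key(RRSIG_A, []))       # answer alone: no key available
    print(find_signing_key(RRSIG_A, DNSKEYS))  # after the separate DNSKEY query
```

With only the A response in hand the lookup returns nothing; once the DNSKEY RRset for the signer name has been queried, the RRSIG's tag selects the zone-signing key.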