Hello, Is your recursive resolver also authoritative for raindrop.us? If so, you will not get the "ad" flag. You can test with DNS-OARC resolver [1]:

# dig +dnssec +multiline @149.20.64.20 raindrop.us

; <<>> DiG 9.7.3 <<>> +dnssec +multiline @149.20.64.20 raindrop.us
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28120
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;raindrop.us.           IN A

;; ANSWER SECTION:
raindrop.us.            3600 IN A 199.26.172.34
raindrop.us.            3600 IN RRSIG A 5 2 3600 20120512011136 (
                                20120412010327 41190 raindrop.us.
                                kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtD
                                lTDfsk+2pPZ/XwKj1k2jIYButqXximUjHOHQHK1bSru7
                                V8DkkN7JF/wozTOiGCs777sOs90jKmaHIIMSTbNcQgtD
                                ySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5SVBY= )

;; Query time: 787 msec
;; SERVER: 149.20.64.20#53(149.20.64.20)
;; WHEN: Wed Apr 18 14:39:45 2012
;; MSG SIZE rcvd: 227

It's working fine.

[1] - https://www.dns-oarc.net/oarc/services/odvr

Best regards,
---------------------------------
Carlos Eduardo Ribas

2012/4/18 Alan Batie <a...@peak.org>

> I'm testing out dnssec with bind 9.9.0's auto signing and a test domain;
> this appears to be working (see below, RRSIG records returned from the
> actual nameserver), however an attempt to validate fails with:
>
> # dig +dnssec +sigchase soa raindrop.us
> ;; RRset to chase:
> raindrop.us.            987     IN      SOA     ns1.raindrop.us.
> hostmaster.rdrop.com.
> 2012030815 3600 3600 86400 3600
>
>
>
> Launch a query to find a RRset of type RRSIG for zone: raindrop.us.
>
> ;; RRSIG is missing for continue validation: FAILED
>
>
> I have this included in the resolver's named.conf:
>
> managed-keys {
>   "."
> initial-key 257 3 8
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ";
> };
>
> per https://calomel.org/dns_bind.html
>
> When I simply try to validate the root:
>
> # dig +dnssec +sigchase .
> ;; NO ANSWERS: no more
> We want to prove the non-existence of a type of rdata 1 or of the zone:
> there is no NSEC for this zone: validating that the zone doesn't exist
>
> ;; Impossible to verify the Non-existence, the NSEC RRset can't be
> validated: FAILED
>
> I'm not sure what to look for now...
>
>
>
> # dig +dnssec @ns6.peak.org raindrop.us
>
> ; <<>> DiG 9.9.0 <<>> +dnssec @ns6.peak.org raindrop.us
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15953
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;raindrop.us.                   IN      A
>
> ;; ANSWER SECTION:
> raindrop.us.            3600    IN      A       199.26.172.34
> raindrop.us.            3600    IN      RRSIG   A 5 2 3600 20120512011136
> 20120412010327
> 41190 raindrop.us.
> kH5rKfIHghbsiKLTMkO6GjDtXI0Afkgl2x74K0o0AKtDlTDfsk+2pPZ/
> XwKj1k2jIYButqXximUjHOHQHK1bSru7V8DkkN7JF/wozTOiGCs777sO
> s90jKmaHIIMSTbNcQgtDySqzPsd4Sn9Qp86Iykj0nvXyUeMib2bzPJ5S VBY=
>
> ;; AUTHORITY SECTION:
> raindrop.us.            3600    IN      NS      ns1.raindrop.us.
> raindrop.us.            3600    IN      RRSIG   NS 5 2 3600
> 20120512011136 20120412010327
> 41190 raindrop.us.
> UQxIRpKV+b4opfCJx/j4oIFht8nqxpn1g0siOLI2XkxfVrnXHh17/ChT
> X6PH5YOrF7D3v7AUMbVo+o8glSUfk1uML8i3C8H5lD/NmujPPrIqFaO/
> 6zCJen1q34FVunCoqfrYvYlaKHenFGsrpOl61H75ns0IjLMXSs+TRpIY GTs=
>
> ;; ADDITIONAL SECTION:
> ns1.raindrop.us.        3600    IN      AAAA    2607:f678::56
> ns1.raindrop.us.        3600    IN      RRSIG   AAAA 5 3 3600
> 20120512011136
> 20120412010327 41190 raindrop.us.
> MhaOIt7D7kT8k4USk9Mpocw+tSx8WBSO/Yi+4F/YFV1ZVSXLKgYj4K4S
> hTjVTBD3tCQYMJY+SkArlkoQRyTk4QYrLV8CP2TvvdrUPjZUZNAEMsuk
> 0NWsd2tLgStZ34yN0Pe1xa9P2SZjvsXJj1D1N5JNFxfS/OFCwMa9Hvcr atM=
>
> ;; Query time: 253 msec
> ;; SERVER: 2607:f678:10::53#53(2607:f678:10::53)
> ;; WHEN: Tue Apr 17 23:29:08 2012
> ;; MSG SIZE rcvd: 615
>
>
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
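
The flag check discussed in this thread, as an added example that is not part of the original messages: it reads the header flags from dig output (quoted or not) or from a raw DNS header and reports whether AD is set, or absent on an authoritative answer. The function names and status labels are assumptions; the two flag lines are taken from the dig runs in the thread, and the wire header is constructed.

```python
import re
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

# Flag lines as they appear in the two dig runs in this thread.
DIG_ODVR = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"
DIG_NS6 = ";; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3"
# Constructed 12-byte header: id 28120, flags qr rd ra ad, counts 1/2/0/1.
WIRE_ODVR = struct.pack("!HHHHHH", 28120, 0x81A0, 1, 2, 0, 1)


def flags_from_dig(output):
    """Return the flag names on the ';; flags:' line of dig output."""
    # Tolerate mail-quote prefixes ("> ") in front of the line.
    m = re.search(r"^(?:> ?)*;; flags:([a-z ]*);", output, re.MULTILINE)
    if m is None:
        raise ValueError("no ';; flags:' line in input")
    return set(m.group(1).split())


def flags_from_wire(message):
    """Return the flag names set in the header of a raw DNS message."""
    if len(message) < 12:
        raise ValueError("a DNS header is 12 bytes")
    _msg_id, word = struct.unpack("!HH", message[:4])
    return {name for name, bit in FLAG_BITS.items() if word & bit}


def dnssec_status(flags):
    """Classify a response by what its flags say about validation."""
    if "ad" in flags:
        return "validated"            # resolver vouches for the data
    if "aa" in flags:
        return "authoritative-no-ad"  # ask a resolver that does not serve the zone
    if "ra" in flags:
        return "recursive-no-ad"      # not validating, or no secure chain to the zone
    return "no-recursion"


if __name__ == "__main__":
    for label, flags in (("ODVR dig", flags_from_dig(DIG_ODVR)),
                         ("ns6 dig", flags_from_dig(DIG_NS6)),
                         ("ODVR wire", flags_from_wire(WIRE_ODVR))):
        print(label, sorted(flags), dnssec_status(flags))
```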