On 12-07-20 10:42 AM, Mark Andrews wrote: > > The NS RRset is the delegation records and as such has no RRSIGs. > If you turn on minimal-responses the NS rrset won't be added and > AD won't be cleared. AD is only set to 1 if all the records in the > answer and authority sections are marked as secure.
OK. So I added:
minimal-responses yes;
and the dig response does indeed look much more "minimal", but the
ad bit is still not being set:
# dig +dnssec @localhost 119.in-addr.arpa SOA
; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45253
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;119.in-addr.arpa. IN SOA
;; ANSWER SECTION:
119.in-addr.arpa. 172800 IN SOA ns1.apnic.net.
read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800
172800
119.in-addr.arpa. 172800 IN RRSIG SOA 5 3 172800 20120819055026
20120720045026 31291 119.in-addr.arpa.
DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM
GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70
KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=
;; Query time: 720 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 20 10:50:21 2012
;; MSG SIZE rcvd: 310
Strangely I didn't get an error logged about there being no valid
signature for 119.in-addr.arpa SOA though.
Cheers,
b.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
