Hi Ganga

On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote:
> With dnssec-validation turned on, resolving sites like www.icann.org
> <http://www.icann.org/> fails. The alternative is to remove validation
> which of course is not the desired solution.

Are you able to reproduce the bug with the latest stock version of BIND
9.9? 9.9.4 is very old and that branch has had numerous bugfixes since.

I'm not able to reproduce such a validation failure with 9.9.11:

[muks@jurassic bind9]$ bin/dig @127.0.0.1 -p 53000 www.icann.org

; <<>> DiG 9.9.11 <<>> @127.0.0.1 -p 53000 www.icann.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28837
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.icann.org.                 IN      A

;; ANSWER SECTION:
www.icann.org.          3497    IN      CNAME   www.vip.icann.org.
www.vip.icann.org.      30      IN      A       192.0.32.7

;; Query time: 464 msec
;; SERVER: 127.0.0.1#53000(127.0.0.1)
;; WHEN: Wed Aug 30 18:59:51 IST 2017
;; MSG SIZE  rcvd: 80

[muks@jurassic bind9]$

Both dig and named are from BIND 9.9.11. AD bit is set indicating
validation was performed.

                Mukund
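
Added example, not part of the message above and not BIND code: a Python decoder for the 12-byte DNS header that reads the same fields dig prints on its HEADER and flags lines and classifies a response by its status and AD bit. The sample messages are constructed from the header values in the dig output, and the function and constant names are this example's own.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed headers: id 28837, QUERY/ANSWER/AUTHORITY/ADDITIONAL counts.
SAMPLE_VALIDATED = struct.pack("!6H", 28837, 0x81A0, 1, 2, 0, 1)  # qr rd ra ad
SAMPLE_NO_AD = struct.pack("!6H", 28837, 0x8180, 1, 2, 0, 1)      # qr rd ra
SAMPLE_SERVFAIL = struct.pack("!6H", 28837, 0x8182, 1, 0, 0, 1)   # rcode 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": msg_id,
        "opcode": (flags >> 11) & 0xF,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "status": RCODES.get(rcode, f"RCODE{rcode}"),
        "counts": (qd, an, ns, ar),
    }


def validation_state(msg: bytes) -> str:
    """Classify a resolver response by what it says about DNSSEC validation."""
    hdr = parse_header(msg)
    if "qr" not in hdr["flags"]:
        return "not-a-response"
    if hdr["status"] == "SERVFAIL":
        # A validating resolver answers SERVFAIL when validation fails,
        # but SERVFAIL has other causes too, so treat this as a hint only.
        return "servfail"
    if hdr["status"] in ("NOERROR", "NXDOMAIN") and "ad" in hdr["flags"]:
        return "validated"
    return "unvalidated"


if __name__ == "__main__":
    for sample in (SAMPLE_VALIDATED, SAMPLE_NO_AD, SAMPLE_SERVFAIL):
        print(parse_header(sample), validation_state(sample))
```

The AD bit is the resolver's claim, so it is only meaningful when the path to that resolver is trusted, as with the loopback query in the message above.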