On Tue, Apr 12, 2022 at 09:37:22PM -0400, J Doe wrote:
> Apologies for my late reply.  Thank you so much for the detailed 
> explanation of: dnssec-validation auto and what happens when: bind.keys 
> doesn't exist.
> 
> With this setting in place in my: named.conf I then restarted BIND, gave 
> it a second to pull the trust information and then used: delv to test 
> verification.
> 
> The first test for unverified/unsigned was:
> 
>       $ delv google.com
>               ; unsigned answer
>                       . . .
> 
> ... and the second test for verified/signed was:
> 
>       $ delv ietf.org
>               ; fully validated
>                       . . .
> 
> ... which wouldn't have worked if: dnssec-validation auto failed in 
> getting the same information as: bind.keys

"delv" isn't actually the right tool for this job - it does its own
internal validation, regardless of whether the name server it's querying
is doing validation correctly or not.

Instead, use "dig" to query your name server and look for the "ad" bit
(Authenticated Data) in the response:

$ dig @localhost unsigned.com | grep flags
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

$ dig @localhost ietf.org | grep flags
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                   ^^

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
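As an added illustration of the check described in the reply above (this is not code from the original thread or from ISC), the following Python parses the header section of dig output and reports whether the resolver set the "ad" bit; the sample responses are constructed to match the two shown, and the SERVFAIL case is an addition based on the fact that a validating resolver returns SERVFAIL rather than an answer when validation fails.

```python
import re

# Constructed samples modelled on dig's header section; not captured from a live server.
UNSIGNED_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
"""
SIGNED_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed: what a validating resolver returns when the data fails validation.
BOGUS_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r";; ->>HEADER<<-.*\bstatus: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")


def parse_header(dig_output: str) -> dict:
    """Return the RCODE ('status') and the set of header flags from dig output."""
    status = None
    flags = set()
    for line in dig_output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            status = m.group(1)
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
    return {"status": status, "flags": flags}


def validation_state(dig_output: str) -> str:
    """Classify a response as validated (ad set), unvalidated (no ad), or servfail."""
    hdr = parse_header(dig_output)
    if hdr["status"] == "SERVFAIL":
        # The resolver refused to return data it could not validate (or had another failure).
        return "servfail"
    if "ad" in hdr["flags"]:
        return "validated"   # resolver asserts the answer passed DNSSEC validation
    return "unvalidated"     # unsigned zone, or the resolver is not validating


if __name__ == "__main__":
    for name, sample in (("unsigned", UNSIGNED_RESPONSE), ("signed", SIGNED_RESPONSE),
                         ("bogus", BOGUS_RESPONSE)):
        print(name, "->", validation_state(sample))
```

To test a running server, feed it real output, e.g. `validation_state(subprocess.run(["dig", "@localhost", "ietf.org"], capture_output=True, text=True).stdout)`.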