> On 28 Apr 2016, at 15:19, Martin Rex <[email protected]> wrote:
>
> $ bin/dig/dig +sigchase +trusted-key=./root.keys tools.ietf.org. | tail -2
> ;; RRSIG is missing for continue validation: FAILED
>
>
> and the latter failure is something that I don't understand.

tools.ietf.org is an unsigned delegation of the signed ietf.org. Now maybe tools.ietf.org should be signed. Maybe it doesn’t. But it doesn’t *have* to be signed just because its parent zone is signed. After all the root is signed and we’re some way off universal deployment of DNSSEC. Or DANE.

BTW, you should be using proper DNSSEC debugging tools. The latest versions of bind ship with delv and there’s drill from NLnetLabs. Both are FAR superior to dig's ugly sigchase hack when it comes to looking at DNSSEC stuff. If you prefer GUIs, try dnsviz.

> If the IETF can not get DNSSEC right, who should?

They are getting it right AFAICT.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
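
The distinction drawn in the reply above, as an added example that is not part of the original thread or any validator's code: a simplified model of the RFC 4035 security states (secure, insecure, bogus) applied while descending from the trust anchor. The `Cut` structure, `classify` function and all delegation flags are hypothetical and constructed; nothing is queried from the DNS.

```python
"""Simplified chain-of-trust walk over constructed data; performs no DNS queries."""
from dataclasses import dataclass


@dataclass
class Cut:
    """What a validator learns at one delegation (hypothetical structure)."""
    child: str
    ds_present: bool        # parent serves a validly signed DS RRset for child
    ds_denial_proven: bool  # parent's signed NSEC/NSEC3 proves there is no DS
    child_sigs_valid: bool  # child DNSKEY matches the DS and its RRSIGs verify


def classify(chain, anchor="."):
    """Return (status, zone) after descending `chain` from the trust anchor."""
    zone = anchor
    for cut in chain:
        zone = cut.child
        if cut.ds_present:
            if not cut.child_sigs_valid:
                return ("bogus", zone)   # DS promises signatures, none verify
            continue                     # secure link, keep descending
        if cut.ds_denial_proven:
            return ("insecure", zone)    # provably unsigned from here down
        return ("bogus", zone)           # DS neither served nor disproved
    return ("secure", zone)


# Constructed flags mirroring the thread: signed parents, unsigned tools.ietf.org.
SIGNED_PARENTS = [
    Cut("org.", True, False, True),
    Cut("ietf.org.", True, False, True),
]
UNSIGNED_CHILD = SIGNED_PARENTS + [Cut("tools.ietf.org.", False, True, False)]
# Constructed failure cases: signatures stripped under a DS, and a missing proof.
STRIPPED_SIGS = SIGNED_PARENTS + [Cut("tools.ietf.org.", True, False, False)]
NO_DS_NO_PROOF = SIGNED_PARENTS + [Cut("tools.ietf.org.", False, False, False)]

if __name__ == "__main__":
    for name, chain in [("ietf.org.", SIGNED_PARENTS),
                        ("unsigned delegation", UNSIGNED_CHILD),
                        ("RRSIGs missing under a DS", STRIPPED_SIGS),
                        ("no DS and no denial proof", NO_DS_NO_PROOF)]:
        print(f"{name:28} -> {classify(chain)}")
```

Missing signatures count as a validation failure only when a DS record exists at the parent, or when the parent cannot prove that none exists.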
