https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248239
--- Comment #15 from Viktor Dukhovni <ietf-d...@dukhovni.org> ---
Comment on attachment 216796
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=216796
Drill -DT

The drill output you provide shows everything working correctly:

>$ drill -DT www.europris.no
>;; Number of trusted keys: 1
>;; Domain: .
>[T] . 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
> . 172800 IN DNSKEY 256 3 8 ;{id = 46594 (zsk), size = 2048b}
>Checking if signing key is trusted:
>New key: . 172800 IN DNSKEY 256 3 8 <blob> ;{id = 46594 (zsk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 257 3 8 <blob> ;{id = 20326 (ksk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 257 3 8 <blob> ;{id = 20326 (ksk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 256 3 8 <blob> ;{id = 46594 (zsk), size = 2048b}
>Key is now trusted!
>[T] no. 86400 IN DS 29471 8 2 <blob>
>;; Domain: no.
>[T] no. 3600 IN DNSKEY 256 3 8 ;{id = 35961 (zsk), size = 1024b}
> no. 3600 IN DNSKEY 257 3 8 ;{id = 29471 (ksk), size = 2048b}
>Checking if signing key is trusted:
>New key: no. 3600 IN DNSKEY 256 3 8 <blob> ;{id = 35961 (zsk), size = 1024b}
> Trusted key: . 172800 IN DNSKEY 257 3 8 <blob> ;{id = 20326 (ksk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 257 3 8 <blob> ;{id = 20326 (ksk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 256 3 8 <blob> ;{id = 46594 (zsk), size = 2048b}
> Trusted key: no. 3600 IN DNSKEY 256 3 8 <blob> ;{id = 35961 (zsk), size = 1024b}
>Key is now trusted!
> Trusted key: no. 3600 IN DNSKEY 257 3 8 <blob> ;{id = 29471 (ksk), size = 2048b}
>[T] europris.no. 7200 IN DS 25323 15 2 <blob>
>europris.no. 7200 IN DS 25323 15 4 <blob>
>;; Domain: europris.no.
>;; Signature ok but no chain to a trusted key or ds record
>[S] europris.no. 3600 IN DNSKEY 256 3 15 ;{id = 39946 (zsk), size = 0b}
> europris.no. 3600 IN DNSKEY 257 3 13 ;{id = 46820 (ksk), size = 256b}
> europris.no. 3600 IN DNSKEY 257 3 15 ;{id = 25323 (ksk), size = 0b}
> europris.no. 3600 IN DNSKEY 256 3 13 ;{id = 14997 (zsk), size = 256b}
>;; No DS for www.europris.no.
>;; No ds record for delegation

The DS algorithm is not supported, so it is treated as absent, and the DNSKEY
RRset is reported as self-signed[S].

>;; Domain: www.europris.no.
>;; No DNSKEY record found for www.europris.no.
>[U] No data found for: www.europris.no. type A
>;;[S] self sig OK; [B] bogus; [T] trusted

There are apparently no A records for www.europris.no, though there is a CNAME
record:

  www.europris.no. IN CNAME m2-varnish-production-1583682531.eu-west-1.elb.amazonaws.com.
  www.europris.no. IN RRSIG CNAME 13 3 300 20200822020208 20200723020208 14997 europris.no. <blob>
  www.europris.no. IN RRSIG CNAME 15 3 300 20200822020208 20200723020208 39946 europris.no. <blob>

It appears that "drill -D -T <domain>" does not report the CNAME or A records,
while "drill -D" or "drill -T" alone do. I see no issue here.
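
The following Python is an added example, not part of the original comment and not code from drill or ldns. It applies the rule described above (RFC 4035, section 5.2: a DS RRset containing only algorithms the validator does not support is handled as if no DS existed) to the europris.no records from the quoted output. The function names and the supported-algorithm sets are assumptions made for illustration.

```python
import re

# Constructed input: the DS and DNSKEY lines for europris.no as they appear
# in the drill output quoted above (key material already elided as <blob>).
DRILL_LINES = """\
[T] europris.no. 7200 IN DS 25323 15 2 <blob>
europris.no. 7200 IN DS 25323 15 4 <blob>
[S] europris.no. 3600 IN DNSKEY 256 3 15 ;{id = 39946 (zsk), size = 0b}
europris.no. 3600 IN DNSKEY 257 3 13 ;{id = 46820 (ksk), size = 256b}
europris.no. 3600 IN DNSKEY 257 3 15 ;{id = 25323 (ksk), size = 0b}
europris.no. 3600 IN DNSKEY 256 3 13 ;{id = 14997 (zsk), size = 256b}
"""

# DS rdata: key tag, algorithm, digest type.
DS_RE = re.compile(r"\bIN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)")
# DNSKEY rdata: flags, protocol (always 3), algorithm; drill prints the key tag as "id".
KEY_RE = re.compile(r"\bIN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+;\{id = (\d+)")

def parse(text):
    """Return (ds, keys): ds = [(key_tag, alg, digest_type)], keys = {(key_tag, alg)}."""
    ds = [tuple(int(g) for g in m.groups()) for m in DS_RE.finditer(text)]
    keys = {(int(m.group(3)), int(m.group(2))) for m in KEY_RE.finditer(text)}
    return ds, keys

def classify(ds, keys, supported_algs, supported_digests=frozenset({1, 2, 4})):
    """Delegation status as seen by a validator with the given algorithm support
    (hypothetical helper; signature verification itself is out of scope here)."""
    if not ds:
        return "insecure"          # no DS at all: unsigned delegation
    usable = [d for d in ds if d[1] in supported_algs and d[2] in supported_digests]
    if not usable:
        return "insecure"          # only unsupported DS: treated as if absent
    if any((tag, alg) in keys for tag, alg, _ in usable):
        return "secure-candidate"  # a usable DS names a DNSKEY; RRSIGs must still verify
    return "bogus"                 # usable DS, but no DNSKEY matches it

if __name__ == "__main__":
    ds, keys = parse(DRILL_LINES)
    # Assumed validator without Ed25519 (algorithm 15), as in the report above.
    print("without alg 15:", classify(ds, keys, {8, 13}))
    # Assumed validator that also supports algorithm 15.
    print("with alg 15:   ", classify(ds, keys, {8, 13, 15}))
```

Both DS records carry algorithm 15, so a validator limited to algorithms 8 and 13 has no usable DS even though the zone also publishes an algorithm 13 KSK (id 46820) that no DS refers to.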