On Thu, Aug 19, 2021 at 01:11:37AM -0400, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Thu, Aug 19, 2021 at 02:44:44PM +1000, raf wrote:
>
> > I just saw Viktor's reply about mx[1-4].smtp.goog,
> > and it looks like those domains are no longer signed:
> >
> >   > host -t ds mx1.smtp.goog
> >   mx1.smtp.goog has no DS record
> >   > host -t ds mx2.smtp.goog
> >   mx2.smtp.goog has no DS record
> >   > host -t ds mx3.smtp.goog
> >   mx3.smtp.goog has no DS record
> >   > host -t ds mx4.smtp.goog
> >   mx4.smtp.goog has no DS record
>
> That's not correct, those are not zone cuts, the signed zone is
> "smtp.goog".  To see whether a name is signed you ask for a
> DNSSEC validated response from a validating resolver:
>
>     $ dig +dnssec +nosplit +nocl +nottl -t a mx1.smtp.goog.
>
> --
>     Viktor.

Thanks. What a silly mistake. I should have done:

  host -t ds smtp.goog

cheers,
raf
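
The check described in the quoted reply, as an added example that is not part of the original thread: a shell function that reads the output of a `dig +dnssec` query and reports whether the resolver validated the answer. The function name `dnssec_status`, the result labels and the sample responses (names under `.example`, documentation addresses, placeholder signature data) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify one `dig +dnssec` response read from stdin.
#   secure       AD flag set: the resolver validated the answer
#   unvalidated  RRSIGs returned but no AD: signed data, not validated here
#   insecure     no AD and no RRSIGs: nothing indicates a signed answer
#   servfail     resolver failure, which is also how validation failures surface
#   unknown      no dig header found in the input
dnssec_status() {
    awk '
        /^;; ->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            line = $0
            sub(/^;; flags: */, "", line)   # drop the label
            sub(/;.*/, "", line)            # keep only the flag words
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        /^[^;]/ {
            # record line; the type column moves with +nocl/+nottl, so scan fields 2-4
            for (i = 2; i <= 4 && i <= NF; i++) if ($i == "RRSIG") rrsig = 1
        }
        END {
            if (status == "")              print "unknown"
            else if (status == "SERVFAIL") print "servfail"
            else if (ad)                   print "secure"
            else if (rrsig)                print "unvalidated"
            else                           print "insecure"
        }'
}

# Constructed sample responses (not captured from a real resolver).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
host.signed.example. A 192.0.2.10
host.signed.example. RRSIG A 13 3 300 20210901000000 20210818000000 12345 signed.example. c2FtcGxl'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
host.signed.example. 300 IN A 192.0.2.10
host.signed.example. 300 IN RRSIG A 13 3 300 20210901000000 20210818000000 12345 signed.example. c2FtcGxl'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_SECURE" "$SAMPLE_UNVALIDATED" "$SAMPLE_SERVFAIL"; do
    printf '%s\n' "$s" | dnssec_status
done
```

Against a live resolver the input would come from a pipe such as `dig +dnssec -t a NAME | dnssec_status`. The AD flag is only as trustworthy as the resolver that set it and the path the response took to reach the client.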