[nSLUG] DNSSEC configuration
George N. White III
gnwiii at gmail.com
Tue Dec 16 14:53:25 AST 2014
On Tue, Dec 16, 2014 at 12:48 PM, D G Teed <donald.teed at gmail.com> wrote:
> I'm looking into DNSSEC now that CIRA supports it. I thought I had
> the client look-ups supporting this, but now I see the dig results don't
> jive with that. Tried the usual set up at home on Debian like so:
> And this test goes through without failing:
> dig badsign-a.test.dnssec-tools.org +dnssec
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> badsign-a.test.dnssec-tools.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32924
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;badsign-a.test.dnssec-tools.org. IN A
> ;; ANSWER SECTION:
> badsign-a.test.dnssec-tools.org. 86379 IN A 220.127.116.11
> badsign-a.test.dnssec-tools.org. 86379 IN RRSIG A 5 4 86400
> 20150109054254 20141210044254 19442 test.dnssec-tools.org.
> LQJLtukkBY33YePiJ5w2trmgfbEpfuAvxahRladYmu4MqRwKVFlk9MDF rJ4=
> ;; Query time: 0 msec
> ;; SERVER: 192.168.0.3#53(192.168.0.3)
> ;; WHEN: Tue Dec 16 11:40:51 2014
> ;; MSG SIZE rcvd: 257
> This second test is supposed to fail according to dnssec-tools.org
> troubleshooting guide.
The "dig" manual just says that "+dnssec" requests that DNSSEC records be
maybe you need to enable signature chain chasing (compile with
Is the documentation I'm finding out of date or have I missed a piece?
It has the scent of something very simple being missed.
dnssec-tools.org <http://dnssec-tools.org> says my DNS is insecure and
the tutorials link gives
(Can't contact the database server: Unknown MySQL server host '
sidekick.rdi.tislabs.com' (2) (sidekick.rdi.tislabs.com)).
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
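
The following is an added example, not part of either poster's message. It reads dig header output and reports whether the resolver validated the answer. It relies on standard resolver behaviour that the thread does not state: a validating resolver sets the "ad" flag on answers it has verified and returns SERVFAIL for data with a bad signature, while "+dnssec" only sets the "do" bit to request the records. The function names and the two constructed replies are assumptions for illustration.

```python
import re

# Header and answer lines of the dig reply quoted in the message above.
PAGE_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32924
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
badsign-a.test.dnssec-tools.org. 86379 IN A 220.127.116.11
badsign-a.test.dnssec-tools.org. 86379 IN RRSIG A 5 4 86400
"""
# Constructed replies (not from the thread): what a validating resolver sends.
SERVFAIL_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""
VALIDATED_REPLY = PAGE_REPLY.replace("flags: qr rd ra;", "flags: qr rd ra ad;")

STATUS_RE = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)
EDNS_RE = re.compile(r"^; EDNS:.*?flags:\s*([a-z ]*);", re.M)

def parse_dig(text):
    """Extract the fields of a dig reply that matter for DNSSEC checks."""
    status, flags, edns = (r.search(text) for r in (STATUS_RE, FLAGS_RE, EDNS_RE))
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "do": bool(edns and "do" in edns.group(1).split()),   # DNSSEC records requested
        "rrsig": bool(re.search(r"\sIN\s+RRSIG\s", text)),    # signatures were returned
    }

def classify(text, expect_bogus=False):
    """expect_bogus=True when the queried name is a deliberately broken test name."""
    r = parse_dig(text)
    if r["status"] == "SERVFAIL":
        # SERVFAIL has other causes too; for a known-bad test name it is the expected result.
        return "rejected" if expect_bogus else "servfail"
    if "ad" in r["flags"]:
        return "validated"
    # RRSIGs present without "ad" only means the records were passed through unchecked.
    return "not-validating" if expect_bogus else "unvalidated"

if __name__ == "__main__":
    for name, reply in [("page", PAGE_REPLY), ("servfail", SERVFAIL_REPLY)]:
        print(name, classify(reply, expect_bogus=True))
```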