[Dnssec-trigger] Dnssec Problem

Thomas Dupas thomas at dupas.be
Sun Jun 10 20:15:56 UTC 2012

Hi Bob,

as a starter, slashdot.org<http://slashdot.org> is not dnssec-signed, hence it also can't be dnssec-validated / have an authoritative data flag on the query.
Try a dig towards www.nlnetlabs.nl<http://www.nlnetlabs.nl>.

I can't comment on the dnssec-trigger-control-setup output, but I'm pretty certain that dnssec validation is enabled


Thomas Dupas

On 10 Jun 2012, at 22:04, Bob Katz wrote:


I have just installed dnssec–trigger on my mac 10.7.4. The problem is after running the command dnssec–trigger–control–setup I don't know if dnssec is enabled. After I run the dig command I do not get the ad flag and one dnssec test website states no dnssec. However another test website states the dnssec is enabled.  I have included in this email a terminal output and a probe result. What am I missing ?


bash-3.2$ sudo dnssec-trigger-control-setup
setup in directory /etc/dnssec-trigger
dnssec_trigger_server.key exists
dnssec_trigger_control.key exists
create dnssec_trigger_server.pem (self signed certificate)
create dnssec_trigger_control.pem (signed client certificate)
Signature ok
Getting CA Private Key
Setup success. Certificates created.

run this script again with -i to:
- enable remote-control in unbound.conf
- start unbound-control-setup
- add root trust anchor to unbound.conf
if you have not done this already
bash-3.2$ sudo dnssec-trigger-control-setup -i
setup in directory /etc/dnssec-trigger
unbound-checkconf: no errors in /etc/unbound/unbound.conf
checking if unbound-control needs to be enabled
checking if root trust anchor needs to be enabled
check for search path in resolv.conf and edit /etc/dnssec-trigger/dnssec-trigger.conf
check for domain in resolv.conf and edit /etc/dnssec-trigger/dnssec-trigger.conf
bash-3.2$ sudo dig www.slashdot.org<http://www.slashdot.org/> @<>

; <<>> DiG 9.7.3-P3 <<>> www.slashdot.org<http://www.slashdot.org/> @<>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27876
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;www.slashdot.org<http://www.slashdot.org/>. IN A

www.slashdot.org<http://www.slashdot.org/>. 1546 IN A

slashdot.org<http://slashdot.org/>. 84346 IN NS ns4.p03.dynect.net<http://ns4.p03.dynect.net/>.
slashdot.org<http://slashdot.org/>. 84346 IN NS ns3.p03.dynect.net<http://ns3.p03.dynect.net/>.
slashdot.org<http://slashdot.org/>. 84346 IN NS ns2.p03.dynect.net<http://ns2.p03.dynect.net/>.
slashdot.org<http://slashdot.org/>. 84346 IN NS ns1.p03.dynect.net<http://ns1.p03.dynect.net/>.

;; Query time: 9 msec
;; WHEN: Sun Jun 10 15:59:11 2012
;; MSG SIZE  rcvd: 136

<Screen Shot 2012-06-10 at 3.56.42 PM.png>_______________________________________________
dnssec-trigger mailing list
dnssec-trigger at NLnetLabs.nl<mailto:dnssec-trigger at NLnetLabs.nl>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20120610/94394274/attachment.htm>

More information about the dnssec-trigger mailing list