[ldns-users] drill question

Paul Wouters paul at xelerance.com
Fri Jul 3 21:24:47 UTC 2009


On Fri, 3 Jul 2009, bert hubert wrote:

> Please forgive this DNSSEC 'noob' :-) Also, many thanks for writing 'drill',
> it is one of the only tools I've found to validate DNSSEC signatures from
> the command line.

See also unbound-host.

> However, all is not well. Can you tell me what is wrong with the following:
>
> $ drill -D dnssec.se dnskey  @secondary.se | grep DNSKEY | grep "12066 (zsk" > dnskey.dnssec.se
> $ drill -k ./dnskey.dnssec.se -D dnssec.se @secondary.se

Are you sure you meant to use the ZSK and not the KSK? Using this configuration,
the ZSK is not signed by anything drill was told to trust. And the ZSK does not
have the SEP bit set, so I assume drill will not use it as a trust anchor.

That said, even if I use their proper key, drill does not seem to work for me either.

Paul
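
The ZSK/KSK distinction raised above can be checked before a DNSKEY line is saved as a trust anchor file. The following is an added example, not part of the original message and not code from drill or ldns: it parses DNSKEY presentation-format lines, reports the SEP bit, and computes the key tag per RFC 4034 Appendix B. The sample records use constructed toy keys and the function names are hypothetical.

```python
import base64
import struct

# Constructed sample in DNSKEY presentation format (toy 3-byte keys, not real
# dnssec.se data). Anything after ";" is a comment and is ignored.
SAMPLE = """\
example.se. 3600 IN DNSKEY 256 3 5 BAUG ;{constructed ZSK}
example.se. 3600 IN DNSKEY 257 3 5 AQID ;{constructed KSK}
"""

SEP_BIT = 0x0001  # Secure Entry Point flag (RFC 4034, section 2.1.1)

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(text: str) -> list[dict]:
    """Return flags, SEP status and key tag for every DNSKEY line in text."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        rest = fields[fields.index("DNSKEY") + 1:]
        if len(rest) < 4:
            continue  # truncated or malformed record
        flags, protocol, algorithm = (int(x) for x in rest[:3])
        # The base64 key may be split across several whitespace-separated fields.
        public_key = base64.b64decode("".join(rest[3:]))
        rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
        keys.append({
            "owner": fields[0],
            "flags": flags,
            "sep": bool(flags & SEP_BIT),
            "key_tag": key_tag(rdata),
        })
    return keys

def sep_keys(text: str) -> list[dict]:
    """Keys with the SEP bit set, i.e. the KSK candidates for a trust anchor."""
    return [k for k in parse_dnskeys(text) if k["sep"]]
```

Flags 256 mark a zone key without the SEP bit (a ZSK by convention) and flags 257 mark one with it (a KSK).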
