[ldns-users] drill doesn't validate NSEC3 nxdomain?

Hugo Salgado hsalgado at nic.cl
Tue Aug 31 19:41:00 UTC 2010

I want to use "drill -k" to validate correctness of a nsec3
chain signature, for a nxdomain response.

If I put the .org keys in a file and then validate a DS record,
it works:

 % drill -D -k ORG.KSK @a0.org.afilias-nst.info. ds ietf.org.
 [ ... ]
 ; VALIDATED by id = 52197, owner = org.

But when I try to validate non-existence:
 % drill -D -k ORG.KSK @a0.org.afilias-nst.info. ds aaaaietf.org.
 [ ... ]
 ; Bad data; RR for name and type not found or failed to verify, and
denial of existence failed.

The same command for a NSEC zone is working:
 % drill -D -k ROOT.KEY @g.root-servers.net. ds sssse.
 [ ... ]
 ; Existence denied for sssse.	DS

I'm using drill version 1.6.6 (ldns version 1.6.6).

Thanks and regards,


More information about the ldns-users mailing list