[ldns-users] drill doesn't validate NSEC3 nxdomain?
Hugo Salgado
hsalgado at nic.cl
Tue Aug 31 19:41:00 UTC 2010
Hi.
I want to use "drill -k" to validate the correctness of an NSEC3
chain signature, for an NXDOMAIN response.
If I put the .org keys in a file and then validate a DS record,
it works:
% drill -D -k ORG.KSK @a0.org.afilias-nst.info. ds ietf.org.
[ ... ]
; VALIDATED by id = 52197, owner = org.
But when I try to validate non-existence:
% drill -D -k ORG.KSK @a0.org.afilias-nst.info. ds aaaaietf.org.
[ ... ]
; Bad data; RR for name and type not found or failed to verify, and
denial of existence failed.
The same command for an NSEC zone is working:
% drill -D -k ROOT.KEY @g.root-servers.net. ds sssse.
[ ... ]
; Existence denied for sssse. DS
I'm using drill version 1.6.6 (ldns version 1.6.6).
Thanks and regards,
Hugo
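
For reference, the closest-encloser check that an NSEC3 denial of existence has to pass (RFC 5155), as an added example that is not part of the original message and is not ldns or drill code. It assumes SHA-1 NSEC3 records whose signatures have already been verified (RRSIG checking is omitted); the zone names, salt and iteration count are constructed sample data.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648), which NSEC3 owner names use.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 over the lowercase wire-format name plus salt,
    then `iterations` additional rounds, base32hex encoded."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode().lower()

def covers(owner, nxt, target):
    """True if target lies strictly between the owner and next hashes; the
    last record in the chain wraps around to the first."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt

def proves_nxdomain(qname, zone, chain, salt_hex, iterations):
    """Closest-encloser proof over a list of (owner_hash, next_hash) pairs."""
    h = lambda n: nsec3_hash(n, salt_hex, iterations)
    owners = {o for o, _ in chain}
    covered = lambda n: any(covers(o, x, h(n)) for o, x in chain)
    labels = qname.lower().rstrip(".").split(".")
    zone = zone.lower().rstrip(".")
    if h(qname) in owners:
        return False  # an NSEC3 matches the name itself, so it exists
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if h(encloser) in owners:  # longest ancestor with a matching NSEC3
            next_closer = ".".join(labels[i - 1:])
            return covered(next_closer) and covered("*." + encloser)
        if encloser == zone:
            break
    return False  # no closest encloser found: the proof is incomplete

def build_chain(names, salt_hex, iterations):
    """Constructed sample data: hash the zone's names and link them in order."""
    hs = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(hs[i], hs[(i + 1) % len(hs)]) for i in range(len(hs))]
```
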