[ldns-users] Zone signed or not ?

Anand Buddhdev anandb at ripe.net
Sun Apr 18 08:42:00 UTC 2021


On 18/04/2021 10:18, François RONVAUX via ldns-users wrote:

Hi François,

> I signed my zone and published the KSK and ZSK pub keys to my registrar.
> 
> When I check the zone with a "dig +dnssec mydomain.tld", the flag "ad" is
> present and the RRSIG record is in the result.
> 
> The tool "dnssec-analyzer.verisignlabs.com" shows every checkpoint with a
> green mark.
> 
> But when I check the zone with the tool "dnsviz.net", the zone is graded
> "INSECURE" for all types of records: SOA/TXT/MX/NS/A.
> 
> Do you have an idea where I made a mistake?

It's possible that you've signed your zone with an algorithm that dnsviz
doesn't understand. But you did not tell us how you signed your zone.
You also didn't tell us your domain name, so we can't check either. When
you ask for help about DNS issues, don't obscure your domain. Provide as
much information as possible, and people will be able to help you. Being
obscure doesn't help.

Regards,
Anand

