[ldns-users] Zone signed or not ?

Jaap Akkerhuis jaap at NLnetLabs.nl
Sun Apr 18 10:17:10 UTC 2021

 Anand Buddhdev via ldns-users writes:

 > On 18/04/2021 10:18, François RONVAUX via ldns-users wrote:
 > Hi François,
 > > I signed my zone and published the KSK and ZSK pub keys to my registrar.
 > > 
 > > When I check the zone with a "dig +dnssec mydomain.tld", the flag "ad" is
 > > present and the RRSIG record is in the result.
 > > 
 > > The tool "dnssec-analyzer.verisignlabs.com" shows every check points with a
 > > green mark.
 > > 
 > > But when I check the zone with the tool "dnsviz.net", the zone is graded
 > > "INSECURE" for all type of records : SOA/TXT/MX/NS/A.
 > > 
 > > Do you have an idea where I did mistake ?
 > It's possible that you've signed your zone with an algorithm that dnsviz
 > doesn't understand. But you did not tell us how you signed your zone.
 > You also didn't tell us your domain name, so we can't check either. When
 > you ask for help about DNS issues, don't obscure your domain. Provide as
 > much information as possible, and people will be able to help you. Being
 > obscure doesn't help.

What anand says, but, bseide that, dd you really hit "update now"?
That wil give you a fresh look instead of the latest from the history.


More information about the ldns-users mailing list