On Wed, 2017-03-08 at 12:09 +0000, Michael Tremer wrote:
Hmm...
That's interesting that only AAAA records fail. No idea why the system is resolving those anyway, but hey...
So when you do
dig @198.41.0.4 a.root-servers.net AAAA +dnssec
does that work?
What does
dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
do?
-Michael
---->% massive snippage here %<----
Sorry for the delay. I have to chase everyone off the network and reboot with another disk (development image) to test, then have to reboot with Core105 and DNSSEC disabled to resume email :).
Here are the results:
# dig @198.41.0.4 a.root-servers.net AAAA +dnssec
; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 a.root-servers.net AAAA +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65258
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 23 extra bytes at end

;; QUESTION SECTION:
;a.root-servers.net. IN AAAA

;; Query time: 1 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Wed Mar 08 09:56:11 CST 2017
;; MSG SIZE rcvd: 59

# dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
;; Warning: Message parser reports malformed message packet.
;; NO ANSWERS: no more
We want to prove the non-existence of a type of rdata 1 or of the zone:
;; nothing in authority section : impossible to validate the non-existence : FAILED

;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED
Thank you, Paul