On Thursday, 15 January 2015, 13:46:39, Frank Fiene wrote:
The "da" flag is missing!?
"ad"
On 15.01.2015 at 13:06, Patrick Ben Koetter p@sys4.de wrote:
dig +dnssec dane.sys4.de
root@mail:/home/ffiene# dig +dnssec dane.sys4.de +m
; <<>> DiG 9.9.5-3-Ubuntu <<>> +dnssec dane.sys4.de +m
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dane.sys4.de. IN A
;; ANSWER SECTION:
(...)
Your resolver gets all the dnssec relevant RR of the domain, but does not check if the RRSIG are really correct. Please check the same with a dnssec enabled resolver. 8.8.8.8 for instance does check the signatures.
dig @8.8.8.8 +dnssec sys4.de
You will see that the "ad" flag is present in the answer.
Next step: Install a dnssec aware resolver.
Kind regards,
Michael Schwartzkopff
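The check Michael describes (look for "ad" in the dig header, compare against a validating resolver such as 8.8.8.8) as a small shell helper. This is an added example, not code from the thread; the function name `dnssec_status` and the classification words it prints are my own choice, and the embedded header is a constructed copy of Frank's output above.

```shell
# Classify one "dig +dnssec" answer from its header lines, read on stdin.
# Prints one of:
#   validated       - "ad" (authenticated data) set: the resolver validated the RRSIGs
#   unvalidated     - NOERROR without "ad": resolver does not validate, or the zone is unsigned
#   failed:<RCODE>  - non-NOERROR rcode; on a validating resolver SERVFAIL often means bogus data
# Exit status is 0 only for "validated", so it can be used in an if/then.
dnssec_status() {
    status=""
    flags=""
    while IFS= read -r line; do
        case "$line" in
            *"->>HEADER<<-"*)
                # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974"
                status=$(printf '%s\n' "$line" | sed -n 's/.*status: \([A-Z]*\).*/\1/p')
                ;;
            ";; flags:"*)
                # ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, ..."
                flags=$(printf '%s\n' "$line" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
                ;;
        esac
    done
    if [ -z "$status" ]; then
        echo "no-header"
        return 1
    fi
    if [ "$status" != "NOERROR" ]; then
        echo "failed:$status"
        return 1
    fi
    case " $flags " in
        *" ad "*) echo "validated";   return 0 ;;
        *)        echo "unvalidated"; return 1 ;;
    esac
}

# Constructed sample: the header Frank's non-validating resolver returned above.
# A validating resolver would show "flags: qr rd ra ad" for the same query.
sample='; <<>> DiG 9.9.5-3-Ubuntu <<>> +dnssec dane.sys4.de +m
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5'

if printf '%s\n' "$sample" | dnssec_status; then
    echo "resolver validated the answer"
else
    echo "answer not validated: compare with dig @8.8.8.8 +dnssec sys4.de | dnssec_status"
fi
```

A zone that is simply unsigned also yields "unvalidated", so the comparison against a known validating resolver on a signed name is what tells a non-validating resolver apart from an unsigned zone.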