They don't give us NSEC records for missing DS records,
e.g:
| weasel@saens:~$ dig @128.101.101.101 debian.com -t ds +dnssec
|
| ; <<>> DiG 9.7.3 <<>> @128.101.101.101 debian.com -t ds +dnssec
| ; (1 server found)
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13955
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags: do; udp: 4096
| ;; QUESTION SECTION:
| ;debian.com. IN DS
|
| ;; AUTHORITY SECTION:
| com. 527 IN SOA a.gtld-servers.net. nstld.verisign-grs.com.
1301844372 1800 900 604800 86400
| com. 527 IN RRSIG SOA 8 1 900
20110410152612 20110403141612 1793 com. JFEZa5Kb5xJyibTSX4YySdz8fY53Vftd1VswlmEMJSkMyUIqq2zYWJm6 zvpK1y4RjE9Abv7vo5X8GcMuOg4TO31Pf6rAdloqYvcqZyFtu7DBoxYF A1lpz0w5Ru9stynHe4sNTk2xnbODzbZlW5DmUpPV4b1MjbxLgXkCyuLs H6o=
|
| ;; Query time: 1 msec
| ;; SERVER: 128.101.101.101#53(128.101.101.101)
| ;; WHEN: Sun Apr 3 15:32:58 2011
| ;; MSG SIZE rcvd: 275
(no NSEC3 records)
umn:
netrange:
- 128.101.240.212
+ nameservers_break_dnssec: true
nameservers: [128.101.101.101, 134.84.84.84]
utwente:
netrange:
projects / mirror / dsa-puppet.git / commitdiff