Maintained by: NLnet Labs

[Unbound-users] DNSSEC and traffic encryption questions

Beeblebrox
Wed Feb 26 10:03:17 CET 2014


Could someone tell me what this output means when checking DNSSEC
status? I am using dnscrypt-proxy as the forward-zone, which in turn
forwards to a DNSSEC-enabled resolver (176.56.237.171, Holland).

$ drill -TD com. SOA
Warning: No trusted keys were given. Will not be able to verify authenticity!
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 172800 IN DNSKEY 256 3 8 ;{id = 33655 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: .    172800    IN    DNSKEY    256 3 8
AwEAAb8sU6pbYMWRbkRnEuEZw9NSir707TkOcF+UL1XiK4NDJOvXRyX195Am5dQ7bRnnuySZ3daf37vvjUUhuIWUAQ4stht8nJfYxVQXDYjSpGH5I6Hf/0CZEoNP6cNvrQ7AFmKkmv00xWExKQjbvnRPI4bqpMwtHVzn6WybBZ6kuqED
;{id = 33655 (zsk), size = 1024b}
[S] com. 86400 IN DS 30909 8 2
e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
;; Signature ok but no chain to a trusted key or ds record
[S] com. 86400 IN DNSKEY 256 3 8 ;{id = 45932 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[S] com.    900    IN    SOA    a.gtld-servers.net.
nstld.verisign-grs.com. 1393405023 1800 900 604800 86400
;;[S] self sig OK; [B] bogus; [T] trusted