On Fri, Jul 16, 2010 at 18:01:20 +0100, Tony Finch wrote: > On Fri, 16 Jul 2010, Iljitsch van Beijnum wrote: > > > > Too bad it doesn't work for me. > > BIND's trust anchors are in DNSKEY format, but IANA publishes the root key > in DS format. You can fetch the root DNSKEY using dig, convert it into > a DS using BIND's dnssec-dsfromkey program and compare the result to the > published trust anchor to verify that you have the right DNSKEY before > adding it to BIND's configuration. There is a longer explanation of the > process at http://fanf.livejournal.com/107310.html Thanks! That was very useful. I finally got it working. I would also like to check the output for a zone that is verifyable not correct. Any examples of signed RRs with an incorrect signature? rvdp _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf