
Re: DNSSEC working but SSHFP reported as insecure



> Where am I making a mistake, please?

I think I know the problem. On the client machine, by default glibc doesn't indicate to applications that DNS records were signed via DNSSEC. This is because, how is glibc to know whether the DNS servers it's getting its records from are supposed to be considered trustworthy? It might be some DNS server set up by your ISP or something, and you might not want to place your full trust in them.

I believe your server is configured correctly. However, in order for GNU/Linux clients to take advantage of DNSSEC, they typically need to run validating DNS resolvers locally that can be trusted, AND set a glibc option in /etc/resolv.conf letting glibc know that the signatures can be trusted.

I'm not a DNS aficionado, so someone please correct me if I got the details wrong.

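An added example, not code from this thread: a small POSIX shell script with hypothetical helper names that checks the two conditions the reply describes, on constructed sample inputs. It assumes a dig header line and /etc/resolv.conf text as shown, and that ssh only treats an SSHFP record as secure when the AD (authenticated data) flag reaches it, which with glibc requires both a trusted local validating resolver and "options trust-ad" in resolv.conf.

```shell
#!/bin/sh
# Added example, not from the original thread. Hypothetical helper functions
# check the two conditions the reply describes: the answer to the SSHFP query
# must carry the AD (authenticated data) flag from a local validating resolver,
# and /etc/resolv.conf must contain "options trust-ad" so glibc passes that
# flag on to ssh. All inputs below are constructed samples.

# Header line as printed by `dig +dnssec SSHFP host.example` (constructed):
# a validating resolver sets "ad", a non-validating one does not.
DIG_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed /etc/resolv.conf contents: a trusted local validator versus an
# upstream (e.g. ISP) resolver whose AD flag glibc must not trust blindly.
RESOLV_LOCAL='nameserver 127.0.0.1
options trust-ad edns0'
RESOLV_UPSTREAM='nameserver 192.0.2.53
options edns0'

# 0 if the dig header in $1 lists the AD flag (word-exact, so "rd"/"ra" do not match).
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:( [a-z]+)* ad[; ]'
}

# 0 if resolv.conf text $1 has at least one nameserver and all are loopback.
resolver_is_local() {
    ns=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*nameserver[[:space:]]') || return 1
    ! printf '%s\n' "$ns" | grep -Evq '[[:space:]](127\.[0-9.]+|::1)[[:space:]]*$'
}

# 0 if an "options" line in $1 carries trust-ad (honoured by glibc 2.31 and newer).
resolv_trusts_ad() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*options([[:space:]]+[^[:space:]]+)*[[:space:]]+trust-ad([[:space:]]|$)'
}

# Verdict for the ssh client: 0 only if all three conditions hold; otherwise
# prints each missing piece and returns 1.
sshfp_trust_ok() {
    ok=0
    dig_has_ad "$1" || { echo 'no AD flag: resolver is not validating (or strips AD)'; ok=1; }
    resolver_is_local "$2" || { echo 'nameserver is not loopback: AD from a remote resolver is not trustworthy'; ok=1; }
    resolv_trusts_ad "$2" || { echo 'missing "options trust-ad" in /etc/resolv.conf'; ok=1; }
    return $ok
}

sshfp_trust_ok "$DIG_VALIDATED" "$RESOLV_LOCAL" && echo 'ssh can treat SSHFP as secure'
sshfp_trust_ok "$DIG_UNVALIDATED" "$RESOLV_UPSTREAM" || echo 'ssh will report SSHFP as insecure'
```

To use it on a real client, replace the two constructed samples with the actual dig header and the contents of /etc/resolv.conf.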