I have DNS set up with PowerDNS. It serves my DNS pretty well, and it AXFRs to other slaves. The slaves haven't yet updated to the most recent records, but that doesn't affect the validation, it would appear. Any record I can think of (AAAA, MX, TXT, even the CNAME for www) validates -- except for A records:
dig @149.20.64.20 +dnssec www.demize95.com CNAME
returns ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
while dig @149.20.64.20 +dnssec demize95.com A
returns ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
The same happens with any other A record I have.
I set up DNSSEC with pdnssec, and it does work for all the other records, but it's never validated for my A records. What's the problem here?
Also, a side-note: I have to use ISC's DLV to create the chain of trust, since my domain registrar doesn't yet support sending the DS records to the com zone.
Update: It looks like it works now, so now I'd just like to know what the problem was. Was it just that the changes hadn't propagated everywhere yet?
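The comparison in the question comes down to whether the resolver set the `ad` (Authenticated Data) flag for each record type. The following is an added example, not part of the original question: it parses captured `dig +dnssec` output and reports a verdict per query. The sample text is constructed around the two flag lines quoted above, and the function names are illustrative.

```python
import re

# Constructed sample: trimmed dig +dnssec output for two queries. The flag
# lines are the ones quoted in the question; ids and layout are illustrative.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
;; QUESTION SECTION:
;www.demize95.com.      IN      CNAME

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
;; QUESTION SECTION:
;demize95.com.          IN      A
"""

HEADER = re.compile(r"^;; ->>HEADER<<- .*status: (\w+)")
FLAGS = re.compile(r"^;; flags:([^;]*);")
QUESTION = re.compile(r"^;(\S+)[ \t]+IN[ \t]+(\S+)[ \t]*$")

def parse_dig(text):
    """Return one dict per response (status, flags, question) in dig output."""
    results, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"status": m.group(1), "flags": set(), "qname": None, "qtype": None}
            results.append(cur)
        elif cur is None:
            continue  # skip anything before the first response header
        elif m := FLAGS.match(line):
            cur["flags"] = set(m.group(1).split())
        elif (m := QUESTION.match(line)) and cur["qname"] is None:
            cur["qname"], cur["qtype"] = m.group(1), m.group(2)
    return results

def classify(resp):
    """'validated' needs the ad flag; SERVFAIL is reported separately."""
    if resp["status"] == "SERVFAIL":
        return "servfail"  # what a validating resolver returns for bogus data (other causes exist)
    return "validated" if "ad" in resp["flags"] else "unvalidated"

def report(text):
    return [(r["qname"], r["qtype"], classify(r)) for r in parse_dig(text)]

if __name__ == "__main__":
    for qname, qtype, verdict in report(SAMPLE):
        print(f"{qname:<22}{qtype:<7}{verdict}")
```
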