DNSSEC validation on combined auth+recursive server
Marc Lampo
marc.lampo at eurid.eu
Thu Jan 6 08:52:37 UTC 2011
Hello,
> I seem to remember seeing something about DNSSEC validation not working
> when a BIND server is used both to serve the DNSSEC signed zone
> authoritatively, and as a resolver? Unfortunately, I haven't managed to
> find this information again, and now I'm wondering if it was all in my
> head.
This may not be the reference you cannot find,
but at EURid, registry for the eu top level domain,
we have an "EU Insights" available that also addresses
- bogus and validating name servers (which is your case) (pg 15 + 16)
- validating forwarding name server (pg 17 + 18)
Cfr http://www.eurid.eu/files/Insights_DNSSEC2.pdf
Basically, a bogus, yet validating name server, is not a problem.
The name server uses its local data first; answers do not have the "AD" bit set.
It would be a problem if a validating NS forwards towards this bogus name server, regardless of whether the bogus name server is DNSSEC aware or not.
Kind regards,
Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
marc.lampo at eurid.eu
http://www.eurid.eu
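The distinction Marc draws above (answers served from the server's own zone data carry AA and no AD bit, while answers the same server validated as a resolver carry AD) can be checked on the wire by looking at the DNS header flags. The script below is an added example, not part of the original post or of EURid's material; it builds three constructed responses for a hypothetical name "example.eu" and classifies each one by its flags, so that a practitioner can see which class of answer a combined auth+recursive server is returning before trusting the AD bit downstream.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
FLAG_QR = 0x8000  # 1 = response, 0 = query
FLAG_AA = 0x0400  # authoritative answer: served from the server's own zone data
FLAG_RD = 0x0100  # recursion desired (copied from the query)
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: the validator verified the answer
FLAG_CD = 0x0010  # checking disabled: client asked the validator not to validate

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(flags: int, qname: str = "example.eu", msg_id: int = 0x1234) -> bytes:
    """Build a minimal DNS response: 12-byte header plus one question, no answer RRs.
    Only the header flags matter for the classification below."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    return header + question


def parse_flags(msg: bytes) -> dict:
    """Return the header flag bits of a DNS message as booleans."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _msg_id, flags, *_counts = struct.unpack("!HHHHHH", msg[:12])
    return {
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


def classify(msg: bytes) -> str:
    """Classify a response from a combined authoritative+recursive server.

    local-data:   answered from the server's own zone (AA set). As the post says,
                  such answers never carry AD, whatever the zone's DNSSEC state.
    validated:    recursive answer the server validated itself (AD set).
    unvalidated:  recursive answer with no validation claim (neither AA nor AD).
    """
    f = parse_flags(msg)
    if not f["qr"]:
        return "query"
    if f["aa"]:
        return "local-data"
    if f["ad"]:
        return "validated"
    return "unvalidated"


# Constructed sample responses (not captured traffic):
# 1. the server answers for a zone it hosts itself
LOCAL_DATA_RESPONSE = build_response(FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA)
# 2. the same server resolved and validated a foreign name
VALIDATED_RESPONSE = build_response(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
# 3. a recursive answer with no validation claim at all
UNVALIDATED_RESPONSE = build_response(FLAG_QR | FLAG_RD | FLAG_RA)


if __name__ == "__main__":
    for label, msg in [("local zone", LOCAL_DATA_RESPONSE),
                       ("validated", VALIDATED_RESPONSE),
                       ("unvalidated", UNVALIDATED_RESPONSE)]:
        print(f"{label:12s} flags={parse_flags(msg)} -> {classify(msg)}")
```

A downstream validating forwarder that points at such a server sees the first class of answer (AA set, AD clear) and cannot tell from the flags alone whether the hosted zone's signatures were ever checked, which is the forwarding case the post warns about; the classifier makes that "local-data, no AD" state explicit instead of leaving it implicit in a missing bit.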