Intended usage of dnssec-must-be-secure?
Evan Hunt
each at isc.org
Wed Feb 3 08:39:45 UTC 2016
On Wed, Feb 03, 2016 at 08:37:27AM +0100, Thomas Sturm wrote:
> Am I doing something wrong, or is this not the actual intended usage of
> this option?
That's not the intended usage.
dnssec-must-be-secure means what it says: the answers in this domain
*must be secure*. Everything has to be signed and validate correctly.
If it gets an unsigned answer, it is presumed to be a forgery.
> Of course, my use case is not resolving broken DNSSEC zones, but
> resolving forwarded local zones (non-existing TLD), however, above
> example should make the question more obvious.
I would suggest slaving the local zone instead of forwarding it.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
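
The two points in the reply above, as a named.conf fragment. This is an added example, not part of the original message or of the poster's configuration; the zone names, the address 192.0.2.53 and the file path are placeholders, and the syntax is that of the BIND 9 releases current when the thread was written.

```conf
// Constructed example: names, addresses and paths are placeholders.
options {
    dnssec-validation auto;

    // Intended usage: every answer at or below this name must be signed
    // and must validate. An unsigned answer is presumed to be a forgery.
    dnssec-must-be-secure "example.com" yes;
};

// The setup the question describes: a local zone under a non-existing
// TLD, reached through forwarding. Shown commented out for comparison.
// zone "internal" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.53; };
// };

// The suggested alternative: transfer the local zone from its primary
// and serve it from a local copy instead of forwarding queries for it.
zone "internal" {
    type slave;
    masters { 192.0.2.53; };          // primary for the local zone (placeholder)
    file "slaves/internal.db";        // local copy of the transferred zone
};
```

The primary at the placeholder address has to permit zone transfers to this server for the second zone statement to load.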