DNSSEC and forwarding

Tony Finch fanf at isc.org
Wed Mar 30 21:43:07 UTC 2022


Duchscher, Dave J via bind-users <bind-users at lists.isc.org> wrote:

> We have an internal DNS server that we would like to forward its
> outgoing queries to a main DNS server that connects to the outside world
> and is doing DNSSEC validation.  The problem is that the DNSSEC
> validation doesn't work for queries from the internal DNS server.
> Doing DNSSEC validation on the internal DNS server that is forwarding to
> the main DNS server has been problematic with some domains failing
> intermittently and others just not working at all. Is there a way to
> allow the main DNS server handle DNSSEC validation?

In this situation, with multiple tiers of caches, if you want DNSSEC
validation, you should turn it on everywhere you can.

It sounds to me like your outer server has somehow got data in its cache
that can't be validated by the inner server (though I'm not entirely sure
how that might happen). If they both validate then I would expect the
problems to go away.

-- 
Tony Finch  <fanf at isc.org>  (he/they)  Cambridge, England
Rockall, Malin, Hebrides: North or northeast 4 to 6, occasionally 7 at
first. Moderate or rough. Wintry showers. Good, occasionally poor.
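As an added illustration of the advice above (this is not from the thread or from ISC), the comment at the top of the script shows the `named.conf` options for an inner BIND 9 resolver that forwards everything to the outer resolver while validating on its own as well; the forwarder address 192.0.2.53 is a documentation address standing in for the real outer server. The shell functions then classify the header of a `dig +dnssec` answer from the inner server and use a second query with `+cd` (checking disabled) to tell a validation failure apart from an upstream failure. The dig output embedded at the bottom is constructed sample text, not captured from a real server.

```shell
#!/bin/sh
# Added example for the bind-users thread above; not code from ISC or BIND.
# Inner resolver: forward all queries to the outer validating resolver, but
# keep validating locally too (dnssec-validation auto is the default in
# current BIND 9; it is spelled out here so the intent is visible).
# 192.0.2.53 is a placeholder documentation address for the outer server.
#
#   options {
#       forwarders { 192.0.2.53; };
#       forward only;
#       dnssec-validation auto;
#   };
#
# Check from a client: dig +dnssec @inner-server example.com A
# A validated answer carries the "ad" flag; SERVFAIL means validation (or the
# forwarder) failed. Repeating the query with +cd bypasses validation on the
# inner server, so "SERVFAIL without +cd, NOERROR with +cd" points at data
# that arrived but could not be validated rather than at an unreachable upstream.

# classify DIG_OUTPUT -> validated | unvalidated | bogus | other:STATUS
classify() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;    # inner server validated the chain
                *)        echo unvalidated ;;  # answer accepted, no AD bit
            esac ;;
        SERVFAIL) echo bogus ;;                # validation or upstream failure
        *)        echo "other:$status" ;;
    esac
}

# diagnose NORMAL_OUTPUT CD_OUTPUT -> cause of a failing query
#   validation-failure : fails normally, works with +cd (inner cannot validate
#                        what the forwarder hands it: check trust anchors,
#                        clock, and the forwarder's DNSSEC support)
#   upstream-failure   : fails even with +cd (forwarder returns nothing usable)
diagnose() {
    normal=$(classify "$1")
    withcd=$(classify "$2")
    if [ "$normal" = bogus ] && [ "$withcd" != bogus ]; then
        echo validation-failure
    elif [ "$normal" = bogus ]; then
        echo upstream-failure
    else
        echo "$normal"
    fi
}

# Constructed sample dig header output (not captured from a real server).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1236
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1237
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Usage on the samples (replace with: dig +dnssec @inner example.com A
# and dig +dnssec +cd @inner example.com A against the real inner server)
echo "normal query: $(classify "$SAMPLE_OK")"
echo "failing query: $(diagnose "$SAMPLE_FAIL" "$SAMPLE_CD")"
```

If both tiers validate and the inner server still answers SERVFAIL where `+cd` succeeds, the thing to inspect is the outer server's cached data for that name, which is the situation Tony describes.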

