[DNSSEC] Validating resolver which is also authoritative: no AD bit set

Alan Clegg Alan_Clegg at isc.org
Fri Jan 23 13:56:29 UTC 2009


Stephane Bortzmeyer wrote:
> I configure a BIND 9.5.0 P2 which is both a DNSSEC-validating resolver
> and an authoritative server.
> 
> With proper trust anchors, it DNSSEC-validates domains like iis.se or
> sources.org and sets the AD bit in the answers to 'dig +dnssec XXX
> iis.se'.
> 
> Except for one domain, generic-nic.net, for which this BIND is
> authoritative: here, I get the right answer but without the AD bit.
> 
> If I delete this domain from the list of zones served by this BIND, I
> get the AD bit again.
> 
> Is it normal? Should the client be happy with just the AA bit?

Authoritative servers will never set the AD bit for their own zones.  To
get "correctly set bits", you must go through a validating recursive server.

Consider this conversation:

  "Is your name Alan?"
  "Yes, it is, and I will guarantee that it is because I say it is"

For this reason (if for no other), I strongly recommend that the roles
of authoritative and recursive servers be split.

AlanC

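As an added illustration (not code from the thread, and not BIND's own code), a small Python decoder for the DNS header flags word that tells the AA bit apart from the AD bit; the two sample headers are constructed to mirror the two answers described above.

```python
"""Decode the flags word of a DNS response header and decide whether an
answer counts as DNSSEC-validated (AD set) or merely authoritative (AA)."""
import struct

# Bit positions inside the 16-bit flags word (RFC 1035 header, AD/CD from RFC 4035).
_FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}


def parse_header(packet: bytes) -> dict:
    """Parse the 12-byte DNS header into id, flag booleans, opcode, rcode, counts."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    hdr = {name: bool((flags >> bit) & 1) for name, bit in _FLAG_BITS.items()}
    hdr.update(id=msg_id, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF,
               qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return hdr


def classify(packet: bytes) -> str:
    """How a DNSSEC-aware stub should treat the answer: only AD means the
    responding resolver validated the data; AA alone is the server vouching
    for its own zone, which is the self-attestation the reply above describes."""
    h = parse_header(packet)
    if not h["qr"]:
        return "not-a-response"
    if h["ad"]:
        return "validated"
    if h["aa"]:
        return "authoritative-unvalidated"
    return "unvalidated"


def build_response(aa: bool, ad: bool, ra: bool = True, msg_id: int = 0x1234) -> bytes:
    """Constructed sample: header of a NOERROR response with one question, one answer."""
    flags = (1 << 15) | (1 << 8)                      # QR=1, RD=1
    flags |= (aa << 10) | (ra << 7) | (ad << 5)      # AA, RA, AD as requested
    return struct.pack("!6H", msg_id, flags, 1, 1, 0, 0)


# Constructed headers matching the thread: the BIND that serves the zone itself
# answers with AA but no AD; a separate validating recursive server sets AD.
AUTH_ANSWER = build_response(aa=True, ad=False)
VALIDATING_ANSWER = build_response(aa=False, ad=True)

if __name__ == "__main__":
    for label, pkt in (("authoritative", AUTH_ANSWER), ("validating recursive", VALIDATING_ANSWER)):
        print(f"{label}: {classify(pkt)}")
```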