Force Bind caching resolver to always obey DNSSEC

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Fri Oct 1 20:50:00 UTC 2010


Zitat von Alan Clegg <aclegg at isc.org>:

> On 10/1/2010 4:26 PM, lst_hoe02 at kwsoft.de wrote:
>> Hello
>>
>> After the root zones are now DNSSEC signed, we would like to use DNSSEC at our
>> caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and
>> basically it is working fine. What I have not managed is to always
>> force obeying DNSSEC signed zones for resolving, e.g. if I use "dig
>> +cdflag www.rhybar.cz" the caching resolver ignores the invalidly signed
>> result set and delivers the A record. If I don't use the "+cdflag", the
>> result is SERVFAIL (no result).
>
> [..]
>
>> Are there any settings to never return a result for invalid signed
>> result sets?
>
> SERVFAIL is the correct response when data is invalid.  I'm not
> sure what you actually want...  If you "never return a result", the user
> on the other end will continue to attempt to resolve the (bad) zone.

Sorry for being unclear. We want the SERVFAIL, as it should be for
invalid DNSSEC data, *in all cases*, e.g. even if a client asks with the
CD flag (checking disabled) set.

Many Thanks

Andreas
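The bit the thread turns on is the DNS header's CD (Checking Disabled) flag: a validating resolver that receives a query with CD set hands back the unvalidated answer instead of SERVFAIL. The following is an added example, not code from this thread or from BIND: it builds the kind of query `dig +cdflag` sends, parses the header flags (RFC 1035 layout, AD/CD bits from RFC 4035), and picks out the queries in a captured batch that asked to bypass validation, which is what a resolver operator would want to spot in traffic. The sample packets and query ids are constructed.

```python
import struct
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # Authenticated Data: validator vouches for the answer
FLAG_CD = 0x0010  # Checking Disabled: the bit "dig +cdflag" sets

def encode_qname(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_qname(msg, offset=12):
    """Decode the uncompressed name that starts at offset (the first question)."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + "."

def build_query(qname, qid, cd=False, qtype=1):
    """Build a minimal IN query; cd=True reproduces what dig +cdflag sends (constructed)."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Split the 12-byte header into the fields the CD/AD discussion cares about."""
    qid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rcode": flags & 0x000F, "qdcount": qd}

def find_cd_queries(packets):
    """Return (id, qname) for each query that asks the resolver to skip validation."""
    hits = []
    for pkt in packets:
        h = parse_header(pkt)
        if not h["qr"] and h["cd"] and h["qdcount"] == 1:
            hits.append((h["id"], decode_qname(pkt)))
    return hits

# Constructed sample traffic: the thread's "dig +cdflag www.rhybar.cz" query between two ordinary ones.
SAMPLE = [build_query("www.isc.org", 0x1001),
          build_query("www.rhybar.cz", 0x1002, cd=True),
          build_query("www.rhybar.cz", 0x1003)]

if __name__ == "__main__":
    for qid, name in find_cd_queries(SAMPLE):
        print(f"query {qid:#06x} for {name} has CD set: the resolver will answer without validating")
```

Fed real packets instead of SAMPLE (a pcap of port 53 UDP payloads, for instance), the same function lists which clients are asking the resolver to skip validation.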