Test DNSSEC validation
Jan-Piet Mens
jpmens.dns at gmail.com
Wed Apr 18 18:03:22 UTC 2012
> What is the best way to log DNSSEC failures in Bind without enforcing
> DNSSEC validation?
>
> That is I want to see what Bind would have rejected because of failed
> DNSSEC validation, but I do not want to return SERVFAIL to my client.
I don't think that is possible without modifying the client(s) to query
with Checking Disabled. It sounds to me as though you're looking for a
"add-cd-to-all-queries" option on a validating BIND recursor; that
doesn't exist, as far as I know.
-JP
More information about the bind-users
mailing list