DNSSEC Question

[Tony Finch]

Bob McDonald <bmcdonaldjr at gmail.com> wrote:
>
> Server A
> DNSSEC=yes
> DNSSEC-validation=yes
> Valid trust anchor for the root zone
> DNSSEC validation seems to work correctly
> Zone one.com. is setup as a forward zone to server B
>
> Server B
> DNSSEC=no
> DNSSEC-validation=N/A
> authoritative and the master for one.com.

This setup will not work reliably: the target forwarding server has to be
a recursive server, since the forwarding client will expect it to do full
resolution of the query - following delegations, etc. I expect it will
have funky interactions with DNSSEC validation (e.g. chasing DS records)
but I have not experimented with this myself.

Also, you should never turn off the `dnssec-enable` setting, since that
prevents BIND from doing the right thing with RRSIG/NSEC/DS records. This
will break downstream validation even if the server is not itself
validating - that is, if you turn it off on an authoritative server, it
cannot serve any signed zones.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Southeast Malin: Easterly 5 to 7. Slight or moderate, becoming moderate or
rough. Mainly fair. Good.