Forwarded lookup failing on no valid RRSIG

Mark Andrews marka at isc.org
Sun Dec 20 22:23:38 UTC 2020



> On 21 Dec 2020, at 06:04, Matthew Pounsett <matt at conundrum.com> wrote:
> 
> 
> 
> On Fri, 18 Dec 2020 at 18:08, Nicolas Bock <nicolas.bock at canonical.com> wrote:
> Thanks Mark. Am I correct then that I need to either convince the administrator of that DNS to enable DNSSEC or configure my DNS with `dnssec-validation = no`?
> 
> The upstream administrator isn't required to be validating DNSSEC for this to work, but in order for your DNS server to do DNSSEC validation, their DNS server must be DNSSEC aware enough to be requesting DNSSEC data when it queries the authoritative DNS servers.  Of course, the resilience of the whole thing would also be improved by that server also validating.

Matthew, there is a difference between sometimes getting answers out of a forwarder that isn’t validating that validate and a system that is working.  If the forwarder is not validating then the system cannot recover from situations that an iterative validating resolver can recover from.

It is bad advice to deploy validating clients behind forwarders that are not validating.

> If they can't or won't update their server, then yes, you'll either have to disable validation yourself, or select a better upstream.  Personally I'd go looking for a better upstream (or just stop using a forwarder entirely, and do your own direct recursion, if that's possible in your environment).

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
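
An added example, not part of the original thread and not BIND code: a small parser that inspects a forwarder's raw DNS response and reports whether the answer carries an RRSIG covering the queried type and whether the AD bit is set, the two things a validating client behind a forwarder depends on. It assumes the responses came from queries sent with the DO bit set; the two sample messages, the placeholder signature and all function names are constructed for illustration.

```python
import struct

RRSIG = 46        # RR type code for RRSIG (RFC 4034)
AD_FLAG = 0x0020  # header bit: responder considers the answer authenticated

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:             # root label ends the name
            return off

def check_response(msg, qtype):
    """Return (answer has RRSIG covering qtype, AD bit set) for one response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):        # skip the question section
        off = skip_name(msg, off) + 4
    signed = False
    for _ in range(an):        # walk the answer section
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        # The first two RDATA bytes of an RRSIG name the type it covers.
        if rtype == RRSIG and struct.unpack_from("!H", msg, off)[0] == qtype:
            signed = True
        off += rdlen
    return signed, bool(flags & AD_FLAG)

# Constructed sample messages (built here, not captured traffic).
def wire_name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"
def make_rr(rtype, rdata):
    fixed = struct.pack("!HHIH", rtype, 1, 300, len(rdata))
    return wire_name("example.com") + fixed + rdata
def make_response(flags, rrs):
    header = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0)
    question = wire_name("example.com") + struct.pack("!HH", 1, 1)
    return header + question + b"".join(rrs)

A_RR = make_rr(1, bytes([192, 0, 2, 1]))
# RRSIG RDATA with a zero-filled placeholder signature; it would not verify.
SIG_RR = make_rr(RRSIG, struct.pack("!HBBIIIH", 1, 13, 2, 300, 0, 0, 12345)
                 + wire_name("example.com") + bytes(64))
VALIDATING_FORWARDER = make_response(0x81A0, [A_RR, SIG_RR])  # AD set, A + RRSIG
UNAWARE_FORWARDER = make_response(0x8180, [A_RR])             # no AD, A only
```

A result of `(False, False)` for a name in a signed zone means the forwarder is stripping or never requesting DNSSEC data, so a validating client behind it has no signatures to check.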


