DNSSEC and forwarding

Duchscher, Dave J dd at tamu.edu
Wed Apr 13 01:18:41 UTC 2022


On Mar 30, 2022, at 4:43 PM, Tony Finch <fanf at isc.org> wrote:
> 
> > We have an internal DNS server that we would like to forward its
> > outgoing queries to a main DNS server that connects to the outside world
> > and is doing DNSSEC validation.  The problem is that the DNSSEC
> > validation doesn't work for queries from the internal DNS server.
> > Doing DNSSEC validation on the internal DNS server that is forwarding to
> > the main DNS server has been problematic, with some domains failing
> > intermittently and others just not working at all. Is there a way to
> > allow the main DNS server to handle DNSSEC validation?
> 
> In this situation, with multiple tiers of caches, if you want DNSSEC
> validation, you should turn it on everywhere you can.
> 
> It sounds to me like your outer server has somehow got data in its cache
> that can't be validated by the inner server (though I'm not entirely sure
> how that might happen). If they both validate then I would expect the
> problems to go away.

We are dropping this configuration and looking at doing something else. It
has become very clear, after much testing with different DNS services,
unbound, and named, that forwarding with named with DNSSEC validation
turned on to another named server has problems with the DNS data out in
the world. For us, this shows up with cloud-based services that play fast
and loose with the DNS specifications. We have had intermittent issues
with Slack, Microsoft, and a growing list of domains. We even have one that
consistently fails. I am just posting this as a caution to others that
you may have problems with DNSSEC validation in this configuration.

--
Dave
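For reference, the two-tier layout discussed in this thread, with validation enabled on both caches as Tony recommends, looks like the following in named.conf. This is an added illustration, not configuration posted by either participant; the address 192.0.2.53 is a placeholder for the outer server.

```conf
# Inner (internal) resolver: sends every query upstream but still validates
# the answers it gets back. Added example, not from the thread; 192.0.2.53 is
# a placeholder for the outer (main) resolver's address.
options {
    recursion yes;
    forward only;
    forwarders { 192.0.2.53; };
    # Use the built-in root trust anchor. With "forward only", this server
    # validates the RRsets and signatures returned by the outer cache, so the
    # outer cache must pass through complete DNSSEC data (DO bit honoured).
    dnssec-validation auto;
};

# Outer (main) resolver: full recursion to the Internet, validating as well.
options {
    recursion yes;
    dnssec-validation auto;
};
```

To see at which tier a given name stops validating, query each server with `dig +dnssec <name>` and look for the `ad` flag in the response header, or run `delv @<server> <name>` (shipped with BIND) so the client validates independently and reports the failing chain step; comparing both servers' results for an intermittently failing domain shows where the unvalidatable data is coming from.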
