Providing AD flag for authoritative domains

Jesus Cea jcea at jcea.es
Thu Dec 22 13:30:43 UTC 2022


I have a validating DNSSEC bind server. I get AD (Authenticated Data) 
flag when requesting details from a DNSSEC protected domain. Good.

The point is that when the requested DNS name belongs to a domain for 
which this server is authoritative and that domain is DNSSEC enabled, no AD 
flag is provided in the answer. I guess this is because bind is replying 
with DNSSEC data but it doesn't follow the DNSSEC delegation tree in 
order to verify that everything is OK, and so it doesn't signal safety 
with the AD flag.

Is there any way to configure bind to verify DNSSEC integrity and signal 
the AD flag for authoritative domains? Views (it would lose the AA 
flag, then)?

What would be the best practice for dnssec verification? To use a fully 
validating local resolver? Any other choice? I am currently using a 
local "bind" as a resolver and it works fine for DNSSEC verification, 
except for my authoritative domains.

-- 
Jesús Cea Avión                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - https://www.jcea.es/    _/_/    _/_/  _/_/    _/_/  _/_/
Twitter: @jcea                        _/_/    _/_/          _/_/_/_/_/
jabber / xmpp:jcea at jabber.org  _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
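
The distinction the post turns on is visible in the DNS header flags word: a validating resolver answers with AD set and AA clear, while an authoritative server answers with AA set and AD clear. Below is an added example (not code from the post and not part of BIND) that decodes the 12-byte DNS header from wire format with only the Python standard library and classifies a response by those two bits. The three sample headers are constructed inline for the demonstration, not captured from a real server; the function and constant names are this example's own.

```python
"""Decode DNS header flags and classify a response as validated (AD) or
merely authoritative (AA).  Added example; pure standard library."""
import struct

# Bit positions in the 16-bit flags word of the DNS header.
# QR/AA/TC/RD/RA come from RFC 1035 section 4.1.1; AD and CD from RFC 4035.
FLAG_BITS = {
    "QR": 0x8000,  # 1 = response, 0 = query
    "AA": 0x0400,  # authoritative answer: served straight from zone data
    "TC": 0x0200,  # message was truncated
    "RD": 0x0100,  # recursion desired (copied from the query)
    "RA": 0x0080,  # recursion available
    "AD": 0x0020,  # authenticated data: a validating resolver verified the chain of trust
    "CD": 0x0010,  # checking disabled: client asked the resolver not to validate
}
OPCODE_MASK = 0x7800  # bits 1-4
RCODE_MASK = 0x000F   # low nibble


def parse_header(wire: bytes) -> dict:
    """Unpack the fixed 12-byte header of a DNS message into named fields."""
    if len(wire) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", wire[:12])
    hdr = {name: bool(flags & bit) for name, bit in FLAG_BITS.items()}
    hdr.update(
        id=msg_id,
        opcode=(flags & OPCODE_MASK) >> 11,
        rcode=flags & RCODE_MASK,
        qdcount=qdcount,
        ancount=ancount,
        nscount=nscount,
        arcount=arcount,
    )
    return hdr


def classify(hdr: dict) -> str:
    """Say what the flags tell a client about the answer's trustworthiness.

    Caveat (RFC 6840 section 5.8): the AD bit only means something when the
    path between client and resolver is itself trusted (loopback, TSIG, or a
    resolver running locally); over an untrusted network it can be forged.
    """
    if not hdr["QR"]:
        return "query"
    if hdr["AD"]:
        return "validated"       # resolver walked and verified the DNSSEC chain
    if hdr["AA"]:
        return "authoritative"   # zone data, signed or not, but nobody validated it
    return "unvalidated"


def build_header(msg_id: int, flag_names, rcode: int = 0,
                 qdcount: int = 1, ancount: int = 0) -> bytes:
    """Construct a 12-byte DNS header; used here only to build sample input."""
    flags = 0
    for name in flag_names:
        flags |= FLAG_BITS[name]
    flags |= rcode & RCODE_MASK
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, 0, 0)


# Constructed sample headers (not real captures) mirroring the post's two cases
# plus a plain recursive answer for a zone with no DNSSEC at all.
VALIDATED = build_header(0x1234, ["QR", "RD", "RA", "AD"], ancount=2)       # validating resolver
AUTHORITATIVE = build_header(0x1235, ["QR", "AA", "RD"], ancount=2)         # authoritative server
PLAIN = build_header(0x1236, ["QR", "RD", "RA"], ancount=1)                 # recursive, unsigned zone


if __name__ == "__main__":
    for label, wire in (("validating resolver", VALIDATED),
                        ("authoritative server", AUTHORITATIVE),
                        ("unsigned zone", PLAIN)):
        hdr = parse_header(wire)
        set_flags = " ".join(n for n in FLAG_BITS if hdr[n])
        print(f"{label:22s} flags: {set_flags:16s} -> {classify(hdr)}")
```

Run against a real server, the same decoding applies to the first 12 bytes of whatever `dig` or a raw UDP socket returns; the point of the classification is that "AA set, AD clear" is exactly what the post observes for locally authoritative zones, and that a client wanting the AD signal has to ask a validating resolver over a path it trusts.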


More information about the bind-users mailing list