Providing AD flag for authoritative domains
Ray Bellis
ray at isc.org
Thu Dec 22 14:09:00 UTC 2022
On 22/12/2022 13:30, Jesus Cea wrote:
> I have a validating DNSSEC bind server. I get AD (Authenticated Data)
> flag when requesting details from a DNSSEC protected domain. Good.
>
> The point is that when the requested DNS name belongs to a domain for which
> this server is authoritative and that domain is DNSSEC enabled, no AD
> flag is provided in the answer. I guess this is because bind is replying
> with DNSSEC data but it doesn't follow that DNSSEC delegation tree in
> order to verify that everything is OK and so it doesn't signal safety
> with the AD flag.
>
> Is there any way to configure bind to verify DNSSEC integrity and signal
> the AD flag for authoritative domains? Views (it would lose the AA
> flag, then)?
>
> What would be the best practice for dnssec verification? To use a fully
> validating local resolver? Any other choice? I am currently using a
> local "bind" as a resolver and it works fine for DNSSEC verification,
> except for my authoritative domains.
You can achieve this by using a hidden-primary and then using "mirror
zones" on the secondaries. They will return +AD, but not AA.
FWIW, adding your own auth data to a recursive server in this manner is
IMHO completely fine - it's what we do at ISC for our own internal
recursors.
On the other hand, having recursive lookups happen on a server that is a
designated authoritative server (in the NS set) is regarded as bad practice.
cheers,
Ray
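The hidden-primary plus mirror-zone layout Ray describes, written out as BIND 9 named.conf fragments. This is an added example, not configuration from Ray's message or from ISC; the zone name and the 192.0.2.x addresses are placeholders (RFC 5737 documentation range), and the file names are assumptions.

```conf
### named.conf on the hidden primary (authoritative only, NOT listed in the
### zone's NS set, so it never answers recursive queries from clients)
options {
    directory "/var/named";
    recursion no;                     # pure authoritative server
    allow-transfer { 192.0.2.53; };   # only the recursive server may pull the zone
};

zone "example.com" {
    type primary;
    file "example.com.db.signed";     # the zone MUST be DNSSEC-signed for a mirror zone to work
    notify explicit;
    also-notify { 192.0.2.53; };      # tell the recursive server when the zone changes
};

### named.conf on the recursive server (192.0.2.53) that clients actually use
options {
    directory "/var/named";
    recursion yes;
    dnssec-validation auto;           # required: a mirror zone is validated before it is served
    allow-recursion { 192.0.2.0/24; };
};

zone "example.com" {
    type mirror;                      # BIND 9.14+; answers carry AD, not AA
    primaries { 192.0.2.1; };         # the hidden primary above
};
```

To check the result, query the recursive server with `dig @192.0.2.53 example.com SOA +dnssec`: the flags line should contain `ad` and not `aa`. BIND only serves a mirror zone once it has validated the transferred copy against the configured trust anchors; if validation fails, the zone is not used and the server resolves those names recursively as it would for any other zone.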