Providing AD flag for authoritative domains
Emmanuel Fusté
manu.fuste at gmail.com
Thu Dec 22 14:13:25 UTC 2022
On 22/12/2022 at 14:30, Jesus Cea wrote:
> I have a validating DNSSEC bind server. I get AD (Authenticated Data)
> flag when requesting details from a DNSSEC protected domain. Good.
>
> The point is that when the requested DNS name belongs to a domain with
> this server is authoritative and that domain is DNSSEC enabled, no AD
> flag is provided in the answer. I guess this is because bind is
> replying with DNSSEC data but it doesn't follow that DNSSEC delegation
> tree in order to verify that everything is OK and so it doesn't signal
> safety with the AD flag.
>
> Is there any way to configure bind to verify DNSSEC integrity and
> signal the AD flag for authoritative domains? Views (it would lose
> the AA flag, then)?
>
> What would be the best practice for dnssec verification? To use a
> fully validating local resolver? Any other choice? I am currently
> using a local "bind" as a resolver and it works fine for DNSSEC
> verification, except for my authoritative domains.
>
If you trust your server for the AD bit, you could trust it for the AA bit
without the AD bit.
Otherwise you should go for a local validating server. It is a policy
decision.
Emmanuel.
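The distinction the thread turns on, an authoritative answer (AA set, AD clear) versus a validated recursive answer (AD set, AA clear), lives in the DNS header flags. The following is an added illustration, not code from the bind-users thread or from BIND: it builds two constructed wire-format headers that mimic the two responses described above, parses the flag bits, and applies the "policy decision" from the reply as a small function. The sample headers, transaction ids and the `trust_local_authority` parameter are assumptions made for the example.

```python
"""Read AA and AD bits from DNS response headers (constructed, offline).

Added example for the bind-users thread on AD flags for authoritative
zones; not BIND code. Headers are hand-built in wire format (RFC 1035,
RFC 4035), so nothing here touches the network.
"""
import struct
from dataclasses import dataclass

# Bit positions inside the 16-bit flags word of the DNS header.
QR = 1 << 15  # message is a response
AA = 1 << 10  # Authoritative Answer
TC = 1 << 9   # truncated
RD = 1 << 8   # Recursion Desired
RA = 1 << 7   # Recursion Available
AD = 1 << 5   # Authenticated Data (DNSSEC validated by the responder)
CD = 1 << 4   # Checking Disabled


@dataclass
class DnsHeader:
    txid: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & QR)

    @property
    def authoritative(self) -> bool:
        return bool(self.flags & AA)

    @property
    def authenticated(self) -> bool:
        return bool(self.flags & AD)

    @property
    def rcode(self) -> int:
        return self.flags & 0x0F  # 0 = NOERROR


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte DNS header at the start of a message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return DnsHeader(*struct.unpack("!6H", msg[:12]))


def build_header(txid: int, flags: int, qdcount: int = 1, ancount: int = 1) -> bytes:
    """Constructed header bytes for the examples below (no question/answer sections)."""
    return struct.pack("!6H", txid, flags, qdcount, ancount, 0, 0)


# Constructed sample 1: the poster's own authoritative BIND answering its zone.
# AA is set, AD is not, exactly as described in the question.
AUTH_RESPONSE = build_header(0x1234, QR | AA | RD)

# Constructed sample 2: a local validating resolver answering for a signed
# zone it is not authoritative for. AD and RA are set, AA is not.
VALIDATED_RESPONSE = build_header(0x1235, QR | RD | RA | AD)


def answer_is_trusted(hdr: DnsHeader, trust_local_authority: bool = False) -> bool:
    """Apply the policy from the reply: AD means validated data; an AA answer
    from a server you already trust may be accepted on the strength of AA alone
    (trust_local_authority is an assumed policy knob, not a BIND option)."""
    if not hdr.is_response or hdr.rcode != 0:
        return False
    if hdr.authenticated:
        return True
    return hdr.authoritative and trust_local_authority


def describe(msg: bytes) -> str:
    """Human-readable summary of the flags that matter for this thread."""
    h = parse_header(msg)
    bits = [name for name, bit in (("AA", AA), ("AD", AD), ("RA", RA)) if h.flags & bit]
    return f"id={h.txid:#06x} flags={'+'.join(bits) or 'none'} rcode={h.rcode}"


if __name__ == "__main__":
    for label, msg in (("authoritative", AUTH_RESPONSE), ("validated", VALIDATED_RESPONSE)):
        h = parse_header(msg)
        print(label, describe(msg),
              "trusted(strict)=", answer_is_trusted(h),
              "trusted(own server)=", answer_is_trusted(h, trust_local_authority=True))
```

Running it shows the authoritative header is rejected under a strict "AD only" policy and accepted once the local server's AA is trusted, while the validated recursive header is accepted either way; that is the policy choice the reply describes.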