Providing AD flag for authoritative domains

Mark Andrews marka at isc.org
Thu Dec 22 20:09:16 UTC 2022



> On 23 Dec 2022, at 01:13, Emmanuel Fusté <manu.fuste at gmail.com> wrote:
> 
> On 22/12/2022 at 14:30, Jesus Cea wrote:
>> I have a validating DNSSEC bind server. I get AD (Authenticated Data) flag when requesting details from a DNSSEC protected domain. Good.
>> 
>> The point is that when the requested DNS name belongs to a domain for which this server is authoritative and that domain is DNSSEC enabled, no AD flag is provided in the answer. I guess this is because bind is replying with DNSSEC data but it doesn't follow the DNSSEC delegation tree in order to verify that everything is OK, and so it doesn't signal safety with the AD flag.
>> 
>> Is there any way to configure bind to verify DNSSEC integrity and signal the AD flag for authoritative domains? Views (it would lose the AA flag, then)?
>> 
>> What would be the best practice for dnssec verification? To use a fully validating local resolver? Any other choice? I am currently using a local "bind" as a resolver and it works fine for DNSSEC verification, except for my authoritative domains.
>> 
> If you trust your server for the AD bit, you could trust it for AA bit without AD bit.
> Otherwise you should go for a local validating server. It is a policy decision.

Or you should do what was originally intended to happen and have your applications validate the data using DNSSEC. Without a tamper-proof channel between the validating recursive resolver and the client you should not trust AD.

> Emmanuel.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
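As an added illustration (not code from the thread or from BIND), a stdlib-only Python helper that decodes the DNS header bits behind the two cases discussed, an authoritative answer carrying AA but not AD, and a validated recursive answer carrying AD, and applies the rule from the reply: an application should only act on AD when the channel to the resolver is one it trusts. The sample headers are constructed, and the resolver address and the `tamper_proof_channel` argument are assumptions standing in for whatever the caller knows about that channel.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD added by RFC 4035 section 3.1.6).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


@dataclass
class Header:
    id: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)


def parse_header(wire: bytes) -> Header:
    """Decode the 12-byte header at the start of a wire-format DNS message."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    return Header(*struct.unpack("!HHHHHH", wire[:12]))


def build_header(flags: int, msg_id: int = 0x1234, ancount: int = 1) -> bytes:
    """Constructed sample header (not a real capture): one question, `ancount` answers."""
    return struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)


def describe(h: Header) -> str:
    """Name the case a response falls into, as discussed in the thread."""
    if not h.has(QR):
        return "query"
    if h.has(AA) and not h.has(AD):
        return "authoritative answer, not validated (AA=1, AD=0)"
    if h.has(AD):
        return "validated by the resolver (AD=1)"
    return "recursive answer, not validated (AD=0)"


def may_trust_ad(h: Header, resolver_ip: str, tamper_proof_channel: bool) -> bool:
    """Apply the rule from the reply: AD only counts over a channel the client trusts.
    Loopback is taken as trusted; for anything else the caller must assert that the
    path is protected (e.g. TSIG or DNS over TLS), which is an assumption made here."""
    if not h.has(AD):
        return False
    return ip_address(resolver_ip).is_loopback or tamper_proof_channel
```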