Stub zones, but secndary?
Peter
pmc at citylink.dinoex.sub.org
Mon Nov 20 13:19:59 UTC 2023
On Mon, Nov 20, 2023 at 03:30:13PM +1300, Nick Tait via bind-users wrote:
! On 20/11/2023 1:00 pm, Peter wrote:
! > It's tricky. One problem is these are slave zones, they are
! > authoritative and do not work well with DNSSEC.
!
! I'm curious... What issues did you have with these zones and DNSSEC? I would
! have expected that the signed zones should just work?
Probably they do just work. But then, when I query a
nonexistent domain from a simple root-slave, the answer
carries an AA flag. When I query the same nonexistent
domain from 8.8.8.8, it carries an AD flag.
Also, somewhere in the depths of the ISC docs and tutorials
I found a paper that shows how to setup the root-slave for
DNSSEC so that it does recurse and validate (and that is
from where I started to adapt my config). So likely there is
an issue somewhere.
cheerio,
PMc
More information about the bind-users
mailing list