DNSSEC support in libbind
Simon Vallet
svallet at genoscope.cns.fr
Mon Mar 5 15:17:23 UTC 2007
On 05 Mar 2007 14:46:26 +0000
Paul Vixie <Paul_Vixie at isc.org> wrote:
> Simon Vallet <svallet at genoscope.cns.fr> writes:
> > Actually, I would have expected BIND to set the AD bit on authoritative
> > replies -- this would have solved the problem simply (although
> > admittedly not very elegantly).
>
> you have to enable dnssec in your server to get that behaviour.
I did -- but the server doesn't seem to set AD on replies when it is a
master for the zones in question (see [ISC-Bugs #16677]). Our stub
resolvers here are directly querying the master for internal zones
(which is allegedly bad practice, I know), hence the problem.
> > We'll probably give a try at other resolver implementations.
>
> be sure to try the BIND9 resolver.
I most certainly will.
Simon
More information about the bind-users
mailing list