DNSSEC support in libbind

Simon Vallet svallet at genoscope.cns.fr
Mon Mar 5 15:17:23 UTC 2007

On 05 Mar 2007 14:46:26 +0000
Paul Vixie <Paul_Vixie at isc.org> wrote:

> Simon Vallet <svallet at genoscope.cns.fr> writes:

> > Actually, I would have expected BIND to set the AD bit on authoritative
> > replies -- this would have solved the problem simply (although
> > admittedly not very elegantly).
> you have to enable dnssec in your server to get that behaviour.

I did -- but the server doesn't seem to set AD on replies when it is a
master for the zones in question (see [ISC-Bugs #16677]). Our stub
resolvers here are directly querying the master for internal zones
(which is allegedly bad practice, I know), hence the problem.

> > We'll probably give a try at other resolver implementations.
> be sure to try the BIND9 resolver.

I most certainly will.


More information about the bind-users mailing list