Validating a DNSSEC installation

Chris Thompson cet1 at
Tue Jun 16 11:08:01 UTC 2009

On Jun 15 2009, Chris Buxton wrote:

>On Jun 13, 2009, at 4:59 AM, Erik Lotspeich wrote:
>> Is it normal that a validating resolver can't validate a domain it is
>> authoritative for?
>Absolutely. As Alan Clegg wrote not long ago on this list,

You presumably refer to

which I *suppose* counts as "not long ago" ... :-)

>                                                           this is why  
>a DNSSEC validating resolver should not be authoritative for any  
>signed zones.

This seems too strong to me, There are lots of good reasons why one may
want a resolver to stealth slave local (possibly signed) zones, and thus
be "authoritative" for them. However, it is certainly the case that because
no other validation is performed on these zones, they should be fetched
by secure means, e.g. TSIG-signed transfers from trusted master servers.

Chris Thompson
Email: cet1 at

More information about the bind-users mailing list