forwarding + validating name server : protocol error or simply "unexplored fields" ?

Mark Andrews marka at
Tue Nov 9 14:33:33 UTC 2010

In message <006001cb7ffe$7a6f5b10$6f4e1130$>, "Marc Lampo" writes:
> Hello,
> Much attention has been given to DNSSEC - how it brings security - the
> "chain-of-trust" - the root zone signed - activities of tld's to get
> signed - ...
> but we - I belong to an organisation in charge of a tld - should also pay
> attention to the validating, client, side of DNSSEC.
> What I see in practice, but which might simply be "implementation" of a
> name service,
> is that a forwarding + validating name server,
> that forwards to a caching name server which is not aware of DNSSEC,
> cannot resolve anything : all responses for either signed or unsigned
> domains return SERVFAIL !

This is expected. The forwarder MUST be DNSSEC-aware, otherwise it
will not return the correct answers to queries with DO set, and it
SHOULD be validating itself so that bogus results are not cached.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
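
An added example, not part of the original message: a standard-library Python sketch of the check implied above, building a query with the EDNS0 DO bit set and inspecting a raw reply for an OPT record, the echoed DO bit and RRSIG records. All function names are hypothetical, and the two replies are constructed inline (dummy RRSIG rdata) instead of being captured from a real forwarder.

```python
import struct
TYPE_OPT, TYPE_RRSIG = 41, 46
DO_FLAG = 0x8000  # DO bit: top bit of the flags half of the OPT TTL field

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1, qid=0x1234, do=True):
    """Query with an EDNS0 OPT record; DO=1 asks for DNSSEC records."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if do else 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):  # offset just past the (possibly compressed) name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def inspect_response(msg):
    """Return (has_opt, do_echoed, rrsig_count) for a raw DNS response."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    has_opt, do_echoed, rrsigs = False, False, 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            has_opt, do_echoed = True, bool(ttl & DO_FLAG)
        elif rtype == TYPE_RRSIG:
            rrsigs += 1
    return has_opt, do_echoed, rrsigs

def rr(name, rtype, rclass, ttl, rdata):
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def sample_response(dnssec_aware):
    """Constructed reply for example.com A; the RRSIG rdata is dummy bytes."""
    an, ar = (2, 1) if dnssec_aware else (1, 0)
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, an, 0, ar)
    msg += encode_name("example.com") + struct.pack("!HH", 1, 1)
    msg += rr(b"\xc0\x0c", 1, 1, 300, bytes([192, 0, 2, 1]))  # pointer to qname
    if dnssec_aware:
        msg += rr(b"\xc0\x0c", TYPE_RRSIG, 1, 300, b"\x00" * 24)
        msg += rr(b"\x00", TYPE_OPT, 4096, DO_FLAG, b"")
    return msg
```

A reply with no OPT record and no RRSIGs, as in `sample_response(False)`, is what a forwarder that ignores DO looks like to the validator behind it. An unsigned zone also yields zero RRSIGs, so run the check against a name known to be signed.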
