Force Bind caching resolver to always obey DNSSEC

lst_hoe02 at kwsoft.de
Fri Oct 1 20:26:46 UTC 2010


Hello

After the root zones are now DNSSEC signed, we would like to use DNSSEC at
our caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and
basically it is working fine. What I have not managed is to always
force obeying DNSSEC-signed zones for resolving, e.g. if I use "dig
+cdflag www.rhybar.cz" the caching resolver ignores the invalidly signed
result set and delivers the A record. If I don't use "+cdflag" the
result is SERVFAIL (no result).

We have set the following:

dnssec-enable yes;
dnssec-validation yes;

managed-keys { ... };    for the root zone

Are there any settings to never return a result for invalid signed  
result sets?

Many Thanks

Andreas
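The two dig runs described in the message above (one with +cdflag, one without) are the usual way to check what a validating resolver is doing. The following POSIX sh helper is an added example, not code from the original post or from BIND; it classifies a dig response from its status line and header flags, so the check can be scripted. The three sample responses embedded in it are constructed for illustration, and the resolver address 127.0.0.1 in the usage comments is a placeholder. One caveat the classification makes explicit: a query that sets the CD bit asks the resolver to skip validation (RFC 4035), so receiving the unvalidated answer in that case is the defined behaviour, not a validation failure; what a validating resolver must do without CD is return SERVFAIL for a bogus zone, which is what the message reports.

```shell
#!/bin/sh
# Added example: classify a resolver's answer from `dig` output.
# Not from the original post or from BIND's own tooling.
#
# Live usage (needs network; 127.0.0.1 and the hostname are placeholders):
#   dig @127.0.0.1 www.example.com A          | classify_dig_output
#   dig @127.0.0.1 www.example.com A +cdflag  | classify_dig_output
#
# Results:
#   validated      NOERROR/NXDOMAIN with the "ad" flag: chain of trust validated
#   bogus          SERVFAIL: validation failed (or the upstream path is broken)
#   unvalidated-cd answer carries "cd" and no "ad": the client asked the
#                  resolver to skip validation, which RFC 4035 requires it to honour
#   unvalidated    no "ad" and no "cd": insecure zone, or the resolver is not validating
#   no-response    no dig header found (timeout, or not dig output at all)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    has_ad=0; has_cd=0
    case " $flags " in *" ad "*) has_ad=1 ;; esac
    case " $flags " in *" cd "*) has_cd=1 ;; esac
    if [ -z "$status" ]; then
        echo no-response
    elif [ "$status" = "SERVFAIL" ]; then
        echo bogus
    elif [ "$has_ad" = 1 ]; then
        echo validated
    elif [ "$has_cd" = 1 ]; then
        echo unvalidated-cd
    else
        echo unvalidated
    fi
}

# Constructed sample dig output: a validated answer (ad flag set).
sample_validated() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.	300	IN	A	192.0.2.10
EOF
}

# Constructed sample dig output: a bogus zone queried without CD.
sample_servfail() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

# Constructed sample dig output: the same bogus zone queried with +cdflag.
sample_cd() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.	300	IN	A	192.0.2.10
EOF
}

# Stand-alone run over the constructed samples.
for s in sample_validated sample_servfail sample_cd; do
    printf '%s: %s\n' "$s" "$($s | classify_dig_output)"
done
```

Pointing the two live commands at a validating resolver should give `validated` for a correctly signed name, `bogus` for a deliberately broken one without +cdflag, and `unvalidated-cd` for the broken one with +cdflag; an `unvalidated` result for a name that is known to be signed means the resolver is not validating at all and the dnssec-validation setting or trust anchors should be checked.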