Force Bind caching resolver to always obey DNSSEC

Alan Clegg aclegg at isc.org
Fri Oct 1 20:36:08 UTC 2010


On 10/1/2010 4:26 PM, lst_hoe02 at kwsoft.de wrote:
> Hello
> 
> after the root zones are now DNSSEC signed we like to use DNSSEC at our
> caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and
> basically it is working fine. What I have not managed is to always
> force obeying DNSSEC signed zones for resolving, e.g. if I use "dig
> +cdflag www.rhybar.cz" the caching resolver ignores the invalidly signed
> result set and delivers the A record. If I don't use the "+cdflag" the
> result is SERVFAIL (no result).

[..]

> Are there any settings to never return a result for invalid signed
> result sets?

SERVFAIL is the correct response when data is invalid.  I'm not
sure what you actually want...  If you "never return a result", the user
on the other end will continue to attempt to resolve the (bad) zone.

AlanC
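
What "+cdflag" does on the wire, and why the two answers in the thread differ, comes down to one header bit. The following is an added example written for this archive page; it is not code from the thread, from ISC or from BIND. It builds a DNS query with and without the CD (Checking Disabled) bit, then models a validating resolver's required behaviour from RFC 4035: with CD set it returns the data unvalidated (AD clear); with CD clear it returns SERVFAIL (RCODE 2) when validation fails and data with AD set when validation succeeds. No signatures are actually checked: the `validation_ok` argument stands in for the outcome of validation, and the names, transaction id and 192.0.2.1 answer are constructed sample data.

```python
"""
Added example (not from the original thread, not BIND code): models the DNS
header bits behind `dig +cdflag` and a validating resolver's response to them
(RFC 4035 sections 3.2.2 and 5.5).  All messages are constructed inline; no
network access is used and no real DNSSEC validation is performed.
"""
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035)
QR = 1 << 15   # response
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
AD = 1 << 5    # Authentic Data: the resolver validated the answer
CD = 1 << 4    # Checking Disabled: client asks the resolver to skip validation
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2

# Constructed answer RR: compression pointer to the question name (0xC00C),
# type A, class IN, TTL 300, 4 bytes of rdata = 192.0.2.1 (documentation range).
SAMPLE_A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])


def build_query(qname, qtype=1, cd=False, txid=0x1234):
    """Minimal DNS query for qname; sets the CD bit when asked, as `dig +cdflag` does."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qn + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a client cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0x0F,
        "qdcount": qd,
        "ancount": an,
    }


def resolver_response(query, validation_ok):
    """Model a validating recursive resolver.

    `validation_ok` stands in for the result of DNSSEC validation of the
    answer (assumption: nothing is signed or verified here).
      - CD set in the query: hand the data back unvalidated, AD clear, CD echoed.
      - CD clear and validation fails: SERVFAIL with an empty answer section.
      - CD clear and validation passes: the data with AD set.
    """
    q = parse_header(query)
    question = query[12:]            # the query carries only header + question
    flags = QR | RD | RA
    if q["cd"]:
        flags |= CD
        answer, rcode = SAMPLE_A_RR, RCODE_NOERROR
    elif validation_ok:
        flags |= AD
        answer, rcode = SAMPLE_A_RR, RCODE_NOERROR
    else:
        answer, rcode = b"", RCODE_SERVFAIL
    flags |= rcode
    ancount = 1 if answer else 0
    header = struct.pack("!HHHHHH", q["id"], flags, 1, ancount, 0, 0)
    return header + question + answer


def lookup(qname, cd, validation_ok):
    """Run one query through the model; returns (rcode, ancount, ad)."""
    resp = resolver_response(build_query(qname, cd=cd), validation_ok)
    h = parse_header(resp)
    return h["rcode"], h["ancount"], h["ad"]


if __name__ == "__main__":
    # The thread's case: a zone whose signatures do not validate (assumed here).
    print("no +cdflag :", lookup("www.rhybar.cz", cd=False, validation_ok=False))
    print("   +cdflag :", lookup("www.rhybar.cz", cd=True, validation_ok=False))
    # A zone that validates: data comes back with AD set.
    print("valid zone :", lookup("www.isc.org", cd=False, validation_ok=True))
```

The model makes the point of the reply concrete: a client that sets CD has explicitly asked for unvalidated data, so the resolver returning it is not a misconfiguration, and the only thing to watch on the client side is that such answers never carry AD. A resolver-side setting that refuses CD queries would not be standards-conforming behaviour, which is why SERVFAIL on ordinary queries is already the strongest answer the server gives.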
