Force Bind caching resolver to always obey DNSSEC
lst_hoe02 at kwsoft.de
Fri Oct 1 21:07:17 UTC 2010
Zitat von Alan Clegg <aclegg at isc.org>:
> On 10/1/2010 4:50 PM, lst_hoe02 at kwsoft.de wrote:
>
>> Sorry for being unclear. We want the SERVFAIL as it should be for
>> invalid DNSSEC data *in all cases*, e.g. even if a client asks with the
>> cdflag (checking disabled) set.
>
> CD means "don't check", so you can't by definition.
>
> AlanC
>
That is what I was afraid of. It's a pity that there is no way to save the
downstream clients from stupid resolvers/downstream caches. At least
for security-relevant settings there should be a possibility to
enforce the desired behaviour and not rely on the client. With the
older Bind 9.4 as resolver the result even stays in the cache, and later
queries with "cdflag" not set deliver the invalid result until expired
:-(
Andreas
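As an added illustration (not part of the thread or of BIND), here is a small Python script that builds a query with the CD bit set and decodes the header flags of a resolver's reply, so an operator can tell a SERVFAIL'd answer from one handed back unchecked because the client set CD, and can list which downstream clients send CD=1. All names, IDs and addresses are constructed.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035 section 3.2)
QR, RD, RA, AD, CD = 1 << 15, 1 << 8, 1 << 7, 1 << 5, 1 << 4
SERVFAIL = 2

def encode_name(name):
    """Encode a dotted name in wire format (constructed names only)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, txid=0x1234, cd=False):
    """Wire-format A/IN query with RD set and, optionally, CD (checking disabled)."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response_header(txid=0x1234, rcode=0, ad=False, cd=False):
    """Constructed 12-byte reply header, as a validating resolver might send it."""
    flags = QR | RD | RA | (AD if ad else 0) | (CD if cd else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def parse_flags(msg):
    """Decode the header flags a client or a packet capture would see."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0xF}

def classify(query, response):
    """What the reply tells the client about DNSSEC validation."""
    q, r = parse_flags(query), parse_flags(response)
    if r["rcode"] == SERVFAIL:
        return "servfail"      # validation failed, data withheld
    if q["cd"] or r["cd"]:
        return "unchecked"     # CD set: the resolver did not validate, data returned as-is
    if r["ad"]:
        return "validated"
    return "unvalidated"       # unsigned zone or non-validating resolver

def cd_queries(packets):
    """From (client, raw_query) pairs, list the clients that bypass validation with CD."""
    return sorted({src for src, raw in packets if parse_flags(raw)["cd"]})

if __name__ == "__main__":
    bogus = build_query("bogus.example.test.")
    print(classify(bogus, build_response_header(rcode=SERVFAIL)))   # servfail
    bogus_cd = build_query("bogus.example.test.", cd=True)
    print(classify(bogus_cd, build_response_header(cd=True)))       # unchecked
```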