DNSSEC validation on combined auth+recursive server

Marc Lampo marc.lampo at eurid.eu
Thu Jan 6 08:52:37 UTC 2011


> I seem to remember seeing something about DNSSEC validation not working
> when a BIND server is used both to serve the DNSSEC signed zone
> authoritatively, and as a resolver? Unfortunately, I haven't managed to
> find this information again, and now I'm wondering if it was all in my
> head.

This may not be the reference you cannot find,
but at EURid, registry for the eu top level domain,
we have an "EU Insights" available that also addresses
- bogus and validating name servers (which is your case) (pg 15 + 16)
- validating forwarding name server (pg 17 + 18)

Cfr http://www.eurid.eu/files/Insights_DNSSEC2.pdf

Basically, a bogus, yet validating, name server is not a problem.
The name server uses its local data first; answers do not have the "AD"
bit set.

It would be a problem if a validating NS forwards towards this bogus name
server, regardless of whether the bogus name server is DNSSEC aware or not.

Kind regards,

Marc Lampo
Security Officer
Woluwelaan 150
1831 Diegem - Belgium
marc.lampo at eurid.eu
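To see the distinction the reply draws (local authoritative data answered without the AD bit, versus a validated answer, versus the SERVFAIL a validating forwarder would return), here is an added example, not from the post or from EURid's document, that decodes the DNS header flags of a response; the three sample headers are constructed, not captured traffic.

```python
import struct

# Masks for the 16-bit flags word of the DNS header (RFC 1035, AD/CD from RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
SERVFAIL = 2


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header and return the flags a validator cares about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def classify(msg: bytes) -> str:
    """Interpret a response header the way the reply describes:
    AA set and AD clear -> answered from local zone data, no validation claim;
    AD set -> a validating resolver asserts the data passed DNSSEC validation;
    RCODE SERVFAIL -> what a validator returns when its upstream serves bogus data."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["rcode"] == SERVFAIL:
        return "servfail (validation failure)"
    if h["aa"] and not h["ad"]:
        return "authoritative, unvalidated (local data)"
    if h["ad"]:
        return "validated"
    return "unvalidated"


def build_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Pack a header; used here only to construct sample responses."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed sample headers (hypothetical, no real traffic):
LOCAL_AUTH = build_header(0x1234, QR | AA | RD | RA)             # combined auth+recursive server
VALIDATED = build_header(0x1235, QR | RD | RA | AD)              # separate validating resolver
BOGUS_FWD = build_header(0x1236, QR | RD | RA | SERVFAIL, an=0)  # validator forwarding to a bogus server
```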
