DNSSEC validation on combined auth+recursive server

Alan Clegg aclegg at isc.org
Thu Jan 6 13:19:38 UTC 2011

On 1/6/2011 3:38 AM, Eivind Olsen wrote:

> I seem to remember seeing something about DNSSEC validation not working
> when a BIND server is used both to serve the DNSSEC signed zone
> authoritatively, and as a resolver? Unfortunately, I haven't managed to
> find this information again, and now I'm wondering if it was all in my
> head.

The problem you run into is that recursive servers are the ones that do
validation (returning the AD bit) while authoritative servers return the
AA bit (mutually exclusive with the AD bit).

Mixing the functions causes your server to return AD bits for things
that it is not authoritative for (and can validate) and AA for things
that it is authoritative for (even if validatable), causing clients that
care about such things a bit of heartburn.

As Mark has said, "match-recursive" can be used to persuade your server
to respond with the appropriate header bits if your clients actually care.

> (Yes, I know it's best practice to combine the authoritative + recursive
> functionality)

[...] it's NOT best [...]
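The split Alan describes, written out as a BIND 9 `named.conf` view sketch (an added example, not from this mail or from ISC). The BIND option is spelled `match-recursive-only`; the zone name, file path and client range are placeholders, and a trust anchor for validation is assumed to be configured separately.

```conf
// Added example: two views on one BIND 9 server, so that resolver
// clients get validated (AD) answers and everyone else gets
// authoritative (AA) answers for the signed zone.

// View 1: only queries that have the RD bit set, from our own clients.
// The signed zone is deliberately NOT loaded here, so the resolver
// iterates for it, lands in the authoritative view below, validates
// the result and sets AD rather than AA.
view "resolver" {
    match-clients { 192.0.2.0/24; 127.0.0.1; };  // placeholder client range
    match-recursive-only yes;                    // RD=1 queries only
    recursion yes;
    dnssec-validation yes;   // assumes trusted-keys/managed-keys are set
};

// View 2: everything else, including the iterative (RD=0) lookups the
// resolver view sends to this host's own address. Answers for the zone
// carry AA and never AD, because nothing here validates.
view "authoritative" {
    match-clients { any; };
    recursion no;
    zone "example.com" {                         // placeholder zone
        type master;
        file "/etc/bind/zones/db.example.com.signed";  // placeholder path
    };
};
```

View order matters: the resolver view must come first, since BIND uses the first view whose `match-clients` and `match-recursive-only` conditions both hold. A quick check with `dig +dnssec` from inside and outside the client range should show AD on the one and AA on the other.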

