Intended usage of dnssec-must-be-secure?
lists+bind-users at nerdli.ch
Wed Feb 3 07:37:27 UTC 2016
According to the documentation of the option 'dnssec-must-be-secure',
which reads like
"Specify hierarchies which must be or may not be secure (signed
and validated). If yes, then named will only accept answers if
they are secure. If no, then normal DNSSEC validation applies
allowing for insecure answers to be accepted. The specified domain
must be under a trusted-keys or managed-keys statement, or
dnssec-lookaside must be active."
I understand that I should be able to resolve dnssec-failed.org
successfully with a config like:
. initial-key 257 3 8 [current root key];
dnssec-must-be-secure dnssec-failed.org no;
I have a managed-keys statement and dnssec-validation is set to "yes",
and not "auto" (which might be a problem as I read elsewhere). However,
this doesn't work.
02-Feb-2016 17:29:47.036 broken trust chain resolving
Am I doing something wrong, or is this not the actual intended usage of
Of course, my use case is not resolving broken DNSSEC zones, but
resolving forwarded local zones (a non-existing TLD); however, the above
example should make the question more obvious.
Thanks for any input.
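For readers of this thread, here is an added named.conf skeleton (not from the original post, and not BIND's own documentation) that shows where the two statements quoted above actually sit relative to each other: managed-keys is a top-level statement, while dnssec-validation and dnssec-must-be-secure belong in options (or a view). The root key string, the "lan" zone name and the forwarder address 192.0.2.53 are placeholders. The comments restate what the quoted documentation says about "yes" and "no": "no" means normal validation still applies, it is not an exemption from validation.

```conf
// Added example: minimal named.conf layout for the statements discussed
// in the question. All key material, names and addresses are placeholders.

managed-keys {
    // Root trust anchor; replace the quoted string with the real root KSK.
    . initial-key 257 3 8 "[current root key]";
};

options {
    recursion yes;

    // Validation has to be on for dnssec-must-be-secure to have any effect.
    dnssec-validation yes;

    // "yes": answers under this name are accepted only if they validate.
    // "no":  per the documentation quoted above, normal validation still
    //        applies, so insecure (unsigned) answers are accepted but a
    //        broken chain under a signed parent is still rejected.
    dnssec-must-be-secure dnssec-failed.org no;
    dnssec-must-be-secure example.com yes;
};

// The poster's real case: a locally forwarded zone under an invented TLD.
// Zone name and forwarder address are placeholders.
zone "lan" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

Before reloading, `named-checkconf /etc/named.conf` (adjust the path to your installation) catches misplaced statements such as a dnssec-must-be-secure line outside options or a view.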