Intended usage of dnssec-must-be-secure?

Evan Hunt each at
Wed Feb 3 08:39:45 UTC 2016

On Wed, Feb 03, 2016 at 08:37:27AM +0100, Thomas Sturm wrote:
> Am I doing something wrong, or is this not the actual intended usage of 
> this option?

That's not the intended usage.

dnssec-must-be-secure means what it says: the answers in this domain
*must be secure*.  Everything has to be signed and validate correctly.
If it gets an unsigned answer, it is presumed to be a forgery.

> Of course, my use case is not resolving broken DNSSEC zones, but 
> resolving forwarded local zones (non-existing TLD), however, above 
> example should make the question more obvious.

I would suggest slaving the local zone instead of forwarding it.

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list