Intended usage of dnssec-must-be-secure?

Thomas Sturm lists+bind-users at
Wed Feb 3 09:02:39 UTC 2016

On 03.02.2016 09:36, Mark Andrews wrote:
> No.  Insecure != invalid.  Insecure zones don't have a DNSSEC chain
> of trust to a configured trust anchor.

OK, understood. However, in the case of an unsigned private domain that 
is forwarded, it would be insecure and not invalid, right? What's the 
reason this does not work either, then?

More information about the bind-users mailing list