Intended usage of dnssec-must-be-secure?

Evan Hunt each at
Wed Feb 3 16:15:15 UTC 2016

On Wed, Feb 03, 2016 at 10:02:39AM +0100, Thomas Sturm wrote:
> OK, understood. However, in the case of an unsigned private domain that 
> is forwarded, it would be insecure and not invalid, right? What's the 
> reason this does not work either, then?

It is invalid. There's a TLD claiming to be a child of the root zone
which the root zone denies having.

A couple of ways to make this work:

1) Sign your internal TLD and give all your local resolvers a copy of its
key. The key for the TLD will be used as a trust anchor; there will be no
need to validate the full chain of trust up to the root zone.

2) Have all your local resolvers slave the local TLD. When a server gives
out an authoritative answer to a query, it doesn't bother to validate it,
because when you're the authority you already *know* whether you're giving
the correct answer.

Evan Hunt -- each at
Internet Systems Consortium, Inc.

More information about the bind-users mailing list