Intended usage of dnssec-must-be-secure?
each at isc.org
Wed Feb 3 16:15:15 UTC 2016
On Wed, Feb 03, 2016 at 10:02:39AM +0100, Thomas Sturm wrote:
> OK, understood. However, in the case of an unsigned private domain that
> is forwarded, it would be insecure and not invalid, right? What's the
> reason this does not work either, then?
It is invalid. There's a TLD claiming to be a child of the root zone
which the root zone denies having.
A couple of ways to make this work:
1) Sign your internal TLD and give all your local resolvers a copy of its
key. The key for the TLD will be used as a trust anchor; there will be no
need to validate the full chain of trust up to the root zone.
2) Have all your local resolvers slave the local TLD. When a server gives
out an authoritative answer to a query, it doesn't bother to validate it,
because when you're the authority you already *know* whether you're giving
the correct answer.
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
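As an added illustration of the two approaches Evan describes (this is not part of his message or ISC's documentation), here is what each looks like in a BIND 9 named.conf of the 2016 era. It assumes a private TLD named "corp." served by an internal primary at 10.0.0.1, a zone file path, and a placeholder for the KSK public key; all of these are hypothetical.

```conf
// Added example, not from the original post. Assumes an internal TLD "corp."
// whose primary server is 10.0.0.1 (both hypothetical). 2016-era BIND 9 syntax.

options {
    // Validate using the built-in root trust anchor. Without a closer trust
    // anchor, "corp." would be proven bogus: the root zone denies it exists.
    dnssec-validation auto;
};

// Option 1: sign "corp." and install its KSK as a trust anchor on every
// local resolver. Validation for names under corp. stops at this key, so the
// chain of trust is never followed up to the root zone.
trusted-keys {
    // Placeholder: replace with the base64 DNSKEY RDATA of the corp. KSK
    // (257 = KSK flag, 3 = protocol, 8 = RSASHA256).
    "corp." 257 3 8 "<base64 DNSKEY public key>";
};

// The resolver still has to send corp. queries to the internal servers
// instead of the public root, so forward them, and forward only.
zone "corp." {
    type forward;
    forward only;
    forwarders { 10.0.0.1; };
};

// Option 2 (alternative to the forward zone above; do not use both for the
// same name): every local resolver slaves "corp." from the internal primary.
// Answers it gives as an authority are not validated, so with this setup the
// zone does not even need to be signed.
zone "corp." {
    type slave;
    masters { 10.0.0.1; };
    file "slaves/corp.db";   // hypothetical path
};
```

For option 1 the KSK can be produced with `dnssec-keygen -a RSASHA256 -b 2048 -f KSK corp.` and the zone signed with `dnssec-signzone`; the DNSKEY record from the resulting `K corp.+008+NNNNN.key` file is what goes into the trusted-keys statement. A static trusted-keys entry does not follow key rollovers automatically, so every resolver must be updated when the KSK changes; `managed-keys` (RFC 5011) avoids that at the cost of a more involved initial setup.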