dot at dotat.at
Wed Apr 11 13:48:06 UTC 2018
Bob McDonald <bmcdonaldjr at gmail.com> wrote:
> Server A
> Valid trust anchor for the root zone
> DNSSEC validation seems to work correctly
> Zone one.com. is setup as a forward zone to server B
> Server B
> authoritative and the master for one.com.
This setup will not work reliably: the target forwarding server has to be
a recursive server, since the forwarding client will expect it to do full
resolution of the query - following delegations, etc. I expect it will
have funky interactions with DNSSEC validation (e.g. chasing DS records)
but I have not experimented with this myself.
Also, you should never turn off the `dnssec-enable` setting, since that
prevents BIND from doing the right thing with RRSIG/NSEC/DS records. This
will break downstream validation even if the server is not itself
validating - that is, if you turn it off on an authoritative server, it
cannot serve any signed zones.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Southeast Malin: Easterly 5 to 7. Slight or moderate, becoming moderate or
rough. Mainly fair. Good.
More information about the bind-users