Forwarded lookup failing on no valid RRSIG

Matthew Pounsett matt at
Sun Dec 20 19:04:40 UTC 2020

On Fri, 18 Dec 2020 at 18:08, Nicolas Bock <nicolas.bock at>

> Thanks Mark. Am I correct then that I need to either convince the
> administrator of that DNS to enable DNSSEC or configure my DNS with
> `dnssec-validation = no`?

The upstream administrator isn't required to be validating DNSSEC for this
to work, but in order for your DNS server to do DNSSEC validation, their
DNS server must be DNSSEC aware enough to be requesting DNSSEC data when it
queries the authoritative DNS servers.  Of course, the resilience of the
whole thing would also be improved by that server also validating.

If they can't or won't update their server, then yes, you'll either have to
disable validation yourself, or select a better upstream.  Personally I'd
go looking for a better upstream (or just stop using a forwarder entirely,
and do your own direct recursion, if that's possible in your environment).
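
An added example, not part of the original message: one way to check whether a forwarder hands back the DNSSEC data a validating server needs, by reading `dig +dnssec` output and reporting which answer RRsets arrived without a covering RRSIG. The function name, the sample outputs and the 192.0.2.53 address are constructed for illustration, and the check assumes the queried name is in a signed zone.

```sh
#!/bin/sh
# Added example, not from the original post. Reads `dig +dnssec` output on
# stdin and reports, per RRset in the ANSWER section, whether a covering
# RRSIG came back. Query a name you know is signed: an unsigned zone has no
# RRSIGs for any resolver to return.
rrsig_coverage() {
  awk '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^;/ || NF == 0       { in_ans = 0; next }   # other header or blank line ends it
    in_ans && $4 == "RRSIG" { signed[tolower($1) " " $5] = 1; next }  # $5 = type covered
    in_ans                  { seen[tolower($1) " " $4] = 1 }
    END {
      verdict = "no-answer"
      for (k in seen) {
        if (k in signed) {
          print "SIGNED " k
          if (verdict == "no-answer") verdict = "rrsigs-present"
        } else {
          print "UNSIGNED " k
          verdict = "rrsigs-missing"
        }
      }
      print "verdict: " verdict
    }'
}

# Constructed sample: answer relayed by a forwarder that requests DNSSEC data.
SAMPLE_SIGNED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org. 3600 IN A 192.0.2.10
example.org. 3600 IN RRSIG A 13 2 3600 20210110000000 20201220000000 12345 example.org. Y29uc3RydWN0ZWQ=

;; Query time: 12 msec'

# Constructed sample: same name via a forwarder that returns no DNSSEC records.
SAMPLE_STRIPPED=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org. 3600 IN A 192.0.2.10

;; Query time: 12 msec'

printf '%s\n' "$SAMPLE_SIGNED" | rrsig_coverage
printf '%s\n' "$SAMPLE_STRIPPED" | rrsig_coverage
# Live use (192.0.2.53 is a placeholder forwarder address):
#   dig @192.0.2.53 example.org A +dnssec | rrsig_coverage
```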

More information about the bind-users mailing list