<div dir="ltr"><sigh> I should have pointed out that BOTH servers have recursion turned on.<div><br></div><div>Yeah, I know about having DNSSEC-enable=yes to not break downstream validation. (I inherited this setup...)</div><div><br></div><div>BOTH are internal DNS servers with access to the internet to query the internet roots (no default forwarding active).</div><div><br></div><div>I suspect it's the issue of having the DNSSEC-enable set to off on server B even though it's not validating. (But that's just a guess...)</div><div><br></div><div>Thanks,</div><div><br></div><div>Bob</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 11, 2018 at 9:48 AM, Tony Finch <span dir="ltr"><<a href="mailto:dot@dotat.at" target="_blank">dot@dotat.at</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Bob McDonald <<a href="mailto:bmcdonaldjr@gmail.com">bmcdonaldjr@gmail.com</a>> wrote:<br>
><br>
> Server A<br>
> DNSSEC=yes<br>
> DNSSEC-validation=yes<br>
> Valid trust anchor for the root zone<br>
> DNSSEC validation seems to work correctly<br>
> Zone <a href="http://one.com" rel="noreferrer" target="_blank">one.com</a>. is setup as a forward zone to server B<br>
><br>
> Server B<br>
> DNSSEC=no<br>
> DNSSEC-validation=N/A<br>
> authoritative and the master for <a href="http://one.com" rel="noreferrer" target="_blank">one.com</a>.<br>
<br>
</span>This setup will not work reliably: the target forwarding server has to be<br>
a recursive server, since the forwarding client will expect it to do full<br>
resolution of the query - following delegations, etc. I expect it will<br>
have funky interactions with DNSSEC validation (e.g. chasing DS records)<br>
but I have not experimented with this myself.<br>
<br>
Also, you should never turn off the `dnssec-enable` setting, since that<br>
prevents BIND from doing the right thing with RRSIG/NSEC/DS records. This<br>
will break downstream validation even if the server is not itself<br>
validating - that is, if you turn it off on an authoritative server, it<br>
cannot serve any signed zones.<br>
<span class="HOEnZb"><font color="#888888"><br>
Tony.<br>
--<br>
f.anthony.n.finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> <a href="http://dotat.at/" rel="noreferrer" target="_blank">http://dotat.at/</a><br>
Southeast Malin: Easterly 5 to 7. Slight or moderate, becoming moderate or<br>
rough. Mainly fair. Good.<br>
</font></span></blockquote></div><br></div>