Erik Lotspeich wrote:

> I now get the AD flag when querying external validating resolvers such
> as the ones you mention.

That's good.
May your signatures never expire and your keys always be valid.

> I believe that my BIND is configured properly to be a validating
> resolver as well:
> 
> # dig +adflag @ns.lotspeich.org. isc.org.
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
> [snip]

Looks good.

> Is it normal that a validating resolver can't validate a domain it is
> authoritative for?

It could, but it doesn't, as it implicitly trusts its storage backend.
You see the AA (authoritative answer) flag instead of AD.

> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

If you want BIND to check signatures and set the AD flag, you would have
to set up views, with the authoritative zones in one view and forwarding
zones in another.


Hauke.
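As an added illustration of the two-view layout Hauke describes (example configuration written for this thread, not taken from the thread or from ISC's documentation), here is a named.conf fragment in which the authoritative zone lives in one view and the validating resolver reaches it only through a forward zone. The addresses 192.0.2.1/192.0.2.2, the zone name example.com and the file paths are assumptions.

```conf
// Added example, not from the thread. Assumes the host has two addresses:
// 192.0.2.1 serves authoritative answers, 192.0.2.2 serves the validating
// recursive service. example.com and the file paths are placeholders.

options {
    directory "/var/cache/bind";
    dnssec-validation auto;   // validate using the built-in root trust anchor
};

// Authoritative view: answers straight from the signed zone file.
// Responses carry AA, never AD, because nothing here is validated.
view "authoritative" {
    match-destinations { 192.0.2.1; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.signed";
    };
};

// Resolver view: does not load the zone itself. Queries for example.com are
// forwarded to the authoritative view over the wire, so the answer is treated
// like any external data: signatures are checked against the chain from the
// root and AD is set only when validation succeeds.
view "resolver" {
    match-destinations { 192.0.2.2; };
    recursion yes;
    allow-recursion { 192.0.2.0/24; 127.0.0.0/8; };
    zone "example.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.1; };
    };
};
```

Querying 192.0.2.2 with `dig +adflag example.com` should then show AD once the DS record for example.com is published in the parent; querying 192.0.2.1 keeps showing AA only.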



_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
