Hello
Now that the root zones are DNSSEC signed, we would like to use DNSSEC at
our caching resolvers. I have set up BIND 9.7.0-P1-1 at the border and
basically it is working fine. What I have not managed is to always
force obeying DNSSEC-signed zones for resolving, e.g. if I use
"dig +cdflag www.rhybar.cz" the caching resolver ignores the invalidly
signed result set and delivers the A record. If I don't use "+cdflag" the
result is SERVFAIL (no result).
We have set the following:
dnssec-enable yes;
dnssec-validation yes;
managed-keys { ... }; for the root zone
Are there any settings to never return a result for invalidly signed
result sets?
Many Thanks
Andreas
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users