In message <006001cb7ffe$7a6f5b10$6f4e11...@eurid.eu>, "Marc Lampo" writes:
> Hello,
>
> Much attention has been given to DNSSEC - how it brings security - the
> "chain-of-trust" - the root zone signed - activities of tld's to get
> signed - ...
> but we - I belong to an organisation in charge of a tld - should also pay
> attention to the validating, client, side of DNSSEC.
>
> What I see in practice, but which might simply be "implementation" of a
> name service,
> is that a forwarding + validating name server,
> that forwards to a caching name server which is not aware of DNSSEC,
> cannot resolve anything : all responses for either signed or unsigned
> domains return SERVFAIL !

This is expected. The forwarder MUST be DNSSEC aware, otherwise it will not
return the correct answers to queries with DO set, and SHOULD be validating
itself so that bogus results are not cached.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
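
One way to check whether an upstream forwarder is DNSSEC aware, as described in the reply above, is to send it a query with DO set for a name in a signed zone and see whether RRSIG records and an OPT record with DO come back. This is an added example, not code from the thread or from BIND; the name `example.org`, the address `192.0.2.1` and both sample responses are constructed, and the RRSIG RDATA is filler rather than a real signature.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000  # DO bit: top bit of the EDNS flags (low 16 bits of the OPT TTL)

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_do_query(name, qtype=TYPE_A, qid=0x1234):
    """Build a recursive query carrying an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def dnssec_awareness(resp):
    """Return (rrsig_present, do_echoed) for a raw DNS message."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    rrsig = do_echoed = False
    for _ in range(an + ns + ar):
        off = skip_name(resp, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        rrsig |= rtype == TYPE_RRSIG
        do_echoed |= rtype == TYPE_OPT and bool(ttl & DO_FLAG)
    return rrsig, do_echoed

def _rr(rtype, cls, ttl, rdata, name=b"\xc0\x0c"):
    return name + struct.pack("!HHIH", rtype, cls, ttl, len(rdata)) + rdata

# Constructed sample responses (not captured traffic).
_Q = encode_name("example.org") + struct.pack("!HH", TYPE_A, 1)
_A = _rr(TYPE_A, 1, 300, bytes([192, 0, 2, 1]))
AWARE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1) + _Q + _A
         + _rr(TYPE_RRSIG, 1, 300, b"\x00" * 24) + _rr(TYPE_OPT, 4096, DO_FLAG, b"", name=b"\x00"))
UNAWARE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + _A
```

Against a real forwarder, send the bytes from `build_do_query` over UDP to port 53 and pass the reply to `dnssec_awareness`; a result of `(False, False)` for a name in a signed zone indicates the upstream is dropping the DNSSEC records a validating resolver needs.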