Hello,

> I seem to remember seeing something about DNSSEC validation not working
> when a BIND server is used both to serve the DNSSEC signed zone
> authoritatively, and as a resolver? Unfortunately, I haven't managed to
> find this information again, and now I'm wondering if it was all in my
> head.
This may not be the reference you cannot find, but at EURid, registry for the .eu top level domain, we have an "EU Insights" available that also addresses
- bogus and validating name servers (which is your case) (pg 15 + 16)
- validating forwarding name server (pg 17 + 18)
Cfr http://www.eurid.eu/files/Insights_DNSSEC2.pdf

Basically, a bogus, yet validating name server is not a problem. The name server uses its local data first; answers do not have the "AD" bit set.
It would be a problem if a validating NS forwards towards this bogus name server, regardless of whether the bogus name server is DNSSEC aware or not.

Kind regards,

Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
marc.la...@eurid.eu
http://www.eurid.eu

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
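The practical way to check the two cases Marc describes is to look at the header of the answer each server returns. The script below is an added example, not code from the original post, from EURid or from ISC: it classifies dig output by the AA and AD flags and the response status, so that an answer served from the server's own signed zone (AA set, AD clear) can be told apart from one a validating resolver actually verified (AD set), and from the SERVFAIL a validating resolver returns when the data it forwarded for fails validation. The dig invocation, the server address 127.0.0.1 and the zone name example.eu are assumptions; the three sample headers are constructed, not captured from any real server.

```shell
#!/bin/sh
# Added example (not from the original post, EURid or ISC): classify a dig
# response by its header. Live use, assuming dig and a reachable server:
#   dig +dnssec @127.0.0.1 example.eu SOA | classify_answer
#
# Prints one word:
#   local-authoritative  aa set, ad clear: answered from the local zone data,
#                        which is what a validating server that is also
#                        authoritative for the zone returns (no validation done)
#   validated            ad set: the answering resolver validated the chain
#   unvalidated          neither aa nor ad: recursive answer, nothing validated
#   servfail             status SERVFAIL: what a validating resolver returns
#                        when the answer it fetched (e.g. via a bogus
#                        forwarder) fails validation
#   unparsed             no dig header found on stdin
classify_answer() {
    input=$(cat)
    status=$(printf '%s\n' "$input" \
        | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$input" \
        | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    if [ -z "$status" ] && [ -z "$flags" ]; then
        echo unparsed
        return 1
    fi
    if [ "$status" = SERVFAIL ]; then
        echo servfail
        return 0
    fi
    has_aa=0
    has_ad=0
    for f in $flags; do
        case "$f" in
            aa) has_aa=1 ;;
            ad) has_ad=1 ;;
        esac
    done
    if [ "$has_ad" -eq 1 ]; then
        echo validated
    elif [ "$has_aa" -eq 1 ]; then
        echo local-authoritative
    else
        echo unvalidated
    fi
}

# Constructed sample headers (not captured from a real server), one per case.
# Server authoritative for the signed zone answering from its own data:
SAMPLE_LOCAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# Validating resolver that fetched and verified the answer:
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
# Validating resolver forwarding to the bogus server and failing validation:
SAMPLE_FORWARDED_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Classify all three samples when run directly.
for s in "$SAMPLE_LOCAL" "$SAMPLE_VALIDATED" "$SAMPLE_FORWARDED_BOGUS"; do
    printf '%s\n' "$s" | classify_answer
done
```

Run the same query with `+dnssec` against the authoritative-and-validating server and against an independent validating resolver: the first should come back `local-authoritative`, the second `validated`. A `servfail` from a resolver that forwards to the first server is the forwarding problem the EURid document describes.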