On 1/6/2011 3:38 AM, Eivind Olsen wrote:
> I seem to remember seeing something about DNSSEC validation not working
> when a BIND server is used both to serve the DNSSEC signed zone
> authoritatively, and as a resolver? Unfortunately, I haven't managed to
> find this information again, and now I'm wondering if it was all in my
> head.

The problem you run into is that recursive servers are the ones that do validation (returning the AD bit) while authoritative servers return the AA bit (mutually exclusive with the AD bit). Mixing the functions causes your server to return AD bits for things that it is not authoritative for (and can validate) and AA for things that it is authoritative for (even if validatable), causing clients that care about such things a bit of heartburn. As Mark has said, "match-recursive" can be used to persuade your server to respond with the appropriate header bits if your clients actually care.

> (Yes, I know it's best practice to combine the authoritative + recursive
> functionality)

[...] it's NOT best [...]

AlanC
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
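The split that AlanC describes, written out as an added named.conf fragment (not from this thread or from ISC): two views on one server, where the recursive view validates and sets AD and the authoritative view serves the signed zone with AA. The BIND option the post calls "match-recursive" is spelled `match-recursive-only`; the zone name, client network and file paths are placeholders.

```conf
// Added example, not from the thread. example.com, 192.0.2.0/24 and the
// file names are placeholders; adjust to your own deployment.
options {
    directory "/var/named";
    dnssec-validation auto;   // validate answers obtained by recursion
};

// Internal clients asking with RD=1 land here. Views are matched in
// order, so this one must come before the authoritative view.
view "resolver" {
    match-clients { 192.0.2.0/24; localhost; };
    match-recursive-only yes; // only queries that request recursion
    recursion yes;
    allow-recursion { 192.0.2.0/24; localhost; };
    // The signed zone is deliberately not loaded in this view: a query for
    // it is resolved and validated like any other name, so the client gets
    // an AD answer instead of an AA answer from the local copy.
};

// Everyone else, and any query without RD, gets authoritative service only:
// AA on answers for the zone, no recursion, no AD.
view "authoritative" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.signed";
    };
};
```

Check the result with `dig +dnssec` from both an internal and an external address and compare the flags line: AD from the resolver view, AA from the authoritative view.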