On 10/5/2011 5:21 AM, Sergio Charpinel Jr. wrote:
> After supplying DS and the respective NS record for the subdomain in the
> parent zone (domain.com), it works. If I disable DNSSEC in my
> recursive server, it also works.
> So, if a zone is not signed properly (or doesn't have DS records) the
> query will fail? Isn't it better to query those misconfigured servers
> without DNSSEC, just like it does when the zone is not signed?
Without the necessary NS records in the parent, the zone was never correctly delegated. It worked, but only due to a fluke of being served on the same server as its parent zone. Implementing DNSSEC made you fix your zone. This is not a bad thing.

There is no reason to "try again without DNSSEC" if you get a failure, because that failure means it didn't work. You may end up trying different authoritative servers if you get a failure (to work around poisoned or disrupted servers), but you don't ever fall back to non-DNSSEC lookups on zones that should be secure.

AlanC
--
a...@clegg.com
1.919.355.8851
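The distinction Alan draws (a validation failure is not a reason to retry without DNSSEC, but a server failure may be a reason to try other authoritative servers) can be checked from the command line. The script below is an added example, not code from the thread or from ISC: it parses dig output from the three queries a practitioner would run and classifies the result as SECURE, INSECURE, BOGUS or UNREACHABLE, and for the BOGUS case compares the NS set the parent delegates with the NS set the child publishes, which is the missing-delegation situation described above. The dig responses, the zone sub.domain.com and the servers ns1/ns2.domain.com are constructed for the example; domain.com is the name used in the thread.

```python
"""Triage a DNSSEC lookup failure from dig output without retrying insecurely.

The constructed responses below stand in for these queries (assumed names):

  dig +dnssec      www.sub.domain.com A  @<validating resolver>
  dig +dnssec +cd  www.sub.domain.com A  @<validating resolver>   (checking disabled)
  dig +norecurse   sub.domain.com     NS @<server authoritative for domain.com only>
  dig +norecurse   sub.domain.com     NS @<server authoritative for sub.domain.com>
"""
import re

STATUS_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.MULTILINE)


def parse_header(dig_output):
    """Return (rcode, set of flags) from the ->>HEADER<<- and ;; flags: lines."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if status is None or flags is None:
        raise ValueError("not a dig response")
    return status.group(1), set(flags.group(1).split())


def ns_targets(dig_output, zone):
    """NS record targets owned by `zone` anywhere in the response (answer or referral)."""
    rr = re.compile(r"^" + re.escape(zone) + r"\s+\d+\s+IN\s+NS\s+(\S+)",
                    re.MULTILINE | re.IGNORECASE)
    return set(rr.findall(dig_output))


def classify(validated_output, cd_output):
    """Classify what the validating resolver's answer means.

    SECURE       NOERROR with the AD bit: validation succeeded.
    INSECURE     NOERROR without AD: unsigned zone (no DS in the parent), not a failure.
    BOGUS        SERVFAIL, but the same query with +cd is answered: the data exists and
                 fails validation. This is the case that must never be retried insecurely.
    UNREACHABLE  SERVFAIL even with checking disabled: a server or delegation problem,
                 where trying other authoritative servers is legitimate.
    """
    rcode, flags = parse_header(validated_output)
    rcode_cd, _ = parse_header(cd_output)
    if rcode == "NOERROR" and "ad" in flags:
        return "SECURE"
    if rcode == "NOERROR":
        return "INSECURE"
    if rcode == "SERVFAIL" and rcode_cd == "NOERROR":
        return "BOGUS"
    return "UNREACHABLE"


def check_delegation(parent_output, child_output, zone):
    """Compare the NS set the parent delegates with the NS set the child publishes.

    An empty parent set is the thread's situation: the child was never delegated and
    only resolved because it lived on the same server as its parent.
    """
    at_parent = ns_targets(parent_output, zone)
    at_child = ns_targets(child_output, zone)
    return {
        "delegated": bool(at_parent),
        "missing_at_parent": sorted(at_child - at_parent),
        "missing_at_child": sorted(at_parent - at_child),
    }


def diagnose(validated_output, cd_output, parent_output, child_output, zone):
    """Full triage; `fallback_to_insecure` is always False, that is the policy."""
    report = {"verdict": classify(validated_output, cd_output), "fallback_to_insecure": False}
    if report["verdict"] == "BOGUS":
        report["delegation"] = check_delegation(parent_output, child_output, zone)
    return report


# --- constructed sample responses (not captured from any real server) ---
VALIDATED_SERVFAIL = """\
; <<>> DiG 9.8.1 <<>> +dnssec www.sub.domain.com A @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4091
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
CD_NOERROR = """\
; <<>> DiG 9.8.1 <<>> +dnssec +cd www.sub.domain.com A @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4092
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.sub.domain.com.  300  IN  A      192.0.2.10
www.sub.domain.com.  300  IN  RRSIG  A 8 4 300 20111101000000 20111001000000 12345 sub.domain.com. ...
"""
SECURE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4093
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# Parent zone with no NS (and no DS) for the child: it answers from its own data.
PARENT_NO_DELEGATION = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4094
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
domain.com.  3600  IN  SOA  ns1.domain.com. hostmaster.domain.com. 2011100501 3600 900 604800 300
"""
CHILD_NS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4095
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
sub.domain.com.  3600  IN  NS  ns1.domain.com.
sub.domain.com.  3600  IN  NS  ns2.domain.com.
"""

if __name__ == "__main__":
    print(diagnose(VALIDATED_SERVFAIL, CD_NOERROR, PARENT_NO_DELEGATION, CHILD_NS,
                   "sub.domain.com."))
```

On the constructed input the verdict is BOGUS with `delegated: False` and both child NS names listed as missing at the parent, i.e. the remedy is the one Sergio applied (add the NS and DS records to the parent zone), not a retry with validation disabled. Note that the parent-side query has to go to a server that is authoritative for the parent only; a server hosting both zones will answer from the child zone and hide exactly the gap the thread is about.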
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users