> What is the best way to log DNSSEC failures in Bind without enforcing
> DNSSEC validation?
>
> That is I want to see what Bind would have rejected because of failed
> DNSSEC validation, but I do not want to return SERVFAIL to my client.

I don't think that is possible without modifying the client(s) to query with Checking Disabled. It sounds to me as though you're looking for an "add-cd-to-all-queries" option on a validating BIND recursor; that doesn't exist, as far as I know.

-JP