On Fri, 18 Dec 2020 at 18:08, Nicolas Bock <nicolas.b...@canonical.com>
wrote:

> Thanks Mark. Am I correct then that I need to either convince the
> administrator of that DNS to enable DNSSEC or configure my DNS with
> `dnssec-validation = no`?
>

The upstream administrator isn't required to be validating DNSSEC for this
to work, but in order for your DNS server to do DNSSEC validation, their
DNS server must be DNSSEC aware enough to be requesting DNSSEC data when it
queries the authoritative DNS servers.  Of course, the resilience of the
whole thing would also be improved by that server also validating.

If they can't or won't update their server, then yes, you'll either have to
disable validation yourself, or select a better upstream.  Personally I'd
go looking for a better upstream (or just stop using a forwarder entirely,
and do your own direct recursion, if that's possible in your environment).