> On 21 Dec 2020, at 06:04, Matthew Pounsett <m...@conundrum.com> wrote:
>
> > On Fri, 18 Dec 2020 at 18:08, Nicolas Bock <nicolas.b...@canonical.com> wrote:
> > Thanks Mark. Am I correct then that I need to either convince the
> > administrator of that DNS to enable DNSSEC or configure my DNS with
> > `dnssec-validation = no`?
>
> The upstream administrator isn't required to be validating DNSSEC for this to
> work, but in order for your DNS server to do DNSSEC validation, their DNS
> server must be DNSSEC aware enough to be requesting DNSSEC data when it
> queries the authoritative DNS servers. Of course, the resilience of the
> whole thing would also be improved by that server also validating.
Matthew, there is a difference between sometimes getting answers out of a forwarder that isn't validating that validate and a system that is working. If the forwarder is not validating then the system cannot recover from situations that an iterative validating resolver can recover from. It is bad advice to deploy validating clients behind forwarders that are not validating.

> If they can't or won't update their server, then yes, you'll either have to
> disable validation yourself, or select a better upstream. Personally I'd go
> looking for a better upstream (or just stop using a forwarder entirely, and
> do your own direct recursion, if that's possible in your environment).

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
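The three configurations discussed in this thread, written out as BIND `named.conf` fragments. This is an added example, not configuration posted by anyone in the thread; the forwarder address is a placeholder from the 192.0.2.0/24 documentation range, and a real `named.conf` has exactly one `options` block, so only one of the three variants applies at a time.

```conf
// Added example, not from the thread. 192.0.2.53 is a placeholder for the
// real upstream forwarder. Pick exactly one of the options blocks below.

// Variant A: validating resolver behind a forwarder (Nicolas's situation).
// This only works if the forwarder sets the DO bit on its own queries and
// passes RRSIG/NSEC data back. If the forwarder is not DNSSEC aware, named
// cannot validate signed zones and returns SERVFAIL for them, and as Mark
// notes it cannot recover from cases an iterative resolver could.
options {
    recursion yes;
    forwarders { 192.0.2.53; };
    forward only;
    dnssec-validation auto;   // validate using the built-in root trust anchor
};

// Variant B: the workaround Nicolas asked about. Validation is switched off,
// so answers from the forwarder are accepted with no DNSSEC checking at all.
options {
    recursion yes;
    forwarders { 192.0.2.53; };
    forward only;
    dnssec-validation no;
};

// Variant C: what Matthew and Mark recommend. No forwarders, so named
// iterates from the root servers itself and validates what it receives.
options {
    recursion yes;
    dnssec-validation auto;
};
```

After editing, `named-checkconf` catches syntax errors and `rndc reload` applies the change. To tell the variants apart from a client, query a signed name with `dig +dnssec` against the resolver: with validation working (A against a DNSSEC-aware forwarder, or C) the answer carries the `ad` flag and RRSIG records; with variant B the RRSIGs may still be present but the `ad` flag is never set, because nothing has been checked.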