On Mar 30, 2022, at 4:43 PM, Tony Finch <f...@isc.org> wrote:
> 
> > We have an internal DNS server that we would like to forward its
> > outgoing queries to a main DNS server that connects to the outside world
> > and is doing DNSSEC validation.  The problem is that the DNSSEC
> > validation doesn't work for queries from the internal DNS server.
> > Doing DNSSEC validation on the internal DNS server that is forwarding to
> > the main DNS server has been problematic with some domain failing
> > intermittently and others just not working at all. Is there a way to
> > allow the main DNS server handle DNSSEC validation?
> 
> In this situation, with multiple tiers of caches, if you want DNSSEC
> validation, you should turn it on everywhere you can.
> 
> It sounds to me like your outer server has somehow got data in its cache
> that can't be validated by the inner server (though I'm not entirely sure
> how that might happen). If they both validate then I would expect the
> problems to go away.

We are dropping this configuration and looking at doing something else. It
has become very clear after much testing with different DNS services,
unbound, and named that forwarding with named with DNSSEC validation
turned on to another named server has problems with the DNS data out in
the world. For us, this shows up with cloud-based services that play fast
and loose with the DNS specifications. We have had intermittent issues
with Slack, Microsoft, and a growing list of domains. We even have one that
consistently fails. I am just posting this as a caution to others that
you may have problems with DNSSEC validation in this configuration.

--
Dave
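For readers who want to reproduce the two-tier layout Tony recommends (validation enabled on both the inner forwarder and the outer resolver), here is an added configuration example. It is not taken from either message in the thread; the file paths, the 10.0.0.0/8 client range and the outer resolver address 192.0.2.53 are placeholders.

```conf
# Added example, not from the thread: BIND 9 options for a two-tier setup
# where the inner server forwards to the outer one and BOTH validate.
# Addresses and paths are placeholders.

# ---- /etc/bind/named.conf.options on the OUTER (main) resolver ----
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   # placeholder: the internal networks
    dnssec-validation auto;            # validate with the built-in root trust anchor
};

# ---- /etc/bind/named.conf.options on the INNER resolver ----
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   # placeholder: internal clients
    forwarders { 192.0.2.53; };        # placeholder: address of the outer resolver
    forward only;                      # send everything upstream; use "forward first"
                                       # if the inner server may recurse on its own
    dnssec-validation auto;            # the inner tier checks signatures itself; it
                                       # fetches DNSKEY/DS through the forwarder
};
```

To check the result from an internal client, query a signed name through the inner server with `dig +dnssec <name> @<inner-address>` and look for `ad` in the response flags. If you get SERVFAIL instead, repeat the query with `+cd`: an answer with `+cd` but SERVFAIL without it points at a validation failure on one of the tiers rather than an unreachable upstream, and the failing tier's log will show which. Since Tony suspects unvalidatable data in the outer cache, `rndc flush` on the outer server is the quick way to rule that out before digging further.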

