On 22/12/2022 at 14:30, Jesus Cea wrote:
I have a validating DNSSEC bind server. I get AD (Authenticated Data)
flag when requesting details from a DNSSEC protected domain. Good.
The point is that when the requested DNS name belongs to a domain for
which this server is authoritative and that domain is DNSSEC enabled, no AD
flag is provided in the answer. I guess this is because bind is
replying with DNSSEC data but it doesn't follow that DNSSEC delegation
tree in order to verify that everything is OK and so it doesn't signal
safety with the AD flag.
Is there any way to configure bind to verify DNSSEC integrity and
signal the AD flag for authoritative domains? Views (it would lose
the AA flag, then)?
What would be the best practice for dnssec verification? To use a
fully validating local resolver? Any other choice? I am currently
using a local "bind" as a resolver and it works fine for DNSSEC
verification, except for my authoritative domains.
If you trust your server for the AD bit, you could trust it for the AA bit
without the AD bit.
Otherwise you should go for a local validating server. It is a policy
decision.
Emmanuel.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
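An added example, not part of the thread above and not BIND code: a small Python helper that reads the header of a `dig` response and reports which of the AA (authoritative answer) and AD (authenticated data) bits are set, which is the distinction Emmanuel draws. The `dig` outputs below are constructed samples, not real captures, and `diagnose()` applies the usual practitioner trick of re-querying with `+cd` (checking disabled) to tell a validation failure apart from a plain server error.

```python
import re

# Constructed sample dig header lines (not real captures).
# An authoritative server answering for its own signed zone: AA set, AD clear.
AUTHORITATIVE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
# A validating resolver that verified the chain of trust: AD set, AA clear.
VALIDATED_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# A resolver answer for an unsigned zone (or a non-validating resolver).
UNVALIDATED_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
# What a validating resolver returns when validation fails.
SERVFAIL_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

_STATUS_RE = re.compile(r"status: (\w+)")
_FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)


def parse_header(dig_output):
    """Return (status, set of header flags) from dig's header lines."""
    status = _STATUS_RE.search(dig_output)
    flags = _FLAGS_RE.search(dig_output)
    if status is None or flags is None:
        raise ValueError("no dig header found in output")
    return status.group(1), set(flags.group(1).split())


def classify(dig_output):
    """Say what the header bits let you conclude about one answer.

    'validated'                 AD set: the resolver verified the DNSSEC chain
                                (only meaningful if the path to that resolver
                                is trusted, e.g. localhost; AD is just a bit).
    'authoritative-unvalidated' AA set, AD clear: the server is authoritative
                                for the zone and did not validate the answer;
                                this is the case described in the thread.
    'unvalidated'               neither bit: plain recursive answer.
    'servfail'                  no data; may be a validation failure.
    """
    status, flags = parse_header(dig_output)
    if status == "SERVFAIL":
        return "servfail"
    if "ad" in flags:
        return "validated"
    if "aa" in flags:
        return "authoritative-unvalidated"
    return "unvalidated"


def diagnose(normal_output, cd_output):
    """Combine a normal query with the same query run with dig +cd.

    +cd asks the resolver to skip validation. If the normal query fails with
    SERVFAIL but the +cd query succeeds, validation itself failed (bogus or
    misconfigured signing); if both fail, it is an ordinary server problem.
    """
    normal_status, _ = parse_header(normal_output)
    cd_status, _ = parse_header(cd_output)
    if normal_status == "SERVFAIL" and cd_status != "SERVFAIL":
        return "validation-failure"
    if normal_status == "SERVFAIL":
        return "server-error"
    return classify(normal_output)


if __name__ == "__main__":
    for name, sample in [("authoritative", AUTHORITATIVE_ANSWER),
                         ("validated", VALIDATED_ANSWER),
                         ("unvalidated", UNVALIDATED_ANSWER),
                         ("servfail", SERVFAIL_ANSWER)]:
        print(f"{name:14s} -> {classify(sample)}")
    print("servfail vs +cd ->", diagnose(SERVFAIL_ANSWER, UNVALIDATED_ANSWER))
```

To feed it real output, pipe `dig +adflag example.net A @127.0.0.1` into `classify()` and `dig +cd example.net A @127.0.0.1` into `diagnose()`. The caveat the thread turns on still applies: the AD bit is a single header flag, so it only tells you something when the resolver that set it is one you trust and the path to it cannot be tampered with, which is why a validating resolver on localhost is the usual answer.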