> On 23 Dec 2022, at 01:13, Emmanuel Fusté <manu.fu...@gmail.com> wrote:
>
> On 22/12/2022 at 14:30, Jesus Cea wrote:
>> I have a validating DNSSEC bind server. I get the AD (Authenticated Data) flag
>> when requesting details from a DNSSEC-protected domain. Good.
>>
>> The point is that when the requested DNS name belongs to a domain for which this
>> server is authoritative and that domain is DNSSEC enabled, no AD flag is
>> provided in the answer. I guess this is because bind is replying with DNSSEC
>> data but it doesn't follow the DNSSEC delegation tree in order to verify
>> that everything is OK and so it doesn't signal safety with the AD flag.
>>
>> Is there any way to configure bind to verify DNSSEC integrity and signal the
>> AD flag for authoritative domains? Views (it would lose the AA flag, then)?
>>
>> What would be the best practice for DNSSEC verification? To use a fully
>> validating local resolver? Any other choice? I am currently using a local
>> "bind" as a resolver and it works fine for DNSSEC verification, except for
>> my authoritative domains.
>>
> If you trust your server for the AD bit, you could trust it for the AA bit
> without the AD bit.
> Otherwise you should go for a local validating server. It is a policy
> decision.
Or you should do what was originally intended to happen and have your applications validate the data using DNSSEC. Without a tamper-proof channel between the validating recursive resolver and the client you should not trust AD.

> Emmanuel.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
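The thread turns on two different header bits: AA (the answer came from the server's own zone data) and AD (the resolver asserts it validated the data), plus the warning that AD is only a claim and should be honoured only over a path the client can trust. The following stub-resolver helper is an added example written for this page; it is not code from the thread, from BIND or from ISC. It uses only the Python standard library: it builds a DNSSEC-aware query (EDNS0 DO bit, AD set in the request), parses the response header flags, and applies a deliberately simple trust rule (assumed for the example: AD is honoured only when the resolver is on loopback). The two response headers in the `__main__` block are constructed to mirror the thread's situation, not captured from a real server.

```python
"""Check AA/AD on DNS answers with a minimal DNSSEC-aware stub query.

Added illustration for the bind-users thread above; not part of the original
posts, of BIND or of ISC. Sample packets below are constructed for the example.
"""
import ipaddress
import os
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
EDNS_DO = 0x8000  # DO bit, carried in the OPT RR "TTL" field (RFC 4035 section 3.2.1)


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, qid=None) -> bytes:
    """Build a query asking for DNSSEC records (DO bit) and signalling AD
    awareness by setting AD in the request (RFC 6840 section 5.7)."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size, "TTL" carries DO.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Return the header fields a client should inspect before trusting an answer."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),  # served from the server's own zone data
        "ad": bool(flags & AD),  # resolver's claim that it validated the data
        "cd": bool(flags & CD),
        "tc": bool(flags & TC),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def ad_is_trustworthy(server: str, msg: bytes) -> bool:
    """AD is only an assertion by the resolver: honour it solely when the path to
    that resolver cannot be tampered with. Assumed rule for this example: loopback."""
    return parse_header(msg)["ad"] and ipaddress.ip_address(server).is_loopback


def make_response(qid: int, flags: int, ancount: int = 1) -> bytes:
    """Constructed 12-byte response header for offline use (no RRs appended)."""
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)


def query_udp(server: str, name: str, qtype: int = 1, timeout: float = 2.0) -> dict:
    """Send the query to a real resolver (e.g. a local validating BIND) and parse the reply."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("response ID mismatch")
    return hdr


if __name__ == "__main__":
    # Constructed headers mirroring the thread: a validating resolver's answer
    # (AD set, AA clear) and the same server answering for a zone it is
    # authoritative for (AA set, AD clear).
    from_resolver = make_response(0x1234, QR | RD | RA | AD)
    from_own_zone = make_response(0x1234, QR | AA | RD | RA)
    print("validated by resolver:", parse_header(from_resolver))
    print("own authoritative zone:", parse_header(from_own_zone))
    print("trust AD from 127.0.0.1:", ad_is_trustworthy("127.0.0.1", from_resolver))
    print("trust AD from 192.0.2.1:", ad_is_trustworthy("192.0.2.1", from_resolver))
```

`query_udp("127.0.0.1", "example.com.", 1)` shows what the thread describes: a name in a zone the local server serves authoritatively comes back with AA set and AD clear, while a name it resolved and validated comes back with AD set. Whether to act on that AD bit is the policy decision the replies describe; here the choice is encoded in `ad_is_trustworthy`.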