> On Oct 17, 2017, at 5:58 AM, Mal <m...@jetlan.com> wrote:
>
> Bingo. That information certainly explains the behavior observed.
>
> Does this therefore require DNSSEC-validation to be set to "no" (for the
> authoritative NS):
>
> dnssec-enable yes;

This must stay "yes" or else you DoS your domain.

> dnssec-validation no;

This is ignored for authoritative zones, and useful for recursive servers. So long as your server continues to provide both authoritative and recursive service (not a good idea), you should leave this in place. The right thing to do is to deploy a separate validating recursive server, use that in resolv.conf and then disable recursion in the authoritative server, at which point this setting makes no difference.

> dnssec-lookaside auto;

This is obsolete, the ISC DLV zone is now empty, so this should be set to "no" in all recursive BIND servers.

--
Viktor.
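
An added example, not part of the original message or of BIND itself: a small Python audit that checks a named.conf for the three settings discussed above. The sample configuration, the zone name and the function names are constructed for illustration, and the check assumes `recursion` defaults to yes when the statement is absent.

```python
import re

# Constructed sample: the options quoted in the message, on a server that
# also hosts an authoritative zone (zone and file names are placeholders).
SAMPLE_NAMED_CONF = """
options {
    recursion yes;            // mixed authoritative + recursive role
    dnssec-enable yes;
    dnssec-validation no;
    dnssec-lookaside auto;    /* ISC DLV zone is now empty */
};
zone "example.com" { type master; file "example.com.signed"; };
"""

def strip_comments(text):
    """Remove /* */, // and # comments as used in named.conf."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def option(text, name, default=None):
    """Return the value of a simple 'name value;' statement, else default."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+([\w-]+)\s*;", text)
    return m.group(1).lower() if m else default

def audit(conf):
    """Return findings for the three settings discussed in the message."""
    text = strip_comments(conf)
    authoritative = re.search(r"\btype\s+(master|slave|primary|secondary)\s*;", text) is not None
    # Assumption: recursion defaults to yes when the statement is absent.
    recursive = option(text, "recursion", "yes") == "yes"
    findings = []
    if authoritative and option(text, "dnssec-enable", "yes") != "yes":
        findings.append("dnssec-enable must stay yes on the authoritative server")
    if authoritative and recursive:
        findings.append("authoritative and recursive service share one server; "
                        "move recursion to a separate validating resolver")
    if recursive and option(text, "dnssec-lookaside", "no") != "no":
        findings.append("dnssec-lookaside is obsolete; set it to no")
    if recursive and not authoritative and option(text, "dnssec-validation") == "no":
        findings.append("recursive server has DNSSEC validation turned off")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_NAMED_CONF):
        print("-", line)
```

On the mixed-role sample the audit reports the shared role and the obsolete lookaside setting, and it stays silent about `dnssec-validation no;` there, matching the advice to leave that line in place until recursion is moved off the authoritative server.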