On 18/10/2017 3:56 PM, Viktor Dukhovni wrote:
>> dnssec-validation no;
>
> This is ignored for authoritative zones, and useful for recursive
> servers. So long as your server continues to provide both authoritative
> and recursive service (not a good idea), you should leave this in place.
>
> The right thing to do is to deploy a separate validating recursive server,
> use that in resolv.conf and then disable recursion in the authoritative
> server, at which point this setting makes no difference.

Right thing done, set to 'no' and resolver work sent elsewhere. DANE record returning perfectly now, on posttls-finger, for that domain.

>> dnssec-lookaside auto;
>
> This is obsolete, the ISC DLV zone is now empty, so this should be set
> to "no" in all recursive BIND servers.
>

I deleted this guy.

Thanks Viktor.

Mal
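The three settings discussed in this thread can be checked mechanically. The following is an added example, not code from either poster or from BIND: a small audit of named.conf text, where the function names, the finding labels and the sample configurations (with the placeholder zone example.org) are all constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread); example.org is a placeholder.
COMBINED = '''options { recursion yes; dnssec-validation no; dnssec-lookaside auto; };
zone "example.org" { type master; file "example.org.zone"; };'''
AUTH_ONLY = '''options { recursion no; dnssec-validation no; };  // validation is moot here
zone "example.org" { type master; file "example.org.zone"; };'''
RESOLVER = '''options { recursion yes; allow-recursion { 127.0.0.1; };
    dnssec-validation auto; dnssec-lookaside no; };'''

def _option(text, name):
    """Value of a simple `name value;` statement, lower-cased, or None if absent."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+([^;{}]+?)\s*;", text)
    return m.group(1).lower() if m else None

def audit_named_conf(text):
    """Return findings for the three settings discussed in the thread."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # strip /* ... */ comments
    text = re.sub(r"(//|#).*", "", text)               # strip // and # comments
    findings = []
    # named recurses by default, so only an explicit "no" turns recursion off.
    recursive = _option(text, "recursion") != "no"
    authoritative = re.search(
        r"\btype\s+(master|slave|primary|secondary)\s*;", text) is not None
    if recursive and authoritative:
        findings.append("mixed-role: authoritative zones served with recursion on")
    dlv = _option(text, "dnssec-lookaside")
    if dlv is not None and dlv != "no":
        findings.append("dlv: dnssec-lookaside is obsolete, set it to no or remove it")
    if recursive and not authoritative and _option(text, "dnssec-validation") == "no":
        findings.append("no-validation: recursive resolver does not validate DNSSEC")
    return findings

if __name__ == "__main__":
    samples = [("combined", COMBINED), ("authoritative", AUTH_ONLY),
               ("resolver", RESOLVER)]
    for label, conf in samples:
        print(label, audit_named_conf(conf) or "ok")
```

The regex matching is a simplification that covers flat `name value;` statements only; it does not follow `include` files or per-view overrides.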