Hi Chris,

Thanks for your response -- that explains it.  I hope that you don't mind if I continue this discussion with another question.

I changed my configuration to use views to separate my external zone (for which BIND is authoritative) from internal clients (which should use BIND as a validating resolver).  I now receive the expected behavior -- sort of.

r...@starfish:/home/erik# dig +dnssec +adflag @localhost lotspeich.org

; <<>> DiG 9.6.1 <<>> +dnssec +adflag @localhost lotspeich.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60454
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

[snip]

r...@starfish:/home/erik# dig +adflag @localhost lotspeich.org

; <<>> DiG 9.6.1 <<>> +adflag @localhost lotspeich.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3194
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

As you can see, the ad bit is set when +dnssec is used along with +adflag.  However, I can receive the ad bit without +dnssec when making other queries:

r...@starfish:/home/erik# dig +adflag isc.org.

; <<>> DiG 9.6.1 <<>> +adflag isc.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6612
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

Is this expected or do I need to fine-tune my configuration further?

Thanks,

Erik.

Chris Buxton wrote:
> On Jun 13, 2009, at 4:59 AM, Erik Lotspeich wrote:
>> Is it normal that a validating resolver can't validate a domain it is
>> authoritative for?
>
> Absolutely. As Alan Clegg wrote not long ago on this list, this is why a
> DNSSEC validating resolver should not be authoritative for any signed
> zones.
>
> Chris Buxton
> Professional Services
> Men & Mice
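
Added example, not part of the original message and not code from BIND or dig: what the +adflag and +dnssec options used above change in the query on the wire (AD is a header flag; DO sits in the EDNS0 OPT record), with a decoder for the header flag list that dig prints. Function names are illustrative, the 4096-byte UDP size is a sample value, and the two response flag words are constructed to match the flag lines quoted in the message.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035), in the order dig prints them.
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]
DO_BIT = 0x8000  # "DNSSEC OK" bit in the EDNS0 OPT flags field (RFC 3225)


def build_query(name, qid, adflag=False, dnssec=False):
    """Build an A/IN query shaped like `dig +adflag` / `dig +dnssec` (illustrative)."""
    flags = 0x0100 | (0x0020 if adflag else 0)  # RD always set, AD only on request
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1 if dnssec else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b""
    if dnssec:
        # OPT RR: root name, TYPE=41, CLASS=UDP size (sample value 4096),
        # TTL field = extended RCODE | EDNS version | flags, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_BIT, 0)
    return header + question + opt


def header_flags(msg):
    """Return the names of the header flags set in a DNS message, dig-style."""
    (word,) = struct.unpack("!H", msg[2:4])
    return [flag for flag, bit in FLAG_BITS if word & bit]


def has_do_bit(msg):
    """True if the message ends with an empty OPT RR that has DO set."""
    (arcount,) = struct.unpack("!H", msg[10:12])
    if arcount == 0 or len(msg) < 23:
        return False
    rtype, _size, _ext, _ver, eflags, rdlen = struct.unpack("!HHBBHH", msg[-10:])
    return msg[-11] == 0 and rtype == 41 and rdlen == 0 and bool(eflags & DO_BIT)


if __name__ == "__main__":
    for ad, do in [(True, True), (True, False)]:
        q = build_query("lotspeich.org", 60454, adflag=ad, dnssec=do)
        print(header_flags(q), "DO set" if has_do_bit(q) else "no OPT/DO")
    # Constructed response flag words: 0x81a0 = qr rd ra ad, 0x8180 = qr rd ra
    for word in (0x81A0, 0x8180):
        print(header_flags(bytes(2) + word.to_bytes(2, "big") + bytes(8)))
```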