> > Or, if you think you might accidentally sign your zones or configure > > trust anchors, you can: > > > > dnssec-enable no; > > dnssec-validation no; > > > > OK - so if I do the above - will that prevent my recursive server from doing > DNSSEC if it gets information from a DNSSEC signed zone?
Yes, but "don't configure any trust anchors" gets the job done too. If your configuration doesn't say "trusted-keys", "managed-keys", or "dnssec-lookaside auto;" anywhere, then DNSSEC is not in use. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users