On Wed, Feb 03, 2016 at 08:37:27AM +0100, Thomas Sturm wrote:
> Am I doing something wrong, or is this not the actual intended usage of
> this option?

That's not the intended usage. dnssec-must-be-secure means what it says: the answers in this domain *must be secure*. Everything has to be signed and validate correctly. If it gets an unsigned answer, it is presumed to be a forgery.

> Of course, my use case is not resolving broken DNSSEC zones, but
> resolving forwarded local zones (non-existing TLD), however, above
> example should make the question more obvious.

I would suggest slaving the local zone instead of forwarding it.

--
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.
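
A named.conf sketch of the two points in the reply above, added here as an illustration and not taken from the thread or from ISC: the zone name "lan", the signed domain "example.org", the server address 192.0.2.53 and the file path are all assumed placeholders.

```conf
options {
    dnssec-validation auto;

    // Semantics described in the reply: every answer under this
    // domain must be signed and must validate. An unsigned answer
    // is treated as a forgery and rejected. The option tightens
    // validation for a domain; it is not a per-domain way to
    // relax or switch off validation.
    dnssec-must-be-secure "example.org" yes;   // placeholder domain
};

// Before (forwarding the local, non-existent TLD):
//
// zone "lan" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.53; };
// };

// After (the suggestion in the reply): slave the local zone, so
// that named holds its own copy and answers from it instead of
// resolving the names through a forwarder.
zone "lan" {                            // placeholder local TLD
    type slave;
    masters { 192.0.2.53; };            // placeholder internal primary
    file "slaves/lan.db";               // placeholder path
};
```

The internal primary has to permit zone transfers to this resolver for the slave zone to load.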

