Duchscher, Dave J via bind-users <bind-users@lists.isc.org> wrote:

> We have an internal DNS server that we would like to forward its
> outgoing queries to a main DNS server that connects to the outside world
> and is doing DNSSEC validation.  The problem is that the DNSSEC
> validation doesn't work for queries from the internal DNS server.
> Doing DNSSEC validation on the internal DNS server that is forwarding to
> the main DNS server has been problematic with some domains failing
> intermittently and others just not working at all. Is there a way to
> allow the main DNS server to handle DNSSEC validation?

In this situation, with multiple tiers of caches, if you want DNSSEC
validation, you should turn it on everywhere you can.

It sounds to me like your outer server has somehow got data in its cache
that can't be validated by the inner server (though I'm not entirely sure
how that might happen). If they both validate then I would expect the
problems to go away.

-- 
Tony Finch  <f...@isc.org>  (he/they)  Cambridge, England
Rockall, Malin, Hebrides: North or northeast 4 to 6, occasionally 7 at
first. Moderate or rough. Wintry showers. Good, occasionally poor.
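
A way to see which tier is rejecting an answer, as an added example that is not part of the original thread: it classifies the header lines of `dig +dnssec` and `dig +dnssec +cd` output taken against each resolver. The sample outputs and the tier names `outer` and `inner` are constructed for illustration.

```python
import re

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r";; flags:([^;]*);")

def parse_dig(text):
    """Return (rcode, set of header flags) from dig's text output."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1).upper(), set(flags.group(1).split())

def classify(normal, cd):
    """normal: `dig +dnssec` output; cd: `dig +dnssec +cd` output, same name and server."""
    status, flags = parse_dig(normal)
    cd_status, _ = parse_dig(cd)
    if "ad" in flags and status in ("NOERROR", "NXDOMAIN"):
        return "validated"            # resolver vouches for the data
    if status == "SERVFAIL" and cd_status == "NOERROR":
        return "validation-failure"   # data exists but this tier rejects it
    if status == "SERVFAIL":
        return "lookup-failure"       # fails even with checking disabled
    return "unvalidated"              # unsigned zone or validation switched off

def report(samples):
    """samples: {tier: (normal_output, cd_output)} -> {tier: verdict}."""
    return {tier: classify(n, c) for tier, (n, c) in samples.items()}

def header(status, flags):
    # Constructed stand-in for the two header lines dig prints.
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4711\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n")

# Constructed sample: the outer tier validates, the inner tier returns
# SERVFAIL unless checking is disabled with +cd.
SAMPLES = {
    "outer": (header("NOERROR", "qr rd ra ad"), header("NOERROR", "qr rd ra cd")),
    "inner": (header("SERVFAIL", "qr rd ra"), header("NOERROR", "qr rd ra cd")),
}

if __name__ == "__main__":
    for tier, verdict in report(SAMPLES).items():
        print(f"{tier}: {verdict}")
```

A `validation-failure` verdict on only one tier points at that tier's validator or at what its upstream hands it, rather than at the signed zone itself.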