I have a validating DNSSEC bind server. I get AD (Authenticated Data)
flag when requesting details from a DNSSEC protected domain. Good.
The point is that when the requested DNS name belongs to a domain with
this server is authoritative and that domain is DNSSEC enabled, no AD
flag is provided in the answer. I guess this is because bind is replying
with DNSSEC data but it doesn't follow that DNSSEC delegation tree in
order to verify that everything is OK and so it doesn't signal safety
with the AD flag.
Is there any way to configure bind to verify DNSSEC integrity and signal
the AD flag for authoritative domains?. Views (it would lose the AA
flag, then)?
What would be the best practice for dnssec verification? To use a fully
validating local resolver? Any other choice? I am currently using a
local "bind" as a resolver and it works fine for DNSSEC verification,
except for my authoritative domains.
--
Jesús Cea Avión _/_/ _/_/_/ _/_/_/
j...@jcea.es - https://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/
Twitter: @jcea _/_/ _/_/ _/_/_/_/_/
jabber / xmpp:j...@jabber.org _/_/ _/_/ _/_/ _/_/ _/_/
"Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/
"My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
