On 22/12/2022 13:30, Jesus Cea wrote:
> I have a validating DNSSEC bind server. I get the AD (Authenticated Data) flag when requesting details from a DNSSEC-protected domain. Good.
>
> The point is that when the requested DNS name belongs to a domain for which this server is authoritative and that domain is DNSSEC enabled, no AD flag is provided in the answer. I guess this is because bind is replying with DNSSEC data but it doesn't follow the DNSSEC delegation tree in order to verify that everything is OK, and so it doesn't signal safety with the AD flag.
>
> Is there any way to configure bind to verify DNSSEC integrity and signal the AD flag for authoritative domains? Views (it would lose the AA flag, then)?
>
> What would be the best practice for DNSSEC verification? To use a fully validating local resolver? Any other choice? I am currently using a local "bind" as a resolver and it works fine for DNSSEC verification, except for my authoritative domains.

You can achieve this by using a hidden-primary and then using "mirror zones" on the secondaries. They will return +AD, but not AA.

FWIW, adding your own auth data to a recursive server in this manner is IMHO completely fine - it's what we do at ISC for our own internal recursors.

On the other hand, having recursive lookups happen on a server that is a designated authoritative server (in the NS set) is regarded as bad practice.

cheers,

Ray
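As an added illustration of the hidden-primary plus mirror-zone layout Ray describes (not Ray's or ISC's own configuration), here are the two named.conf fragments involved. The zone name example.com, the hidden primary 192.0.2.1 and the validating resolver 192.0.2.53 are placeholders; the zone is assumed to be already signed and its DS published in the parent, since a mirror zone is only served after the resolver validates the transferred data against its trust anchor.

```conf
// --- named.conf on the HIDDEN PRIMARY (192.0.2.1, placeholder) ---
// Not listed in the public NS set; it only feeds the validating resolvers.
options {
    recursion no;
    notify explicit;
    // Only the mirror-zone resolvers may pull transfers or receive NOTIFY.
    allow-transfer { 192.0.2.53; };
    also-notify    { 192.0.2.53; };
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";   // placeholder path
    // Zone is assumed to be DNSSEC-signed (e.g. via dnssec-policy);
    // an unsigned or unvalidatable zone will be refused by the mirror.
};

// --- named.conf on the VALIDATING RESOLVER (192.0.2.53, placeholder) ---
options {
    recursion yes;
    // Mirror zones are validated with the same trust anchors as recursion,
    // so validation must be on; "auto" uses the built-in root key.
    dnssec-validation auto;
};

zone "example.com" {
    // Transferred from the hidden primary, validated before use, and
    // answered with the AD flag (no AA), which is exactly the behaviour
    // the original question asks for.
    type mirror;
    primaries { 192.0.2.1; };
};
```

To check the result from a client, `dig @192.0.2.53 example.com SOA +dnssec` should show `ad` but not `aa` in the flags line, while the same query against the hidden primary shows `aa` only.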


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
