'break-dnssec no' looks at the DO flag and whether the data to be returned is signed. If DO is 1 and the data is signed then the answer is not modified. If DO is 0 then it is modified, as the client cannot be performing DNSSEC validation on the response and be expecting it to succeed for responses from signed zones.

'break-dnssec yes' ignores the DO flag and whether the data is signed. This is designed to allow forwarded requests to get DNSSEC protection, as you can have the policy on multiple servers in the chain to serve plain clients.

> On 23 Mar 2023, at 00:28, Ondřej Surý <ond...@isc.org> wrote:
>
>> On 22. 3. 2023, at 14:26, BONIN Nathanael <boni...@mipih.fr> wrote:
>>
>> If I add break-dnssec yes ; in my bind conf, it seems to work like I wanted to !!! Thanks.
>
> +1
>
>> But what I don't understand is why, when I use directly SrvA (the server that has the RPZ zone), it works ?
>
> That's something that's impossible to answer without seeing the full configuration (named-checkconf -px).
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
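The two settings described above, shown as a named.conf fragment. This is an added example and not configuration from the thread or from ISC; the zone name "rpz.example", the file path, the working directory and the ACLs are assumptions for illustration, and the RPZ zone file itself is not shown.

```conf
// Added example, not from the thread. Names and paths are assumed.
options {
    directory "/var/named";
    recursion yes;
    dnssec-validation auto;

    // Default behaviour ("break-dnssec no"): if the query has DO=1 and the
    // answer comes from a signed zone, the RPZ rewrite is skipped so a
    // validating client still gets a response that validates. If DO=0 the
    // rewrite is applied, because that client cannot be validating.
    response-policy {
        zone "rpz.example" policy given;
    } break-dnssec no;

    // Alternative: rewrite regardless of DO and of whether the data is
    // signed. Only one response-policy statement is allowed per view, so
    // this one is commented out. Use it when the RPZ sits behind (or in
    // front of) other resolvers that forward to each other and the policy
    // must fire for every client in the chain; validating clients will then
    // see the rewritten answer fail validation.
    // response-policy {
    //     zone "rpz.example" policy given;
    // } break-dnssec yes;
};

// The policy zone itself. "type primary" is the BIND 9.16+ spelling of
// "type master". It is consulted internally and should not be served to
// arbitrary clients.
zone "rpz.example" {
    type primary;
    file "rpz.example.db";
    allow-query { localhost; };
    allow-transfer { none; };
};
```

To see which branch is in effect, `named-checkconf -px` prints the fully expanded configuration including the `response-policy` clause, as suggested in the thread. To observe the difference at the wire, query a name that the policy rewrites and that lives in a signed zone twice: `dig @server +dnssec name` sends DO=1, `dig @server +nodnssec name` sends DO=0. With `break-dnssec no` only the second query returns the rewritten answer; with `break-dnssec yes` both do.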