What is the best way to log DNSSEC failures in Bind without enforcing
DNSSEC validation?
That is I want to see what Bind would have rejected because of failed
DNSSEC validation, but I do not want to return SERVFAIL to my client.
I don't think that is possible without modifying the client(s) to query
with Checking Disabled. It sounds to me as though you're looking for a
add-cd-to-all-queries option on a validating BIND recursor; that
doesn't exist, as far as I know.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users