Petr Špaček <pspa...@isc.org> writes: > named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC > signatures (and other metadata) without validating them. > > named.conf statement 'dnssec-validation auto;' then enables DNSSEC > validation itself. > > In other words, it is possible to allow DNSSEC to work for forwarders > without doing validation itself. If the ISP in question resists > enabling DNSSEC then at least 'dnssec-enabled yes; dnssec-validation > no;' configuration would improve situation for people who care.
Thanks. Did not know this. Sorry for the disinformation. Bjørn -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users