On Mon, Nov 20, 2023 at 03:30:13PM +1300, Nick Tait via bind-users wrote: ! On 20/11/2023 1:00 pm, Peter wrote: ! > It's tricky. One problem is these are slave zones, they are ! > authoritative and do not work well with DNSSEC. ! ! I'm curious... What issues did you have with these zones and DNSSEC? I would ! have expected that the signed zones should just work?
Probably they do just work. But then, when I query a nonexistent domain from a simple root-slave, the answer carries an AA flag. When I query the same nonexistent domain from 8.8.8.8, it carries an AD flag. Also, somewhere in the depths of the ISC docs and tutorials I found a paper that shows how to setup the root-slave for DNSSEC so that it does recurse and validate (and that is from where I started to adapt my config). So likely there is an issue somewhere. cheerio, PMc -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users