Some Authoritative-Only BCPs

2024-03-28 Thread Crist Clark
I am upgrading and redeploying some authoritative-only BIND servers. Two questions about some fine points: What to set 'dnssec-validation' to? Just let it default to 'auto'? There is no need or opportunity for an authoritative-only server to validate (right?). Should we actively switch it off, set

Re: Some Authoritative-Only BCPs

2024-03-28 Thread Mark Andrews
Also, authoritative servers look up information. This includes addresses of nameservers to send NOTIFY messages. DS queries as part of DNSSEC key management. DNSKEY queries as part of DNSSEC trust anchor management. Plus whatever else is required to resolve those queries. -- Mark Andrews

Re: Some Authoritative-Only BCPs

2024-03-28 Thread Greg Choules via bind-users
Hi cjc. My answers would be:
- Leave `dnssec-validation` alone (auto) and ensure your server has a path to the Internet to make queries.
- Don't mess with root hints. The only time anyone should need to do this is when running a completely captive server living in a custom namespace that is NOT