Now that the root zone is DNSSEC signed, we would like to use DNSSEC at our caching resolvers. I have set up BIND 9.7.0-P1-1 at the border and basically it is working fine. What I have not managed is to always force obeying DNSSEC-signed zones for resolving, e.g. if I use "dig +cdflag www.rhybar.cz" the caching resolver ignores the invalidly signed result set and delivers the A record. If I don't use the "+cdflag" the result is SERVFAIL (no result).

We have set the following:

dnssec-enable yes;
dnssec-validation yes;

managed-keys { ... };    for the root zone

Are there any settings to never return a result for invalid signed result sets?
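The behaviour described above is driven by two header bits: the client's CD (checking disabled) bit asks the validating resolver to return data without validating it, and the resolver's AD (authenticated data) bit tells the client whether the answer was validated. The following added example (not from the original post or from BIND) builds and inspects minimal DNS wire-format messages so the two cases can be distinguished by looking at the header; the responses and the 203.0.113.10 address are constructed by hand, not captured from a server.

```python
"""Inspect the DNSSEC-related header flags of DNS wire-format messages.
Added example, not code from the original post. Sample messages are constructed."""
import struct

# Flag bits in the second 16-bit header word (RFC 1035 / RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_message(qname: str, txid: int, flags: int, rcode: int = 0, answer_ip: str = "") -> bytes:
    """Build a minimal A query/response; answer_ip (if given) adds one A record."""
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags | (rcode & 0xF), 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b""
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        # \xc0\x0c is a compression pointer to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_header(msg: bytes) -> dict:
    """Return the header fields that matter for judging DNSSEC validation."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0xF, "ancount": an}


def classify(msg: bytes) -> str:
    """Describe how a validating resolver treated the data in this response."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail: resolver refused to return unvalidated data"
    if h["ad"]:
        return "validated: AD bit set by the resolver"
    if h["cd"]:
        return "unvalidated: client disabled checking with the CD bit"
    return "unvalidated: no AD bit, resolver did not validate"


# Constructed responses mirroring the two dig queries in the question
NORMAL_RESPONSE = build_message("www.rhybar.cz", 0x1234, QR | RD | RA, rcode=RCODE_SERVFAIL)
CDFLAG_RESPONSE = build_message("www.rhybar.cz", 0x1235, QR | RD | RA | CD, answer_ip="203.0.113.10")
```

A client that wants only validated data should therefore send queries without CD and treat any answer lacking the AD bit as unverified, regardless of what the resolver returns.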

