On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote:
> Hello
> after the root zones are now DNSSEC signed we would like to use DNSSEC at our
> caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and
> basically it is working fine. What I have not managed is to always
> force obeying DNSSEC signed zones for resolving, e.g. if I use "dig
> +cdflag www.rhybar.cz" the caching resolver ignores the invalidly signed
> result set and delivers the A record. If I don't use the "+cdflag" the
> result is SERVFAIL (no result).


> Are there any settings to never return a result for invalid signed
> result sets?

SERVFAIL is the correct response when data is invalid.  I'm not
sure what you actually want...  If you "never return a result", the user
on the other end will continue to attempt to resolve the (bad) zone.


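To make the behaviour discussed in this thread concrete, here is an added example (not from the thread or from BIND) that builds the header of a query with and without the CD ("checking disabled") bit and classifies a validating resolver's reply from its header flags: SERVFAIL for bogus data, AD for validated data, and CD echoed back when the client itself asked for validation to be skipped. The response headers are constructed inline for demonstration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035).
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: the resolver validated the answer
FLAG_CD = 0x0010  # checking disabled: the client asked the resolver not to validate
RCODE_SERVFAIL = 2
HEADER_FMT = "!HHHHHH"  # id, flags, qdcount, ancount, nscount, arcount


def build_query_header(txid, checking_disabled):
    """Return the 12-byte header of a recursive query; this is what `dig +cdflag` sets."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    return struct.pack(HEADER_FMT, txid, flags, 1, 0, 0, 0)


def query_flags(header):
    """Extract the flags word from a 12-byte header (helper for inspection)."""
    return struct.unpack(HEADER_FMT, header[:12])[1]


def classify_response(header):
    """Classify a validating resolver's reply using only its header flags and rcode."""
    flags = query_flags(header)
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        # The resolver validated, found the data bogus, and refused to return it.
        return "servfail"
    if flags & FLAG_CD:
        # CD was set by the client: data is returned without validation.
        return "unvalidated_cd"
    if flags & FLAG_AD:
        return "validated"
    return "insecure"  # unsigned zone or a non-validating resolver


# Constructed sample response headers (not captured traffic).
RESP_SERVFAIL = struct.pack(HEADER_FMT, 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0)
RESP_CD_ANSWER = struct.pack(HEADER_FMT, 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, 1, 1, 0, 0)
RESP_AD_ANSWER = struct.pack(HEADER_FMT, 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
```

A client that needs validated answers should therefore leave CD clear and require AD on the reply, since the resolver honouring CD is the expected behaviour.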
