On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote:
> Hello
>
> after the root zones are now DNSSEC signed we like to use DNSSEC at our
> caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and
> basically it is working fine. What I have not managed is to always
> force obeying DNSSEC signed zones for resolving, e.g. if I use "dig
> +cdflag www.rhybar.cz" the caching resolver ignores the invalid signed
> result set and delivers the A record. If I don't use the "+cdflag" the
> result is SERVFAIL (no result).
[..]
> Are there any settings to never return a result for invalid signed
> result sets?

SERVFAIL is what is the correct response when data is invalid. I'm not sure what you actually want... If you "never return a result", the user on the other end will continue to attempt to resolve the (bad) zone.

AlanC
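The two behaviours discussed in this thread differ only in the CD (Checking Disabled) bit of the DNS header, which `dig +cdflag` sets. The following is an added example, not part of the original messages: it builds both query forms and interprets a resolver's response header. The function names, the query ID and the sample response headers are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, extended by RFC 4035 with AD and CD)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qid, checking_disabled):
    """Build an A/IN query with RD set; CD is set only for the +cdflag case."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response):
    """Classify a response from a validating resolver by its header alone."""
    _qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if rcode != "NOERROR":
        return rcode                  # e.g. SERVFAIL when validation fails
    if flags & AD:
        return "validated"            # resolver vouches for the data
    if flags & CD:
        return "unvalidated-cd"       # client asked the resolver to skip checks
    return "not-validated"            # unsigned zone or non-validating resolver

def sample_header(flags, ancount):
    """Constructed 12-byte response header (no question/answer sections)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

# Constructed headers matching the three cases a validating resolver can return
WITH_CD = sample_header(QR | RD | RA | CD, 1)      # bogus data passed through
WITHOUT_CD = sample_header(QR | RD | RA | 2, 0)    # SERVFAIL, no answer
GOOD_ZONE = sample_header(QR | RD | RA | AD, 1)    # signature chain verified

if __name__ == "__main__":
    for label, hdr in (("+cdflag", WITH_CD), ("default", WITHOUT_CD),
                       ("valid zone", GOOD_ZONE)):
        print(label, "->", classify(hdr))
```

A client that sets CD takes over responsibility for validation, so an answer classified as `unvalidated-cd` says nothing about whether the signatures were good.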
_______________________________________________
bind-users mailing list
firstname.lastname@example.org
https://lists.isc.org/mailman/listinfo/bind-users