After the root zones are now DNSSEC signed we would like to use DNSSEC at our
caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and
basically it is working fine. What I have not managed is to always
force obeying DNSSEC signed zones for resolving, e.g. if I use "dig
+cdflag www.rhybar.cz" the caching resolver ignores the invalidly signed
result set and delivers the A record. If I don't use the "+cdflag" the
result is SERVFAIL (no result).


Are there any settings to never return a result for invalid signed
result sets?

SERVFAIL is the correct response when data is invalid.  I'm not
sure what you actually want...  If you "never return a result", the user
on the other end will continue to attempt to resolve the (bad) zone.

Sorry for being unclear. We want the SERVFAIL as it should be for invalid DNSSEC data *in all cases*, e.g. even if a client asks with the cdflag (checking disabled) set.
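To make the behaviour discussed in this thread concrete, here is an added Python example (not code from the thread or from BIND) that builds a DNS query with and without the CD bit that `dig +cdflag` sets, and classifies a resolver's answer from its header alone: SERVFAIL, validated (AD set), or answered with validation bypassed because CD was echoed. The sample responses are constructed to mirror the two outcomes described above; the query name is a placeholder.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2.2)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_SERVFAIL = 2

def build_query(qname, qtype=1, txid=0x1234, checking_disabled=False):
    """Build a minimal UDP DNS query. With checking_disabled=True the CD bit is
    set, which is what `dig +cdflag` sends: it asks the resolver to hand back
    data even when its own DNSSEC validation of that data fails."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def header_flags(pkt):
    """Return the 16-bit flags word of a DNS message."""
    return struct.unpack("!H", pkt[2:4])[0]

def classify_response(pkt):
    """Describe how a validating resolver handled the answer, from the header:
    SERVFAIL = validation failed and the resolver refused to answer;
    AD set = data validated; CD echoed with answer records = validation
    bypassed at the client's request (the case the thread is about)."""
    flags = header_flags(pkt)
    ancount = struct.unpack("!H", pkt[6:8])[0]
    if flags & 0x000F == RCODE_SERVFAIL:
        return "servfail"
    if flags & AD:
        return "validated"
    if flags & CD and ancount > 0:
        return "unvalidated-cd-bypass"
    return "unvalidated"

def make_response(flags, ancount, txid=0x1234):
    """Constructed sample response header; the classification above needs
    no question or answer section bytes."""
    return struct.pack("!HHHHHH", txid, QR | RD | RA | flags, 0, ancount, 0, 0)

# Constructed samples mirroring the thread: with +cdflag the resolver hands back
# the bogus A record; without it the client gets SERVFAIL; a good zone gets AD.
CD_ANSWER = make_response(CD, ancount=1)
SERVFAIL_ANSWER = make_response(RCODE_SERVFAIL, ancount=0)
VALID_ANSWER = make_response(AD, ancount=1)

if __name__ == "__main__":
    for label, pkt in [("+cdflag", CD_ANSWER), ("no cdflag", SERVFAIL_ANSWER),
                       ("good zone", VALID_ANSWER)]:
        print(label, "->", classify_response(pkt))
```

A stub resolver that sets CD is telling the resolver it will validate itself, so the only way to keep the SERVFAIL semantics for such clients is to validate on the client or to block CD-set queries before they reach the resolver.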

