Zitat von Alan Clegg <acl...@isc.org>:

On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote:

Sorry for being unclear. We want the SERVFAIL as it should be for
invalid DNSSEC data *in all cases* eg. even if a client ask with the
cdflag (checking disable) set.

CD means "don't check", so you can't by definition.


That i was afraid of. It's a pitty that there is no way to save the downstream clients from stupid resolvers/downstream caches. At least for security relevant settings there should be a possibility to enforce the desired behaviour and not rely on the client. With the older Bind 9.4 as resolver the result even stay in the cache and later querys with "cdflag" not set deliever the invalid result until expired :-(


bind-users mailing list

Reply via email to