Quote from Alan Clegg <acl...@isc.org>:
On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote:
Sorry for being unclear. We want the SERVFAIL as it should be for
invalid DNSSEC data *in all cases*, e.g. even if a client asks with the
cdflag (checking disabled) set.
CD means "don't check", so you can't by definition.
That I was afraid of. It's a pity that there is no way to save the
downstream clients from stupid resolvers/downstream caches. At least
for security relevant settings there should be a possibility to
enforce the desired behaviour and not rely on the client. With the
older Bind 9.4 as resolver the result even stays in the cache and later
queries with "cdflag" not set deliver the invalid result until expired.
bind-users mailing list
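The thread turns on two header bits: CD (checking disabled) in the client's query, which tells the validating resolver not to validate, and AD (authentic data) in the answer, which is the only signal a downstream cache or client has that the data was validated. The following Python is an added example, not code from the thread or from BIND: it decodes the 12-byte DNS header, classifies each message as a validated answer, an unvalidated CD answer, or a SERVFAIL, and counts the unvalidated-CD answers a monitoring hook would want to alert on. The sample messages are constructed inline (header only, no question section) purely to exercise the parser; the flag bit positions follow RFC 1035 and RFC 4035 and are not assumptions.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
FLAG_QR = 0x8000   # 1 = response, 0 = query
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data: resolver validated this answer
FLAG_CD = 0x0010   # checking disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": RCODE_NAMES.get(flags & RCODE_MASK, str(flags & RCODE_MASK)),
        "qdcount": qdcount,
        "ancount": ancount,
    }


def classify(msg: bytes) -> str:
    """Label a message by what it tells a downstream cache about validation."""
    h = parse_header(msg)
    if not h["is_response"]:
        return "query-cd" if h["cd"] else "query"
    if h["rcode"] == "SERVFAIL":
        return "servfail"            # validation failed (or the resolver could not answer)
    if h["cd"]:
        return "unvalidated-cd"      # resolver echoed CD: it did NOT validate this data
    if h["ad"]:
        return "validated"           # resolver validated and set AD
    return "unvalidated"             # neither AD nor CD: no validation claim at all


def count_unvalidated_cd(messages) -> int:
    """Monitoring hook: how many answers left the resolver with CD set and no validation."""
    return sum(1 for m in messages if classify(m) == "unvalidated-cd")


def build_header(ident: int, flags: int, qdcount: int = 1, ancount: int = 0) -> bytes:
    """Build a header-only message; used here only to construct sample input."""
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


# Constructed samples, not captured traffic:
SAMPLES = {
    "client query with CD set": build_header(0x1001, FLAG_RD | FLAG_CD),
    "resolver SERVFAIL on bogus data": build_header(0x1002, FLAG_QR | FLAG_RD | FLAG_RA | 2),
    "resolver answer to a CD query": build_header(0x1003, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, ancount=1),
    "resolver validated answer": build_header(0x1004, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, ancount=1),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:34s} -> {classify(msg)}")
    print("unvalidated CD answers:", count_unvalidated_cd(SAMPLES.values()))
```

The point the classification makes is the one Alan Clegg states: an answer that carries CD=1 and AD=0 is, by definition, data the resolver did not check, so a downstream cache that stores it and later serves it to a non-CD query has dropped the only validation signal it had. A cache that does not preserve the CD/AD distinction per entry is exactly the failure the thread describes.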