On Sun, Dec 20 2020, Mark Andrews wrote:

>> On 21 Dec 2020, at 06:04, Matthew Pounsett <m...@conundrum.com> wrote:
>>
>> On Fri, 18 Dec 2020 at 18:08, Nicolas Bock <nicolas.b...@canonical.com> wrote:
>>> Thanks Mark. Am I correct then that I need to either convince the
>>> administrator of that DNS to enable DNSSEC or configure my DNS with
>>> `dnssec-validation = no`?
>>
>> The upstream administrator isn't required to be validating DNSSEC for this
>> to work, but in order for your DNS server to do DNSSEC validation, their DNS
>> server must be DNSSEC aware enough to be requesting DNSSEC data when it
>> queries the authoritative DNS servers. Of course, the resilience of the
>> whole thing would also be improved by that server also validating.
>
> Matthew, there is a difference between sometimes getting answers out of a
> forwarder that isn't validating that validate and a system that is working.
> If the forwarder is not validating then the system cannot recover from
> situations that an iterative validating resolver can recover from.
Thanks Matthew and Mark for the details. I will have a chat with the upstream
administrator and see whether I can convince them to enable full DNSSEC on
their end. At least at this point I have a better grasp of what and why I am
seeing those messages.

Thanks!

Nick

> It is bad advice to deploy validating clients behind forwarders that are not
> validating.
>
>> If they can't or won't update their server, then yes, you'll either have to
>> disable validation yourself, or select a better upstream. Personally I'd go
>> looking for a better upstream (or just stop using a forwarder entirely, and
>> do your own direct recursion, if that's possible in your environment).
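For readers following the thread, here is a named.conf sketch of the three outcomes discussed above (validate behind a DNSSEC-aware upstream, recurse directly, or give up validation). It is an added illustration, not configuration posted by anyone in the thread; the forwarder address and directory are placeholders, and only one `options` block belongs in a real named.conf.

```conf
// Added example, not from the thread. 192.0.2.53 is a placeholder upstream.
// Pick ONE of the three options blocks below.

// Option A: keep forwarding and keep validating. This only works when the
// upstream is DNSSEC-aware, i.e. it sets the DO bit on its own queries and
// passes RRSIG/DS/NSEC records back to us. Behind a forwarder that strips or
// never requests that data, validation has nothing to check and fails, which
// is the symptom the thread is about.
options {
    directory "/var/cache/bind";       // placeholder
    forwarders { 192.0.2.53; };        // placeholder upstream
    forward only;                      // never fall back to iteration
    dnssec-validation auto;            // validate with the built-in root trust anchor
};

// Option B: stop forwarding and iterate directly (Matthew's preferred fix).
// A validating iterative resolver can re-query other authoritative servers
// when it receives a bad or incomplete answer, which is Mark's point about
// recovery. Requires outbound DNS (UDP/TCP 53) to the Internet.
options {
    directory "/var/cache/bind";       // placeholder
    recursion yes;
    dnssec-validation auto;
};

// Option C: the "dnssec-validation = no" fallback from the first message,
// in actual named.conf syntax. The resolver then trusts whatever the
// forwarder hands it, so this is the least safe choice.
options {
    directory "/var/cache/bind";       // placeholder
    forwarders { 192.0.2.53; };        // placeholder upstream
    forward only;
    dnssec-validation no;
};
```

Before committing to option A, check what the upstream actually returns: `dig @192.0.2.53 +dnssec <signed-zone> SOA` (with the placeholder address replaced) should show RRSIG records in the answer section if the forwarder is DNSSEC-aware, and the `ad` flag in the header only if it validates itself. No RRSIGs at all means option A cannot work with that upstream.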