On Sun, Dec 20 2020, Mark Andrews wrote:

>> On 21 Dec 2020, at 06:04, Matthew Pounsett <m...@conundrum.com> wrote:
>> 
>> 
>> 
>> On Fri, 18 Dec 2020 at 18:08, Nicolas Bock <nicolas.b...@canonical.com> 
>> wrote:
>>> Thanks Mark. Am I correct then that I need to either convince the 
>>> administrator of that DNS to enable DNSSEC or configure my DNS with 
>>> `dnssec-validation = no`?
>> 
>> The upstream administrator isn't required to be validating DNSSEC for this 
>> to work, but in order for your DNS server to do DNSSEC validation, their DNS 
>> server must be DNSSEC aware enough to be requesting DNSSEC data when it 
>> queries the authoritative DNS servers.  Of course, the resilience of the 
>> whole thing would also be improved by that server also validating.
>
> Matthew, there is a difference between sometimes getting answers that validate 
> out of a forwarder that isn’t validating, and a system that is working.  
> If the forwarder is not validating then the system cannot recover from 
> situations that an iterative validating resolver can recover from.

Thanks Matthew and Mark for the details. I will have a chat
with the upstream administrator and see whether I can
convince them to enable full DNSSEC on their end. At least
at this point I have a better grasp of what and why I am
seeing those messages.

Thanks!

Nick

> It is bad advice to deploy validating clients behind forwarders that are not 
> validating.
>
>> If they can't or won't update their server, then yes, you'll either have to 
>> disable validation yourself, or select a better upstream.  Personally I'd go 
>> looking for a better upstream (or just stop using a forwarder entirely, and 
>> do your own direct recursion, if that's possible in your environment).


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
