On Sat, 2022-12-03 at 15:48 +0000, John Scott wrote: > > Where am I making a mistake, please ? > > I think I know the problem. On the client machine, by default glibc > doesn't indicate to applications that DNS records were signed via > DNSSEC. This is because, how is glibc to know whether the DNS servers > it's getting its records from is supposed to be considered > trustworthy? It might be some DNS server set up by your ISP or > something, and you might not want to place your full trust in them. > > I believe your server is configured correctly. However, in order for > GNU/Linux clients to take advantage of DNSSEC, they typically need to > run validating DNS resolvers locally that can be trusted, AND set a > glibc option in /etc/resolv.conf letting glibc know that the > signatures can be trusted. > > I'm not a DNS aficionado, so someone please correct me if I got the > details wrong
Thanks, John, I am following this clue. Kind regards, André