DNSSEC authoritative nameservers and validating resolvers should be separated
According to RFC4035 3.1.6 (The AD and CD Bits in an Authoritative Response), it is normal behavior an authoritative nameserver returns AA without AD flag. In bind9 there is no way to either consider authoritative zones data to be authentic « without further validation », or redo validation (which would be silly while serving the zone outside).Considered solutions:
- on DNS servers: try to use a bind9 view for localhost request, which would not share any zone but act as a recursive validating resolver if possible, or use unbound as validating resolver (in resolv.conf only)
- on other servers: use unbound as validating resolver
#1 Updated by Marc Dequènes over 7 years ago
Maybe having unbound listen on 127.0.0.1, have resolv.conf use it, and bind9 servers always listen only on external IPs would be a simpler and an easier to maintain configuration (i'm less and less thinking a view could help because it still has to revolve which probably will become an impossible request loop).