Actions
Enhancement #292
openDNSSEC authoritative nameservers and validating resolvers should be separated
Start date:
2012-02-13
Due date:
% Done:
0%
Estimated time:
Patch Available:
No
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
No
Help Needed:
Yes
Description
According to RFC4035 3.1.6 (The AD and CD Bits in an Authoritative Response), it is normal behavior an authoritative nameserver returns AA without AD flag. In bind9 there is no way to either consider authoritative zones data to be authentic « without further validation », or redo validation (which would be silly while serving the zone outside).
Considered solutions:- on DNS servers: try to use a bind9 view for localhost request, which would not share any zone but act as a recursive validating resolver if possible, or use unbound as validating resolver (in resolv.conf only)
- on other servers: use unbound as validating resolver
Actions