Stephane Bortzmeyer wrote:
> I configure a BIND 9.5.0 P2 which is both a DNSSEC-validating resolver
> and an authoritative server.
> 
> With proper trust anchors, it DNSSEC-validates domains like iis.se or
> sources.org and sets the AD bit in the answers to 'dig +dnssec XXX
> iis.se'.
> 
> Except for one domain, generic-nic.net, for which this BIND is
> authoritative: here, I get the right answer but without the AD bit.
> 
> If I delete this domain from the list of zones served by this BIND, I
> get the AD bit again.
> 
> Is it normal? Should the client be happy with just the AA bit?

Authoritative servers will never set the AD bit for their own zones.  To
get "correctly set bits", you must go through a validating recursive server.

Consider this conversation:

  "Is your name Alan?"
  "Yes, it is, and I will guarantee that it is because I say it is"

For this reason (if for no other), I strongly recommend that the roles
of authoritative and recursive servers be split.

AlanC
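To make the AA-versus-AD distinction in this thread concrete, here is a small added example (not part of the thread or of BIND's code) that unpacks the flag word of a DNS message header and applies the check a client should make: an answer carrying only AA came from an authoritative server and says nothing about DNSSEC validation, while AD is only worth anything when it arrives from a validating resolver the client already trusts (RFC 4035 makes the same point for stub resolvers). The two twelve-byte headers are constructed inline and mimic, respectively, the AA-only reply the original poster saw from his own server and the AD reply he got for other zones.

```python
import struct

# Bit masks for the 16-bit flag word that follows the message ID in the
# DNS header (QR/AA/TC/RD/RA from RFC 1035, AD/CD from RFC 2535/4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def build_header(ident: int, flags: int, qd: int = 1, an: int = 1,
                 ns: int = 0, ar: int = 0) -> bytes:
    """Pack a 12-byte DNS header (ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT)."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


def parse_header(msg: bytes) -> dict:
    """Unpack the header of a DNS message into named flags and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }


def validation_status(msg: bytes, resolver_trusted: bool) -> str:
    """Classify what the header flags actually tell the client about DNSSEC.

    resolver_trusted: whether the answer came from a validating resolver the
    client trusts over a secure path (e.g. localhost).  Without that, AD is
    just a bit anyone on the path could have set.
    """
    h = parse_header(msg)
    if h["ad"] and resolver_trusted:
        return "validated"          # AD from a trusted validator: data is authenticated
    if h["ad"]:
        return "ad-untrusted"       # AD set, but the channel cannot vouch for it
    if h["aa"]:
        return "authoritative-only" # the AA case from the thread: self-assertion, no validation
    return "unvalidated"


# Constructed sample headers (these are not captured traffic).
# 1) What the poster saw for his own zone: QR, AA, RD, RA set; AD clear.
AUTHORITATIVE_ANSWER = build_header(0x1234, QR | AA | RD | RA)
# 2) What a validating recursive server returns for a signed zone: AD set, AA clear.
RESOLVER_ANSWER = build_header(0x1234, QR | RD | RA | AD)

if __name__ == "__main__":
    for name, msg in (("authoritative", AUTHORITATIVE_ANSWER),
                      ("resolver", RESOLVER_ANSWER)):
        h = parse_header(msg)
        print(f"{name:14s} aa={h['aa']} ad={h['ad']} -> "
              f"{validation_status(msg, resolver_trusted=True)}")
```

The third branch of `validation_status` is the answer to the closing question of the original post: an AA bit is the server guaranteeing its own data, which is exactly the "because I say it is" conversation above, so a client wanting DNSSEC assurance should send its queries to a validating resolver and look for AD there, not at the authoritative server.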

_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users