mirror of
https://github.com/isc-projects/bind9.git
synced 2026-04-22 14:49:20 -04:00
c6bf43a821
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders. As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| ns1 | ||
| ns2 | ||
| ns3 | ||
| ns4 | ||
| ns5 | ||
| ns6 | ||
| ns7 | ||
| ns8 | ||
| ns9 | ||
| signer | ||
| clean.sh | ||
| dnssec_update_test.pl | ||
| ntadiff.pl | ||
| prereq.sh | ||
| README | ||
| setup.sh | ||
| tests.sh | ||
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
The test setup for the DNSSEC tests has a secure root.
ns1 is the root server.
ns2 and ns3 are authoritative servers for the various test domains.
ns4 is a caching-only server, configured with the correct trusted key
for the root.
ns5 is a caching-only server, configured with the an incorrect trusted
key for the root. It is used for testing failure cases.
ns6 is a caching-only server configured to use DLV.
ns7 is used for checking non-cacheable answers.
ns8 is a caching-only server, configured with unsupported and disabled
algorithms. It is used for testing failure cases.