bind9

mirror of https://github.com/isc-projects/bind9.git synced 2026-02-28 12:31:29 -05:00

History

Michał Kępień 5e80488270 Make NTAs work with validating forwarders If named is configured to perform DNSSEC validation and also forwards all queries ("forward only;") to validating resolvers, negative trust anchors do not work properly because the CD bit is not set in queries sent to the forwarders. As a result, instead of retrieving bogus DNSSEC material and making validation decisions based on its configuration, named is only receiving SERVFAIL responses to queries for bogus data. Fix by ensuring the CD bit is always set in queries sent to forwarders if the query name is covered by an NTA.	2019-05-09 19:55:35 -07:00
..
named.conf.in	Make NTAs work with validating forwarders	2019-05-09 19:55:35 -07:00

Michał Kępień 5e80488270 Make NTAs work with validating forwarders

If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.

2019-05-09 19:55:35 -07:00

named.conf.in

Make NTAs work with validating forwarders

2019-05-09 19:55:35 -07:00