Skip to content
  • Michał Kępień's avatar
    Make NTAs work with validating forwarders · bc18163e
    Michał Kępień authored and Evan Hunt's avatar Evan Hunt committed
    If named is configured to perform DNSSEC validation and also forwards
    all queries ("forward only;") to validating resolvers, negative trust
    anchors do not work properly because the CD bit is not set in queries
    sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
    material and making validation decisions based on its configuration,
    named is only receiving SERVFAIL responses to queries for bogus data.
    Fix by ensuring the CD bit is always set in queries sent to forwarders
    if the query name is covered by an NTA.
    
    (cherry picked from commit 5e804882)
    bc18163e