GitLab

If named is configured to perform DNSSEC validation and also forwards all queries (forward only;) to validating resolvers, negative trust anchors do not work properly because the CD bit is not set in queries sent to the forwarders. As a result, instead of retrieving bogus DNSSEC material and making validation decisions based on its configuration, named is only receiving SERVFAIL responses to queries for bogus data.

To reproduce the issue:

1. Configure a named instance with forward only; forwarders { 2620:ff:c000:0:1::64:20; }; (OARC Validating Resolver)
2. Add an NTA for dnssec-failed.org: rndc nta dnssec-failed.org.
3. Send a query for bogus data: dig @localhost dnssec-failed.org. - it will SERVFAIL instead of returning an insecure response