10-26-2021 11:53 AM - edited 10-26-2021 02:25 PM
Hello, I have a question regarding DNSSEC.
Do we need to enable recursion on the Name Servers used to host a signed zone (DNSSEC)?
I'm asking as the below PDF doc says recursion must be enabled as a Pre-requisite for DNSSEC Validation.
1. EDNS0 must be enabled and supported by your networking equipment.
a. Check the section Troubleshooting for a quick method on how to test if your environment
2. Recursion must be enabled
Also, we have tested DNSSEC in one Lab server with recursion disabled and as per https://dnssec-debugger.verisignlabs.com/ output everything is green.
So, I'm not sure why the Name servers must have Recursion enabled or what it means.
Let me know your comments.
Thanks in Advance.
10-29-2021 09:22 PM
DNSSEC validation is when your server is querying other servers. It's unrelated to signing zones on your authoritative servers.
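Added example, not part of the thread: the difference between serving a signed zone and validating shows up in the DNS header flags, so this Python sketch builds a query with the EDNS0 DO bit set and classifies a responder from the AA, RA and AD bits. The function names, the 1232-byte payload size and the sample headers are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020

def build_query(name, qtype=1, rd=False, do=True, qid=0x1234):
    """Encode a query carrying an EDNS0 OPT record; DO=1 requests RRSIGs."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size (assumed 1232),
    # TTL = ext-rcode | version | DO + Z bits, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000 if do else 0, 0)
    return header + question + opt

def role(response):
    """Classify the responder from the flags of a DNS response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & QR:
        raise ValueError("not a response")
    if flags & RA:
        # Recursion offered: AD means the resolver validated this answer.
        return "validating-resolver" if flags & AD else "resolver-answer-not-validated"
    # No recursion: a signed zone's name server answers with AA and never AD.
    return "authoritative-only" if flags & AA else "unknown"

def sample(flags):
    """Constructed 12-byte response header with the given flags."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1)

AUTH_ONLY = sample(QR | AA)             # signed-zone server, recursion off
VALIDATING = sample(QR | RD | RA | AD)  # resolver that validated the answer
PLAIN = sample(QR | RD | RA)            # resolver, answer not validated

if __name__ == "__main__":
    print(build_query("example.com").hex())
    for hdr in (AUTH_ONLY, VALIDATING, PLAIN):
        print(role(hdr))
```

An authoritative server with recursion disabled still returns RRSIG records when the query sets DO, which is consistent with the debugger result described in the question.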