MoinQ:

ルートゾーンKSK/DNSSEC-bindについて、ここに記述してください。

https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

権威サーバー側はDNSSECを使っている可能性がある。

How To Setup DNSSEC on an Authoritative BIND DNS Server

DNSSEC Master Configuration

Enable DNSSEC by adding the following configuration directives inside options{ }

nano /etc/bind/named.conf.options

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

1. resolver設定

http://www.zytrax.com/books/dns/ch7/security.html

dnssec-enable yes; default

dnssec-validation indicates that a resolver (a caching or caching-only name server) will attempt to validate replies from DNSSEC enabled (signed) zones.

-- ToshinoriMaeno 2017-07-25 00:04:35