Sparklight and DNSSEC

Mark Andrews marka at isc.org
Tue Sep 27 00:11:30 UTC 2022



> On 27 Sep 2022, at 00:58, Benny Pedersen <me at junc.eu> wrote:
> 
> Bjørn Mork skrev den 2022-09-26 08:50:
>> Petr Špaček <pspacek at isc.org> writes:
>>> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
>>> signatures (and other metadata) without validating them.
>>> named.conf statement 'dnssec-validation auto;' then enables DNSSEC
>>> validation itself.
>>> In other words, it is possible to allow DNSSEC to work for forwarders
>>> without doing validation itself. If the ISP in question resists
>>> enabling DNSSEC then at least 'dnssec-enabled yes; dnssec-validation
>>> no;' configuration would improve situation for people who care.
>> Thanks.  Did not know this.  Sorry for the disinformation.
> 
> imho dnssec-validation auto; has a bug as it validates domains without DS set

Every answer is supposed to be validated.  This is what is REQUIRED by DNSSEC.  The
result of that validation can be insecure, valid, or bogus.  The presence or absence
of DS at the delegation tells the validator whether answers from a zone should be signed
or not and, if they are signed, what DNSSEC algorithms are present.  It is a myth that
zones without DNSSEC are not validated.

> hope bind developers can confirm or deny it
> 
> dnssec-enabled yes; is deprecated in gentoo latest stable version 9.16.30

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
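The two resolver configurations discussed in this thread, written out as an added named.conf example (this is not configuration posted by anyone in the thread, nor ISC's reference config). It assumes BIND 9.16 or later, where the `dnssec-validation auto;` setting uses the built-in IANA root trust anchor and where the option the thread refers to is spelled `dnssec-enable` (without the trailing "d"); as the thread notes, that option is deprecated in 9.16 and is reported to have no effect, so the setting that actually matters on a current server is `dnssec-validation`.

```conf
// Variant A: pass DNSSEC data through without validating it.
// RRSIG, DNSKEY, DS and NSEC/NSEC3 records are returned to clients that set
// the DO bit, so a validating stub or downstream forwarder behind this
// resolver can do its own validation. The resolver itself never sets the
// AD flag and never returns SERVFAIL for bogus data.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // constructed example prefix
    dnssec-enable yes;                   // deprecated in 9.16, harmless if still accepted
    dnssec-validation no;
};

// Variant B: the resolver validates every answer itself.
// 'auto' loads the built-in IANA root key and keeps it current via RFC 5011.
// Each answer is classified as secure, insecure (no DS at the delegation) or
// bogus; only bogus answers are withheld from clients (SERVFAIL), and the AD
// flag is set only on answers that validated as secure.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // constructed example prefix
    dnssec-validation auto;
};
```

Only one `options { ... }` block may appear in a real named.conf; the two are shown side by side for comparison. To check which mode a resolver is in, query it with `dig +dnssec` for a name in a signed zone: both variants return RRSIG records, but only Variant B sets the `ad` flag in the response header, and only Variant B answers SERVFAIL for a name whose signatures fail to validate.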


