DNSSEC support in libbind
Paul Vixie
Paul_Vixie at isc.org
Mon Mar 5 14:46:26 UTC 2007
Simon Vallet <svallet at genoscope.cns.fr> writes:
> > > So it seems the resolver does not recognize the RRSIG RR for some
> > > reason...
> > >
> > > Any hint ?
> >
> > libbind is just a copy of BIND8-based old resolver implementation, so
> > it's not surprising that it does not recognize newly defined RR
> > type(s). It may not be very hard to add a simple parser for such RRs
> > to libbind, but if what you are expecting is to validate the result
> > based on the DNSSEC protocol, libbind is clearly not the right tool.
>
> Yes -- I initially thought it was a validating stub-resolver
> implementation, but it appears it is not.
see above where it says "BIND8" and "old".
> Actually, I would have expected BIND to set the AD bit on authoritative
> replies -- this would have solved the problem simply (although
> admittedly not very elegantly).
you have to enable dnssec in your server to get that behaviour.
> We'll probably give a try at other resolver implementations.
be sure to try the BIND9 resolver.
--
Paul Vixie
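The "simple parser for such RRs" mentioned in the quoted reply, sketched as an added example; it is not code from this thread, from libbind or from BIND. The names `struct rrsig`, `rrsig_parse` and `SAMPLE_RRSIG` are hypothetical, the sample bytes are constructed, and the field layout is the RRSIG RDATA format of RFC 4034 section 3.1. It only decodes the record and performs no DNSSEC validation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct rrsig {                 /* hypothetical names; layout per RFC 4034 3.1 */
    uint16_t type_covered, key_tag;
    uint8_t  algorithm, labels;
    uint32_t orig_ttl, expiration, inception;
    char     signer[256];      /* dotted form; label bytes are not escaped */
    const uint8_t *sig; size_t sig_len;   /* points into the caller's buffer */
};

/* Constructed sample RDATA: covers type A, algorithm 8, signer example.com.,
 * followed by 4 placeholder bytes standing in for a signature. */
static const uint8_t SAMPLE_RRSIG[] = {
    0x00,0x01, 8, 2, 0x00,0x00,0x0e,0x10, 0x45,0xf0,0x00,0x00,
    0x45,0xe0,0x00,0x00, 0x30,0x39,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0xde,0xad,0xbe,0xef
};

static uint32_t be(const uint8_t *p, int n) {   /* n-byte big-endian read */
    uint32_t v = 0;
    while (n-- > 0) v = (v << 8) | *p++;
    return v;
}

/* Decode only, no signature check. Returns 0 on success, -1 if malformed. */
int rrsig_parse(const uint8_t *rd, size_t len, struct rrsig *out) {
    size_t off = 18, n = 0;
    if (len < 18) return -1;                 /* fixed header is 18 bytes */
    out->type_covered = (uint16_t)be(rd, 2);
    out->algorithm = rd[2]; out->labels = rd[3];
    out->orig_ttl   = be(rd + 4, 4);
    out->expiration = be(rd + 8, 4);
    out->inception  = be(rd + 12, 4);
    out->key_tag    = (uint16_t)be(rd + 16, 2);
    for (;;) {                               /* signer name is never compressed */
        uint8_t l;
        if (off >= len) return -1;           /* ran off the end of the RDATA */
        if ((l = rd[off++]) == 0) break;     /* root label ends the name */
        if (l > 63 || off + l > len || n + l + 2 > sizeof out->signer) return -1;
        memcpy(out->signer + n, rd + off, l);
        n += l; off += l;
        out->signer[n++] = '.';
    }
    if (n == 0) out->signer[n++] = '.';      /* signer is the root zone */
    out->signer[n] = '\0';
    if (off >= len) return -1;               /* signature field must be present */
    out->sig = rd + off; out->sig_len = len - off;
    return 0;
}
```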