All client resolvers support DNSSEC compatible queries ???
Tony Finch
dot at dotat.at
Thu Apr 24 11:19:00 UTC 2014
Carsten Strotmann <cas at strotmann.de> wrote:
>
> You can enable DNSSEC validation support on a BIND 9 caching server that
> is used as a resolver by your clients. BIND 9 9.9.x already comes with
> DNSSEC validation enabled, for older versions you need to enable it
> manually in the configuration.
DNSSEC validation needs to be explicitly enabled in every version of BIND.
Since version 9.8 BIND ships with a built-in root trust anchor, so to
enable validation you can just add "dnssec-validation auto;" (and
"dnssec-lookaside auto;" if you like).
The dnssec-enable option defaults to yes (since version 9.5), but this
just makes BIND DNSSEC-aware (so it supports the special semantics of
DNSSEC RR types) but does not make it validate.
The rest of what you said is correct.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Fair Isle, Faeroes, South-east Iceland: Mainly southeasterly 5 or 6,
decreasing 4 at times. Moderate or rough. Occasional rain, fog patches.
Moderate or good, occasionally very poor.
More information about the bind-users
mailing list