behavior of dnssec-enable in relation to dnssec-validation
btb at bitrate.net
btb at bitrate.net
Wed Mar 25 02:50:42 UTC 2015
hi-
in the arm, it says "dnssec-enable: Enable DNSSEC support in named. Unless set to yes, named behaves as if it does not support DNSSEC.". "behaves as if it does not support DNSSEC" seemed quite unequivocal to me, so i interpreted this to mean that if dnssec-enable no; is set, no dnssec operations/behavior of any kind would be seen, period, regardless of what other settings might be set. however, it seems that if dnssec-validation auto; is set [i didn't try dnssec-validation yes;], bind does perform dnssec related operations even though dnssec-enable no; is set [from looking briefly at logs with rndc trace 1, i see what appear to be attempts at validation - retrieving ds records, dnskey records, etc].
am i misinterpreting the documentation? misinterpreting the apparent behavior? something else?
thanks
-ben
More information about the bind-users
mailing list