behavior of dnssec-enable in relation to dnssec-validation
/dev/rob0
rob0 at gmx.co.uk
Fri Mar 27 18:50:52 UTC 2015
On Tue, Mar 24, 2015 at 10:50:42PM -0400, btb at bitrate.net wrote:
> in the arm, it says "dnssec-enable: Enable DNSSEC support in named.
> Unless set to yes, named behaves as if it does not support
> DNSSEC.". "behaves as if it does not support DNSSEC" seemed quite
> unequivocal to me, so i interpreted this to mean that if
> dnssec-enable no; is set, no dnssec operations/behavior of any kind
> would be seen, period, regardless of what other settings might be
> set. however, it seems that if dnssec-validation auto; is set [i
> didn't try dnssec-validation yes;], bind does perform dnssec
> related operations even though dnssec-enable no; is set [from
> looking briefly at logs with rndc trace 1, i see what appear to be
> attempts at validation - retrieving ds records, dnskey records,
> etc].
I tested this with a query of dnssec-failed.org/IN/SOA, and indeed,
validation is done and (of course) fails. named-checkconf -p shows:
    dnssec-enable no;
    dnssec-lookaside auto;
    dnssec-validation auto;
> am i misinterpreting the documentation?
Reading on through:
"
dnssec-validation
Enable DNSSEC validation in named. Note dnssec-enable also
needs to be set to yes to be effective. ...
"
This does not seem to be the case. I think bug, whether it's the
documentation or the behavior.
> misinterpreting the apparent behavior? something else?
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
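
A config audit for the combination reported in this thread, as an added example that is not part of the original message or of BIND. It reads text in the format printed by named-checkconf -p; the function names and the sample text are constructed here, and it assumes no per-view overrides (the last value seen wins).

```shell
#!/bin/sh
# Added example: flag "dnssec-enable no;" combined with an active
# dnssec-validation setting in `named-checkconf -p` style output.

# get_opt TEXT NAME: print the last value given for option NAME in TEXT.
get_opt() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        $1 == opt { v = $2; sub(/;.*$/, "", v); val = v }
        END { if (val != "") print val }'
}

# audit_dnssec TEXT: 0 = settings agree, 1 = mismatch, 2 = option not found.
audit_dnssec() {
    enable=$(get_opt "$1" dnssec-enable)
    validation=$(get_opt "$1" dnssec-validation)
    case "$validation" in
        yes|auto)
            if [ "$enable" = "no" ]; then
                echo "MISMATCH: dnssec-enable no; with dnssec-validation $validation; (thread reports validation still runs)"
                return 1
            fi
            echo "validating: dnssec-validation $validation;"
            ;;
        no)
            echo "not validating: dnssec-validation no;"
            ;;
        *)
            echo "unknown: dnssec-validation not present in input"
            return 2
            ;;
    esac
}

# Constructed sample, using the three option lines quoted in the message.
SAMPLE='options {
	dnssec-enable no;
	dnssec-lookaside auto;
	dnssec-validation auto;
};'

audit_dnssec "$SAMPLE" || true
```

On a live server the text would come from named-checkconf -p instead of SAMPLE; the behavioural check used in the message is a query for dnssec-failed.org/IN/SOA.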