[BIND9.11.4-P1] What happens Combination with dnssec-enable yes; dnssec-validation no; in named.conf

Tony Finch dot at dotat.at
Mon Nov 19 10:23:58 UTC 2018


Sunghwan Kim(IBI) <shkim at ibi.net> wrote:
>
> I would like to know what happens if dnssec-enable yes; dnssec-validation
> no; are set in named.conf.
>
> Does it return SERVFAIL?

No. (But see * below...)

`dnssec-enable` is to do with handling of DNSSEC records and query flags:
setting and recognizing the DO flag and returning RRSIG and NSEC(3)
records in responses, etc. It's necessary if the server is authoritative
for signed zones, or if it is validating, or has clients that validate.

In general you should not have the `dnssec-enable` option in your
configuration file unless you are doing something very strange: leave it
out, the default is correct.

(*) It's possible that if you have broken middleboxes in your network,
your DNS server will not be able to make DNSSEC queries. If so, get the
network fixed :-)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Irish Sea: East 5 to 7, occasionally 4 at first. Slight or moderate,
occasionally rough later. Showers. Moderate or good.
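
The following is an added example, not part of the original post and not BIND code. It shows where the DO flag sits in an EDNS0 query and how to check a reply for the DO flag, RRSIG records and the AD flag. The function names are hypothetical, and the sample reply is constructed to show a server that returns RRSIGs without validating (AD clear).

```python
import struct

TYPE_OPT, TYPE_RRSIG = 41, 46
DO_BIT = 0x8000  # "DNSSEC OK": top bit of the 16 flag bits in the OPT record's TTL field
AD_BIT = 0x0020  # header flag a validating resolver sets on answers it has verified

def encode_name(name):
    # Wire format: length-prefixed labels, terminated by the zero-length root label.
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, want_dnssec=True, qid=0x1234):
    # One A/IN question plus an EDNS0 OPT record; DO is set only when want_dnssec.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT if want_dnssec else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    # Return the offset just past a name; a compression pointer ends it.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def dnssec_summary(msg):
    # Pull out the DNSSEC-relevant parts of a query or response.
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, do, rrsigs = 12, False, 0
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_BIT)
        elif rtype == TYPE_RRSIG:
            rrsigs += 1
    return {"do": do, "ad": bool(flags & AD_BIT), "rrsig_count": rrsigs}

def sample_response():
    # Constructed reply (not captured traffic): A + RRSIG with dummy RDATA + OPT, AD clear.
    q = build_query("example.com")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)  # QR, RD, RA; AN=2
    owner = b"\xc0\x0c"                                          # pointer to the question name
    a = owner + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 8) + bytes(8)
    return header + q[12:-11] + a + sig + q[-11:]

if __name__ == "__main__":
    print(dnssec_summary(sample_response()))
```
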

