BIND 9.14.8
Havard Eidnes
he at uninett.no
Mon Dec 9 09:58:07 UTC 2019
> BIND 9.14.8 (Stable Release)
> When I start the server, I get such a prompt. Are there any parameters I
> [can] turn off? After all, not all servers implement DNSSEC
>
> 09-Dec-2019 16:17:46.497 dnssec: warning: managed-keys-zone: Unable to
> fetch DNSKEY set '.': timed out
This appears to be an indication that your recursive server is unable
to speak directly with the root name servers, I would think? You could
probably debug that with "dig"; you could try
  dig @<root-name-server> . dnskey
While it is most certainly true that not all publishing name servers
implement DNSSEC, that is not a necessary requirement for enabling
DNSSEC processing in your recursive name server. BIND will figure out
by itself if lookups in the target zone should be DNSSEC-validated
(signaled by the presence of a signed DS record for the zone in the
parent zone), and will only do DNSSEC validation if that is the case,
allowing incremental deployment.
Regards,
- Håvard
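Added example, not part of the original message: a shell wrapper around the suggested `dig @<root-name-server> . dnskey` check that queries over both UDP and TCP and classifies each result. The default server address 198.41.0.4 (a.root-servers.net), the function names, the `--probe` switch and the verdict words are assumptions of this example.

```shell
#!/bin/sh
# Added example: wraps the "dig @<root-name-server> . dnskey" check.
# Function names and verdict words are this example's own (assumptions).

# classify_dig: read dig output on stdin, print a one-word verdict.
classify_dig() {
    awk '
        /^;;.*(timed out|no servers could be reached)/ { timeout = 1 }
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,/, "", status) }
        }
        /^;; flags:/ && / tc[ ;]/     { tc = 1 }
        $1 == "." && $4 == "DNSKEY"   { keys++ }
        END {
            if (timeout)                  print "timeout"
            else if (status == "")        print "no-response"
            else if (status != "NOERROR") print "error:" status
            else if (keys > 0)            print "ok:" keys
            else if (tc)                  print "truncated"
            else                          print "empty"
        }'
}

# probe_roots [server...]: query each server over UDP and over TCP.
# +ignore stops dig from silently retrying a truncated UDP answer over TCP,
# so a path that only works over one transport shows up as such.
probe_roots() {
    [ "$#" -gt 0 ] || set -- 198.41.0.4   # a.root-servers.net (assumed default)
    for server in "$@"; do
        for transport in +notcp +tcp; do
            verdict=$(dig +norec +dnssec +ignore +time=3 +tries=1 \
                          "$transport" "@$server" . dnskey 2>&1 | classify_dig)
            printf '%-16s %-6s %s\n' "$server" "$transport" "$verdict"
        done
    done
}

# Run the live probe only when asked: sh check-root-dnskey.sh --probe [server...]
if [ "${1:-}" = "--probe" ]; then
    shift
    probe_roots "$@"
fi
```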