Sparklight and DNSSEC

Petr Špaček pspacek at isc.org
Mon Sep 26 07:28:02 UTC 2022


On 26. 09. 22 9:15, sthaug at nethelp.no wrote:
>> Please allow me to correct this:
>>
>> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
>> signatures (and other metadata) without validating them.
> 
> Slight problem here: My 9.18.5 named doesn't know about dnssec-enabled:
> 
> Sep 26 09:00:51 xxx named[38797]: /usr/local/etc/namedb/named.conf:18: unknown option 'dnssec-enabled'
> 
> A bit of searching makes it look like dnssec-enable is what we want,
> but:
> 
> Sep 26 09:08:21 xxx named[38797]: /usr/local/etc/namedb/named.conf:18: option 'dnssec-enable' no longer exists
> 
> What am I missing here?

Oh, I'm sorry.

I forgot this option was removed and DNSSEC metadata are _always_ passed 
around in modern versions of BIND.

It has been that way since 9.16.0, and the option was completely removed in 
9.17.0.

I think that underlines the point that filtering DNSSEC metadata is a 
bad idea :-)

-- 
Petr Špaček
Internet Systems Consortium
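An added example, not part of the thread and not ISC's own tooling: a small POSIX sh audit that (a) classifies a BIND version against the thresholds Petr gives above (metadata always forwarded from 9.16.0, option removed in 9.17.0) and (b) scans a named.conf for the removed `dnssec-enable` statement (and the `dnssec-enabled` misspelling from the thread) while confirming that `dnssec-validation` is actually turned on, which is the setting that matters. The "no-effect" label for 9.16.x, the sample config and the placeholder path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bind-users thread). Classifies a BIND version
# with respect to the 'dnssec-enable' option and audits a named.conf for it.

# dnssec_enable_status MAJOR.MINOR[.PATCH] -> prints one of:
#   accepted   before 9.16.0: the option still controls forwarding of DNSSEC data
#   no-effect  9.16.x: metadata is always forwarded (thread); option assumed
#              to be accepted but ignored (assumption of this example)
#   removed    9.17.0 and later: named refuses to start ("no longer exists")
dnssec_enable_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 17 ]; }; then
        echo removed
    elif [ "$major" -eq 9 ] && [ "$minor" -eq 16 ]; then
        echo no-effect
    else
        echo accepted
    fi
}

# strip_conf_comments FILE -> named.conf text with // and # comments removed,
# one output line per input line so grep -n line numbers stay meaningful.
strip_conf_comments() {
    sed -e 's#//.*$##' -e 's/#.*$//' "$1"
}

# find_removed_dnssec_options FILE -> prints "LINE:text" for every live use of
# 'dnssec-enable' or 'dnssec-enabled'; returns 0 if the file is clean, 1 otherwise.
find_removed_dnssec_options() {
    strip_conf_comments "$1" |
        grep -n -E '(^|[[:space:];{])dnssec-enabled?([[:space:]]|;|$)' && return 1
    return 0
}

# has_dnssec_validation FILE -> 0 if 'dnssec-validation auto;' or 'yes;' is set.
# Forwarding signatures is not the same as checking them; this is the real knob.
has_dnssec_validation() {
    strip_conf_comments "$1" |
        grep -q -E 'dnssec-validation[[:space:]]+(auto|yes)[[:space:]]*;'
}

# make_sample_conf FILE -> writes a constructed config modelled on the thread's
# failing line (a removed option in the options block). Placeholder paths.
make_sample_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";          // placeholder path
    // dnssec-enable yes;            // commented out: must not be flagged
    dnssec-enable yes;               // removed in 9.17.0: named will not start
    dnssec-validation auto;          // validate, do not merely forward metadata
};
EOF
}

# audit_conf FILE VERSION -> human-readable summary; exit status 1 if named
# at VERSION would reject the file because of the removed option.
audit_conf() {
    conf=$1
    status=$(dnssec_enable_status "$2")
    rc=0
    if hits=$(find_removed_dnssec_options "$conf"); then
        echo "no dnssec-enable statements found"
    else
        echo "dnssec-enable statement(s) present (status for BIND $2: $status):"
        echo "$hits"
        [ "$status" = removed ] && rc=1
    fi
    if has_dnssec_validation "$conf"; then
        echo "dnssec-validation is enabled"
    else
        echo "WARNING: dnssec-validation is not set to auto/yes"
    fi
    return $rc
}

# Stand-alone usage: sh audit.sh /path/to/named.conf 9.18.5
if [ $# -eq 2 ]; then
    audit_conf "$1" "$2"
fi
```

Run it against your own named.conf and the output of `named -v`; a non-zero exit means the file carries an option that a 9.17+ named will refuse, which is exactly the situation in the quoted log line.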


More information about the bind-users mailing list