Sparklight and DNSSEC
Benny Pedersen
me at junc.eu
Mon Sep 26 14:58:02 UTC 2022
Bjørn Mork wrote on 2022-09-26 08:50:
> Petr Špaček <pspacek at isc.org> writes:
>
>> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
>> signatures (and other metadata) without validating them.
>>
>> named.conf statement 'dnssec-validation auto;' then enables DNSSEC
>> validation itself.
>>
>> In other words, it is possible to allow DNSSEC to work for forwarders
>> without doing validation itself. If the ISP in question resists
>> enabling DNSSEC then at least 'dnssec-enabled yes; dnssec-validation
>> no;' configuration would improve the situation for people who care.
>
> Thanks. Did not know this. Sorry for the disinformation.

imho dnssec-validation auto; has a bug, as it validates domains without
DS set

hope bind developers can confirm or deny it

dnssec-enabled yes; is deprecated in gentoo latest stable version
9.16.30

More information about the bind-users mailing list