dnssec-validation?
Evan Hunt
each at isc.org
Wed Apr 12 17:07:36 UTC 2023
On Wed, Apr 12, 2023 at 05:41:33PM +0100, David Carvalho via bind-users wrote:
> After reverting my primary dns configuration, and asking my provider to
> remove the DNSKEY, I had to include dnssec-validation no; otherwise it would
> keep answering with SERVFAIL
>
> I noticed the server was constantly trying to reach top domain dns servers.
>
> Is this dnssec-validation mandatory? Any help appreciated.
dnssec-validation can be set three ways:
- "no" (validation is never performed)
- "yes" (validation *may* be performed, but only if you have also
configured a trust anchor in named.conf)
- "auto" (validation will be performed using the standard root zone
trust anchor, which is built in to BIND and doesn't need to be
configured by hand).
The default is "auto". When it's set to that, your server will query the
root name servers in order to confirm that the automatically-configured
trust anchor is correct. You said it was "trying to" reach the root, which
suggests it wasn't succeeding? If so, that would explain why everything
that wasn't locally authoritative would return SERVFAIL.
Note that this is related to *recursive* queries, that is, queries for
zones that are not served by your secondary server. It should have nothing
to do with whether your own domain is signed, or whether there's a DS
record for it in the parent zone. My guess is, you had the authoritative
configuration working fine (otherwise presumably dnssec-analyzer would've
complained), but recursive isn't working.
Unfortunately, since you haven't provided any configuration info or even
the name of the domain you were trying to set up, I can't make any more
educated guesses than that.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list