dnssec-validation?

David Carvalho david at di.ubi.pt
Thu Apr 13 09:23:16 UTC 2023 

Hello and thank you for the reply.
My domain is "di.ubi.pt". The parent domain "ubi.pt" recently configured
DNSSEC (BIND 9.11) so it was time again for me to try to set it up for my
domain.

A few months ago I updated both dns servers to Oracle Linux 8, running BIND
9.16.23 to prepare for this.
They seem to be working fine as previously, running as both recursive and
authoritative for di.ubi.pt.

DNS2 has still "dnssec-validation auto;" on its  /etc/named.conf.
I've found out that if I wanted my primary server to start answering my
internal requests for outside "di.ubi.pt" I had to change dnssec-validation
to "no".
I still don't understand why, to be honest.

Yesterday I set dnssec-validation to auto on my primary server, but as I
wrote before, although outside tools showed everything was fine, my server
kept answering "SERVFAIL" to my client queries. I don't think I tested
dnssec-validation to no when dnssec was enabled, nor if this makes much
sense, but I can try.

Kind regards
David 






On Wed, Apr 12, 2023 at 05:41:33PM +0100, David Carvalho via bind-users
wrote:
> After reverting my primary dns configuration, and asking my provider 
> to remove the DNSKEY, I had to include dnssec-validation no; otherwise 
> it would keep answering with SERVFAIL
> 
> I noticed the server was constantly trying to reach top domain dns
servers.
> 
> Is this dnssec-validation mandatory? Any help appreciated.

dnssec-validation can be set three ways:
 - "no" (validation is never performed)
 - "yes" (validation *may* be performed, but only if you have also
   configured a trust anchor in named.conf)
 - "auto" (validation will be performed using the standard root zone
   trust anchor, which is built in to BIND and doesn't need to be
   configured by hand).

The default is "auto". When it's set to that, your server will query the
root name servers in order to confirm that the automatically-configured
trust anchor is correct.  You said it was "trying to" reach the root, which
suggests it wasn't succeeding?  If so, that would explain why everything
that wasn't locally authoritative would return SERVFAIL.

Note that this is related to *recursive* queries, that is, queries for zones
that are not served by your secondary server.  It should have nothing to do
with whether your own domain is signed, or whether there's a DS record for
it in the parent zone. My guess is, you had the authoritative configuration
working fine (otherwise presumably dnssec-analyzer would've complained), but
recursive isn't working.

Unfortunately, since you haven't provided any configuration info or even the
name of the domain you were trying to set up, I can't make any more educated
guesses than that.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list