Strange. My bind is not validating dnssec even though I configured it to. Version according to named -V
is BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2
which has a built-in DLV key.
Under options in named.conf
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
But when I query a known bad zone, like doing dig www.dnssec-failed.org @localhost
I get IP addresses, not a failure like I was expecting. Any thoughts?
Don't ask why, but I had the same issue, and setting the dnssec-validation option to auto instead of yes fixed it.
According to the reference manual: "If set to "auto", DNSSEC validation is enabled, and a default trust-anchor for the DNS root zone is used."
Therefore, you must either set it to "auto" mode, or explicitly include "/etc/bind.keys".
The default trust-anchor used is from bind.keys; a default is preloaded out of the box.
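Two checks that follow from this answer, added here as an example (not code from the question or either answer): one reads the dnssec-validation setting out of a named.conf and reports whether a trust anchor is available for it, the other classifies saved dig output so you can tell "validated", "rejected" and "answered without validation" apart. Function names, the temp-file demo and the sample config are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the question or either answer. Only plain
# "option value;" lines are parsed; settings inside /* */ block comments
# are not recognised.

# Print the dnssec-validation setting ("auto", "yes", "no") from a named.conf
# file, or "unset" if the option is absent.
dnssec_validation_mode() {
  mode=$(sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]\{1,\}\([a-z]*\)[[:space:]]*;.*/\1/p' "$1" | tail -n 1)
  [ -n "$mode" ] && echo "$mode" || echo unset
}

# "ok": validation is on and a trust anchor is built in (auto) or configured.
# "missing-trust-anchor": the asker's situation, "yes" with no trusted-keys,
# managed-keys or include of bind.keys, so there is nothing to validate against.
dnssec_config_status() {
  case "$(dnssec_validation_mode "$1")" in
    auto) echo ok ;;
    yes)  if grep -Eq 'managed-keys|trusted-keys|bind\.keys' "$1"; then echo ok
          else echo missing-trust-anchor; fi ;;
    *)    echo validation-off ;;
  esac
}

# Classify a saved dig response: "rejected" (SERVFAIL, what a validating
# resolver returns for www.dnssec-failed.org), "validated" (ad flag set), or
# "unvalidated" (answers returned without validation, as in the question).
dig_result() {
  if grep -q 'status: SERVFAIL' "$1"; then echo rejected
  elif grep -q 'flags:.* ad[ ;]' "$1"; then echo validated
  else echo unvalidated; fi
}

# Demo on a constructed copy of the question's options block.
demo() {
  tmp=$(mktemp)
  printf 'options {\n  dnssec-enable yes;\n  dnssec-validation yes;\n  dnssec-lookaside auto;\n};\n' > "$tmp"
  echo "config: $(dnssec_config_status "$tmp")"   # missing-trust-anchor
  rm -f "$tmp"
}
demo

# Live check against the resolver once it is fixed (needs network access):
#   dig www.dnssec-failed.org @localhost > /tmp/bad.txt;     dig_result /tmp/bad.txt   # rejected
#   dig +cd www.dnssec-failed.org @localhost > /tmp/cd.txt;  dig_result /tmp/cd.txt    # unvalidated
```

The +cd query disables checking on purpose, so getting addresses back there while the plain query returns SERVFAIL is the sign that validation is now doing its job.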