On Tue, Mar 24, 2015 at 10:50:42PM -0400, b...@bitrate.net wrote:
> in the arm, it says "dnssec-enable: Enable DNSSEC support in named.
> Unless set to yes, named behaves as if it does not support
> DNSSEC.". "behaves as if it does not support DNSSEC" seemed quite
> unequivocal to me, so i interpreted this to mean that if
> dnssec-enable no; is set, no dnssec operations/behavior of any kind
> would be seen, period, regardless of what other settings might be
> set. however, it seems that if dnssec-validation auto; is set [i
> didn't try dnssec-validation yes;], bind does perform dnssec
> related operations even though dnssec-enable no; is set [from
> looking briefly at logs with rndc trace 1, i see what appear to be
> attempts at validation - retrieving ds records, dnskey records,
> etc].

I tested this with a query of dnssec-failed.org/IN/SOA, and indeed,
validation is done and (of course) fails. named-checkconf -p shows:

        dnssec-enable no;
        dnssec-lookaside auto;
        dnssec-validation auto;

> am i misinterpreting the documentation?

Reading on through:

"
dnssec-validation
    Enable DNSSEC validation in named. Note dnssec-enable also needs
    to be set to yes to be effective. ...
"

This does not seem to be the case. I think bug, whether it's the
documentation or the behavior.

> misinterpreting the apparent behavior? something else?

-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
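
An added example, not part of the original thread and not ISC code: a small audit of `named-checkconf -p` style output that reports, for the options block and each view, the dnssec-enable / dnssec-validation combination discussed above. The sample configuration and the names `blocks` and `audit` are constructed for illustration; treating `dnssec-validation yes` the same as `auto` is an assumption, since the thread only observed `auto`.

```python
import re

# Constructed sample shaped like `named-checkconf -p` output (not from the thread).
SAMPLE = '''options {
    dnssec-enable no;
    dnssec-lookaside auto;
    dnssec-validation auto;
};
view "internal" {
    match-clients { 10.0.0.0/8; };
    dnssec-enable yes;
    dnssec-validation no;
};
view "guest" {
    dnssec-validation yes;
};
'''

BLOCK_HEAD = re.compile(r'^(options|view\s+"[^"]+")\s*\{', re.M)
DNSSEC_OPT = re.compile(r'^\s*(dnssec-(?:enable|validation))\s+([^;\s]+)\s*;', re.M)

def blocks(conf):
    """Map each top-level options/view block name to its body, matching braces."""
    found = {}
    for m in BLOCK_HEAD.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        found[m.group(1)] = conf[m.end():i - 1]
    return found

def audit(conf):
    """Return {block: finding}; a view inherits any option it does not set itself."""
    found = blocks(conf)
    base = dict(DNSSEC_OPT.findall(found.pop("options", "")))
    report = {}
    for name, body in [("options", "")] + list(found.items()):
        s = {**base, **dict(DNSSEC_OPT.findall(body))}
        validating = s.get("dnssec-validation") in ("yes", "auto")
        if validating and s.get("dnssec-enable") == "no":
            report[name] = "mismatch: validation set while dnssec-enable is no"
        else:
            report[name] = "validation set" if validating else "validation not set"
    return report

if __name__ == "__main__":
    for block, finding in audit(SAMPLE).items():
        print(f"{block}: {finding}")
```

A block reported as a mismatch is one where the documentation quoted above and the behavior observed in this thread disagree, so it is worth confirming with a test query such as the dnssec-failed.org lookup mentioned in the reply.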