On Tue, Mar 24, 2015 at 10:50:42PM -0400, b...@bitrate.net wrote:
> in the arm, it says "dnssec-enable: Enable DNSSEC support in named.
> Unless set to yes, named behaves as if it does not support
> DNSSEC.". "behaves as if it does not support DNSSEC" seemed quite
> unequivocal to me, so i interpreted this to mean that if
> dnssec-enable no; is set, no dnssec operations/behavior of any kind
> would be seen, period, regardless of what other settings might be
> set. however, it seems that if dnssec-validation auto; is set [i
> didn't try dnssec-validation yes;], bind does perform dnssec
> related operations even though dnssec-enable no; is set [from
> looking briefly at logs with rndc trace 1, i see what appear to be
> attempts at validation - retrieving ds records, dnskey records,
> etc].
I tested this with a query of dnssec-failed.org/IN/SOA, and indeed,
validation is done and (of course) fails. named-checkconf -p shows:
dnssec-enable no;
dnssec-lookaside auto;
dnssec-validation auto;
> am i misinterpreting the documentation?
Reading on through:
dnssec-validation
Enable DNSSEC validation in named. Note dnssec-enable also
needs to be set to yes to be effective. ...
This does not seem to be the case. I think bug, whether it's the
documentation or the behavior.
> misinterpreting the apparent behavior? something else?
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
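
Added example, not part of the original thread and not ISC's code: a way to decide from the outside whether a resolver is actually validating, whatever named-checkconf -p reports, by comparing the reply for the zone tested above (dnssec-failed.org/IN/SOA) with and without the CD (checking disabled) bit. The function names and the sample dig headers are constructed for illustration.

```shell
#!/bin/sh
# Usage: sh check-validation.sh <resolver-ip> [zone-that-must-fail-validation]
# With no arguments it only classifies the constructed samples below.

# Constructed dig header lines (not captured from a real server).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712'

# Extract the RCODE from the "status:" field of dig's header comment.
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# $1 = dig output for the broken zone, ordinary query
# $2 = dig output for the same query sent with the CD bit set
classify() {
    rc_plain=$(rcode_of "$1")
    rc_cd=$(rcode_of "$2")
    if [ "$rc_plain" = SERVFAIL ] && [ "$rc_cd" = NOERROR ]; then
        # Fails only while checking is enabled: the validator rejected it.
        echo validating
    elif [ "$rc_plain" = NOERROR ]; then
        # A broken zone answered normally: nothing was validated.
        echo not-validating
    else
        # Timeout, REFUSED, or SERVFAIL even with CD set: this points to a
        # reachability or upstream problem, not to validation.
        echo inconclusive
    fi
}

# Live check against a resolver; needs dig and network access.
check_resolver() {
    server=$1
    zone=${2:-dnssec-failed.org}
    out_plain=$(dig "@$server" "$zone" SOA +noall +comments +time=3 +tries=1)
    out_cd=$(dig "@$server" "$zone" SOA +cdflag +noall +comments +time=3 +tries=1)
    classify "$out_plain" "$out_cd"
}

if [ "$#" -gt 0 ]; then
    check_resolver "$@"
else
    classify "$SAMPLE_SERVFAIL" "$SAMPLE_NOERROR"   # constructed input
fi
```

A result of "validating" from a server whose effective configuration shows dnssec-enable no; reproduces the mismatch between the ARM text and the behavior discussed above.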