
Strange. My bind is not validating dnssec even though I configured it to. Version according to named -V is BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 which has a built-in DLV key.

Under options in named.conf

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

But when I query a known bad zone, like doing dig www.dnssec-failed.org @localhost, I get IP addresses, not a failure like I was expecting. Any thoughts?

Crash Override

3 Answers


Don't ask why, but I had the same issue, and setting the dnssec-validation option to auto instead of yes fixed it.

Rik

According to the reference manual,

"dnssec-validation"

[...]

If set to "auto", DNSSEC validation is enabled, and a default trust-anchor for the DNS root zone is used.

If set to "yes", DNSSEC validation is enabled, but a trust anchor must be manually configured using a "trusted-keys" or "managed-keys" statement.

Therefore, you must either set it to auto mode, or explicitly include "/etc/bind.keys".

user1686

If set to "auto", DNSSEC validation is enabled, and a default trust-anchor for the DNS root zone is used.

The default trust anchor used is from bind.keys; a default is preloaded out of the box.
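The answers above explain why the resolver returned addresses instead of SERVFAIL: with `dnssec-validation yes;` and no trust anchor loaded, BIND never validates at all, and a non-validating resolver looks exactly like a working one unless you inspect the response. The script below is an added example, not something posted in this thread, that checks a resolver the way the question's `dig` test should have. It classifies the output of `dig +dnssec` by the response status and the AD (authenticated data) flag: a broken zone such as www.dnssec-failed.org must come back SERVFAIL, and a correctly signed name (the root zone's SOA is assumed here, since the root is what the `auto` trust anchor covers) must come back NOERROR with `ad` set. The three sample responses are constructed to mirror real `dig` header lines; `check_resolver` does live queries and is only called if you pass a resolver address.

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether a resolver
# actually performs DNSSEC validation from the output of `dig +dnssec`.
#
# Verdicts printed by dnssec_verdict (reads dig output on stdin):
#   validated-secure  NOERROR and the AD flag is set (answer was validated)
#   validated-bogus   SERVFAIL (validation failed; expected for a bad zone)
#   not-validating    NOERROR without AD (resolver is not validating at all,
#                     e.g. "dnssec-validation yes;" with no trust anchor loaded)
#   unknown           anything else (NXDOMAIN, REFUSED, timeout, ...)
dnssec_verdict() {
    out=$(cat)
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo validated-bogus ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated-secure ;;
                *)        echo not-validating ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Constructed sample responses (header lines only, shaped like real dig output).
sample_secure() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41321' \
                  ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_bogus() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52917' \
                  ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_unvalidated() {
    # What the question's resolver produced: addresses for a bad zone, no AD.
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63108' \
                  ';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
}

# Live check against a resolver (needs network and dig). Prints OK or FAIL.
# Assumes www.dnssec-failed.org is still deliberately broken and that the
# root zone SOA is a correctly signed answer the resolver can validate.
check_resolver() {
    resolver=${1:-localhost}
    bad=$(dig +dnssec www.dnssec-failed.org A @"$resolver" | dnssec_verdict)
    good=$(dig +dnssec . SOA @"$resolver" | dnssec_verdict)
    if [ "$bad" = validated-bogus ] && [ "$good" = validated-secure ]; then
        echo "OK: $resolver validates (bad zone -> $bad, root SOA -> $good)"
        return 0
    fi
    echo "FAIL: $resolver is not validating (bad zone -> $bad, root SOA -> $good)"
    return 1
}

# Stand-alone demo on the constructed samples.
echo "secure sample:      $(sample_secure      | dnssec_verdict)"
echo "bogus sample:       $(sample_bogus       | dnssec_verdict)"
echo "unvalidated sample: $(sample_unvalidated | dnssec_verdict)"
[ -n "${1:-}" ] && check_resolver "$1"
```

Run `sh check-dnssec.sh localhost` against the resolver from the question: with `dnssec-validation yes;` and no `include "/etc/bind.keys";` both queries come back `not-validating`, which is the symptom reported above; after switching to `dnssec-validation auto;` (or including bind.keys) the bad zone flips to SERVFAIL and the root SOA gains the `ad` flag. Checking both a known-bad and a known-good name matters: SERVFAIL alone can also be an upstream outage, and NOERROR alone can come from a resolver that never validates.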