DNSSEC support in libbind
Simon Vallet
svallet at genoscope.cns.fr
Mon Mar 5 14:06:01 UTC 2007
On Mon, 05 Mar 2007 10:50:41 +0900
JINMEI Tatuya / 神明達哉 <jinmei at isl.rdc.toshiba.co.jp> wrote:
> At Mon, 19 Feb 2007 11:59:17 +0100,
> Simon Vallet <svallet at genoscope.cns.fr> wrote:
> >
> > So it seems the resolver does not recognize the RRSIG RR for some
> > reason...
> >
> > Any hint?
>
> libbind is just a copy of BIND8-based old resolver implementation, so
> it's not surprising that it does not recognize newly defined RR
> type(s). It may not be very hard to add a simple parser for such RRs
> to libbind, but if what you are expecting is to validate the result
> based on the DNSSEC protocol, libbind is clearly not the right tool.

Yes -- I initially thought it was a validating stub-resolver
implementation, but it appears it is not.

Actually, I would have expected BIND to set the AD bit on authoritative
replies -- this would have solved the problem simply (although
admittedly not very elegantly).

We'll probably give other resolver implementations a try.

Simon
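
The "simple parser" for RRSIG mentioned in the quoted reply could look like the following added example, which is not code from this thread or from libbind. It decodes the RDATA layout of RFC 4034 section 3.1 and performs no DNSSEC validation; `struct rrsig`, `parse_rrsig` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RRSIG_FIXED_LEN 18   /* octets before the signer's name (RFC 4034, 3.1) */

struct rrsig {
    uint16_t type_covered, key_tag;
    uint8_t  algorithm, labels;
    uint32_t orig_ttl, expiration, inception;
    char     signer[256];    /* presentation form, dot-terminated */
    const uint8_t *sig;      /* points into the caller's buffer */
    size_t   sig_len;
};

/* Constructed sample RDATA: covers A (1), alg 5, 2 labels, TTL 3600,
 * key tag 12345, signer example.com., dummy 4-octet signature. */
static const uint8_t sample_rdata[] = {
    0x00,0x01, 0x05, 0x02, 0x00,0x00,0x0e,0x10, 0x45,0xf0,0x00,0x00,
    0x45,0xe0,0x00,0x00, 0x30,0x39, 7,'e','x','a','m','p','l','e',
    3,'c','o','m',0, 0xde,0xad,0xbe,0xef };

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }

/* Parse RRSIG RDATA of len octets; returns 0 on success, -1 if malformed. */
int parse_rrsig(const uint8_t *rd, size_t len, struct rrsig *out)
{
    size_t off = RRSIG_FIXED_LEN, n = 0;
    uint8_t l;
    if (len < RRSIG_FIXED_LEN + 1) return -1;
    out->type_covered = get16(rd);      out->algorithm = rd[2];
    out->labels       = rd[3];          out->orig_ttl  = get32(rd + 4);
    out->expiration   = get32(rd + 8);  out->inception = get32(rd + 12);
    out->key_tag      = get16(rd + 16);
    for (;;) {   /* signer's name: plain labels only, no compression pointers */
        if (off >= len) return -1;
        l = rd[off++];
        if (l == 0) break;
        if (l > 63 || l > len - off || n + l + 2 > sizeof out->signer) return -1;
        memcpy(out->signer + n, rd + off, l);
        n += l; off += l;
        out->signer[n++] = '.';
    }
    if (n == 0) out->signer[n++] = '.';  /* root signer */
    out->signer[n] = '\0';
    out->sig = rd + off;
    out->sig_len = len - off;
    return out->sig_len ? 0 : -1;        /* a signature must be present */
}
```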