DNSSEC support in libbind

Simon Vallet svallet at genoscope.cns.fr
Mon Mar 5 14:06:01 UTC 2007


On Mon, 05 Mar 2007 10:50:41 +0900
JINMEI Tatuya / 神明達哉 <jinmei at isl.rdc.toshiba.co.jp> wrote:

> At Mon, 19 Feb 2007 11:59:17 +0100,
> Simon Vallet <svallet at genoscope.cns.fr> wrote:
> >  
> > So it seems the resolver does not recognize the RRSIG RR for some
> > reason...
> > 
> > Any hint?
> 
> libbind is just a copy of BIND8-based old resolver implementation, so
> it's not surprising that it does not recognize newly defined RR
> type(s).  It may not be very hard to add a simple parser for such RRs
> to libbind, but if what you are expecting is to validate the result
> based on the DNSSEC protocol, libbind is clearly not the right tool.

Yes -- I initially thought it was a validating stub-resolver
implementation, but it appears it is not.

Actually, I would have expected BIND to set the AD bit on authoritative
replies -- this would have solved the problem simply (although
admittedly not very elegantly).

We'll probably give other resolver implementations a try.

Simon
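
The two things this thread turns on, reading the AD bit from a reply header and decoding an RRSIG RR's RDATA (type 46, RFC 4034 section 3.1), shown as an added example that is not part of the original messages and is not libbind or BIND code. The names dns_ad_set, parse_rrsig and struct rrsig and the sample bytes are constructed for illustration; the parser only decodes fields and performs no DNSSEC validation.

```c
#include <stddef.h>
#include <stdint.h>

#define DNS_FLAG_AD 0x0020 /* Authenticated Data bit in the header flags word */

struct rrsig { /* hypothetical struct: RRSIG RDATA fields, RFC 4034 section 3.1 */
    uint16_t type_covered, key_tag;
    uint8_t algorithm, labels;
    uint32_t original_ttl, expiration, inception;
    size_t signer_len, sig_len; /* wire lengths of signer's name and signature */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* 1 if AD is set in the 12-byte DNS header, 0 if clear, -1 if truncated. */
int dns_ad_set(const uint8_t *msg, size_t len) {
    if (len < 12) return -1;
    return (rd16(msg + 2) & DNS_FLAG_AD) ? 1 : 0;
}

/* Decode RRSIG RDATA; 0 on success, -1 if malformed. */
int parse_rrsig(const uint8_t *rd, size_t len, struct rrsig *out) {
    size_t off = 18; /* size of the fixed part before the signer's name */
    if (len < off) return -1;
    out->type_covered = rd16(rd);
    out->algorithm = rd[2]; out->labels = rd[3];
    out->original_ttl = rd32(rd + 4);
    out->expiration = rd32(rd + 8);
    out->inception = rd32(rd + 12);
    out->key_tag = rd16(rd + 16);
    for (;;) { /* signer's name: uncompressed labels ending in the root label */
        if (off >= len || (rd[off] & 0xC0)) return -1; /* truncated or pointer */
        uint8_t l = rd[off];
        off += 1 + (size_t)l;
        if (l == 0) break;
    }
    out->signer_len = off - 18;
    out->sig_len = len - off;
    /* an over-long name or an empty signature is treated as malformed here */
    return (out->signer_len > 255 || out->sig_len == 0) ? -1 : 0;
}

/* Constructed sample: RRSIG over A, alg 5, signer "example.com.", 4 dummy bytes. */
static const uint8_t sample_rrsig[] = {0, 1, 5, 2, 0, 0, 0x0E, 0x10, 0x45, 0xF0, 0, 0,
    0x45, 0xE0, 0, 0, 0x30, 0x39, 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0xDE, 0xAD, 0xBE, 0xEF};
int main(void) { /* exit status 0 means the constructed sample decoded */
    struct rrsig r;
    return parse_rrsig(sample_rrsig, sizeof sample_rrsig, &r) ? 1 : 0;
}
```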
