DNSSEC support in libbind

Paul Vixie Paul_Vixie at isc.org
Mon Mar 5 14:46:26 UTC 2007

Simon Vallet <svallet at genoscope.cns.fr> writes:

> > > So it seems the resolver does not recognize the RRSIG RR for some
> > > reason...
> > > 
> > > Any hint ?
> > 
> > libbind is just a copy of BIND8-based old resolver implementation, so
> > it's not surprising that it does not recognize newly defined RR
> > type(s).  It may not be very hard to add a simple parser for such RRs
> > to libbind, but if what you are expecting is to validate the result
> > based on the DNSSEC protocol, libbind is clearly not the right tool.
> Yes --  I initially thought it was a validating stub-resolver
> implementation, but it appears it is not.

see above where it says "BIND8" and "old".

> Actually, I would have expected BIND to set the AD bit on authoritative
> replies -- this would have solved the problem simply (although
> admittedly not very elegantly).

you have to enable dnssec in your server to get that behaviour.

> We'll probably give a try at other resolver implementations.

be sure to try the BIND9 resolver.
Paul Vixie

More information about the bind-users mailing list