OpenDNS today announced it has adopted DNSCurve to secure DNS

Evan Hunt each at isc.org
Thu Feb 25 05:36:15 UTC 2010


> It's going to be interesting to watch. I guess that depends on if DNSSEC is
> turned on by default in BIND. Incidentally - is it?

That depends on what you mean by "turned on".  The DNSSEC protocol is
enabled, and the DO bit is set in queries, so authoritative servers with
signed data will send it.

But the DO bit is merely a flag that says "if you send me DNSSEC signatures
I won't catch fire"; it doesn't actually switch on DNSSEC in any meaningful
way.  DNSSEC validation only becomes active when you've configured a trust
anchor, and that is *not* done by default.

(There is a built-in trust anchor for dlv.isc.org included with BIND 9.7,
but you have to turn on a config option for it to be used, and that will
not change.  We would like people to trust us, and we wanted to make it
as easy as possible to do so, but we don't think we'd be worthy of trust
if we made it the default.)

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
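The distinction drawn in the message above (the DO bit is just an EDNS0 request flag, while validation is a separate resolver function) can be seen directly on the wire. The following is an added example, not code from the post or from BIND: it builds a query carrying an EDNS0 OPT record with the DO bit set, and inspects messages for two independent signals, the DO bit in the OPT record (RFC 6891) and the AD "authentic data" bit in the header (RFC 4035), which a resolver sets only after it has actually validated the answer against a configured trust anchor. The response builder and all message contents are constructed for illustration; only the Python standard library is used.

```python
import struct

# Wire-format constants (RFC 1035, RFC 4035, RFC 6891).
TYPE_OPT = 41          # EDNS0 OPT pseudo-RR type
EDNS_DO_BIT = 0x8000   # "DNSSEC OK" bit: high bit of the OPT extended flags
QR_FLAG = 0x8000       # header: message is a response
RD_FLAG = 0x0100       # header: recursion desired
RA_FLAG = 0x0080       # header: recursion available
AD_FLAG = 0x0020       # header: authentic data (set only by a validating resolver)


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def build_query(qname, qtype, txid, do_bit=True, udp_size=4096):
    """Build a query with one question and an EDNS0 OPT record.

    Setting DO only tells the server "you may include RRSIG/NSEC records";
    it says nothing about whether the asking resolver validates them.
    """
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    ext_flags = EDNS_DO_BIT if do_bit else 0
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ext_flags, 0)
    return header + question + opt


def build_minimal_response(query, validated):
    """Constructed resolver response: echoes the question and OPT record.

    A validating resolver sets AD only after checking signatures up to a
    configured trust anchor; a resolver with no trust anchor never sets it,
    no matter what DO says.
    """
    txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    qend = 12
    for _ in range(qd):
        qend = skip_name(query, qend) + 4          # name + QTYPE + QCLASS
    question = query[12:qend]
    rflags = QR_FLAG | RD_FLAG | RA_FLAG | (AD_FLAG if validated else 0)
    header = struct.pack("!HHHHHH", txid, rflags, qd, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO_BIT, 0)
    return header + question + opt


def inspect(msg):
    """Report the DO bit (from the OPT RR) and AD bit (from the header)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    do_set = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and ttl & EDNS_DO_BIT:
            do_set = True
    return {"id": txid, "do": do_set, "ad": bool(flags & AD_FLAG)}


if __name__ == "__main__":
    q = build_query("example.com", 1, 0x1234)          # A query, DO set
    print("query:", inspect(q))                          # do=True, ad=False
    print("unvalidated:", inspect(build_minimal_response(q, validated=False)))
    print("validated:  ", inspect(build_minimal_response(q, validated=True)))
```

The practical check this illustrates: a query that shows `do=True` proves only that the client advertised EDNS0 with DO; whether the resolver is actually doing DNSSEC is visible only in the responses it hands back, as the AD bit, and that bit never appears until a trust anchor has been configured.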