OpenDNS today announced it has adopted DNSCurve to secure DNS

Alan Clegg aclegg at isc.org
Thu Feb 25 17:45:10 UTC 2010


Joe Baptista wrote:

>         dnssec-enable no;
>         dnssec-validation no;
> 
> OK - so if I do the above - will that prevent my recursive server from
> doing DNSSEC if it gets information from a DNSSEC signed zone?

What do you mean "doing DNSSEC"?

Your recursive server is not going to attempt DNSSEC validation if it is
either "dnssec-validation/dnssec-enable no" or has no trust anchors.

With no trust anchors, there is nothing for it to base the validation
on, thus no AD flag.

Your server won't set the DO bit on outbound requests, so it won't get
back RRSIGs for signed data (even if the authoritative server has them
available).

If asked for RRSIGs directly, it will provide them because, like any
other RR, they exist on the authoritative server.

AlanC
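
The DO bit and AD flag discussed in the message above, shown at the wire level. This is an added example, not part of the original post and not BIND code; the function names are hypothetical and the sample reply is constructed.

```python
import struct

DO_BIT = 0x8000   # "DNSSEC OK": top bit of the flags half of the OPT RR's TTL field
AD_BIT = 0x0020   # "Authenticated Data" flag in the DNS header
TYPE_OPT = 41     # EDNS0 pseudo-RR, carried in the additional section

def encode_name(name):
    # Length-prefixed labels terminated by the zero-length root label.
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype, want_dnssec, qid=0x1234):
    # Recursive query (RD=1). With want_dnssec, append an OPT RR with DO set,
    # which is what asks the responder to include RRSIGs with the answer.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if not want_dnssec:
        return header + question
    # OPT: root name, TYPE, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN
    return header + question + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)

def skip_name(msg, off):
    # Offset just past the name at off; a compression pointer ends the name.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def inspect(msg):
    # Report the header AD flag and whether any OPT RR carries the DO bit.
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, do = 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        do = do or (rtype == TYPE_OPT and bool(ttl & DO_BIT))
    return {"ad": bool(flags & AD_BIT), "do": do}

# Constructed reply (header + question only) with QR, RD, RA and AD set.
SAMPLE_AD_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 0, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1))
```

Running inspect() over captured outbound queries and client-facing replies shows whether a resolver is setting DO upstream and whether it is returning AD.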
