Forcing DNSSEC queries

russell aspinwall raspinwall at
Thu Nov 15 22:30:20 UTC 2012


I have been using Bind for a while and last night upgraded to Bind 9.9.2 on 
my OpenIndiana 151a7. I would like to be able to control my DNS queries 
on Unix/Linux hosts, so that by default the client queries would only 
be DNSSEC authenticated/validated. However, as DNSSEC is not completely 
deployed, I would need to have some control over the DNSSEC query 
operation. From my research, the libresolv library used is taken from a 
library created by ISC.

Could libresolv be modified so that it would permit the following 
directives in /etc/resolv.conf?

dnssec enable   -  perform only DNSSEC queries (default mode of operation if no directive supplied)

dnssec disable  -  disable DNSSEC queries

dnssec warn     -  warn about DNSSEC queries which are not

dnssec ignore   -  ignore DNSSEC queries which are not

dnssec trust <zone> | <zone1> .... <zoneN>  -  trust non DNSSEC signed (non public) internal zones only

Russell Aspinwall           russell.aspinwall at

"Great minds discuss ideas;
Average minds discuss events;
Small minds discuss people
     Former First Lady Eleanor Roosevelt (1884-1962)"
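
Added example, not part of the original post and not ISC or libresolv code: a sketch of how a resolver library could parse the proposed `dnssec` directives and match a query name against the `dnssec trust` zones on label boundaries, so that a trusted `corp.example` does not also cover `evilcorp.example`. All type and function names are hypothetical, and `warn` and `ignore` are only recorded as a mode because the post does not finish describing them.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names; the directives are only proposed in the post. */
enum dnssec_mode { DNSSEC_ENABLE, DNSSEC_DISABLE, DNSSEC_WARN, DNSSEC_IGNORE };
#define MAX_ZONES 16
struct dnssec_conf {
    enum dnssec_mode mode;       /* DNSSEC_ENABLE when no directive is given */
    char zones[MAX_ZONES][256];  /* arguments of "dnssec trust" */
    int nzones;
};

/* Parse resolv.conf-style text; returns 0, or -1 on a malformed dnssec line. */
int dnssec_parse(const char *text, struct dnssec_conf *c) {
    static const char *kw[] = { "enable", "disable", "warn", "ignore" };
    c->mode = DNSSEC_ENABLE;
    c->nzones = 0;
    while (*text) {
        char line[512], key[256], word[256], *p;
        size_t len = strcspn(text, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, text);
        text += len + (text[len] == '\n');
        int n = 0, i, got = sscanf(line, "%255s %255s%n", key, word, &n);
        if (got < 1 || strcmp(key, "dnssec") != 0) continue;  /* other directive */
        if (got < 2) return -1;                               /* no argument */
        if (strcmp(word, "trust") == 0) {                     /* zone list */
            for (p = line + n; c->nzones < MAX_ZONES; c->nzones++, p += n)
                if (sscanf(p, "%255s%n", c->zones[c->nzones], &n) != 1) break;
            continue;
        }
        for (i = 0; i < 4 && strcmp(word, kw[i]) != 0; i++) ;
        if (i == 4) return -1;                                /* unknown keyword */
        c->mode = (enum dnssec_mode)i;
    }
    return 0;
}

static int eq_nocase(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}

/* 1 if qname is a trusted zone or lies below one on a label boundary. */
int dnssec_zone_trusted(const struct dnssec_conf *c, const char *qname) {
    size_t ql = strlen(qname), zl;
    for (int i = 0; i < c->nzones; i++)
        if ((zl = strlen(c->zones[i])) <= ql && eq_nocase(qname + ql - zl, c->zones[i]) &&
            (zl == ql || qname[ql - zl - 1] == '.')) return 1;
    return 0;
}
```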

