Forcing DNSSEC queries

russell aspinwall raspinwall at willows7.myzen.co.uk
Thu Nov 15 22:30:20 UTC 2012


Hi,

I have been using Bind for a while and last night upgraded to Bind 9.9.2 on 
my OpenIndiana 151a7. I would like to be able to control my DNS queries 
on Unix/Linux hosts, so that by default the client queries would only 
be DNSSEC authenticated/validated. However, as DNSSEC is not completely 
deployed, I would need to have some control over the DNSSEC query 
operation. From my research the libresolv library used is taken from a 
library created by ISC.

Could libresolv be modified so that it would permit the following 
directives in /etc/resolv.conf?

dnssec enable - perform only DNSSEC queries (default mode of operation if no directive supplied)

dnssec disable - disable DNSSEC queries

dnssec warn - warn about DNSSEC queries which are not authenticated

dnssec ignore - ignore DNSSEC queries which are not authenticated

dnssec trust <zone> | <zone1> .... <zoneN> - trust non DNSSEC signed (non public) internal zones only



-- 
Russell Aspinwall           russell.aspinwall at bcs.org.uk

"Great minds discuss ideas;
Average minds discuss events;
Small minds discuss people
     Former First Lady Eleanor Roosevelt (1884-1962)"




More information about the bind-users mailing list