Forcing DNSSEC queries

Carsten Strotmann cas at
Fri Nov 16 09:01:51 UTC 2012

Hello Russell,

russell aspinwall <raspinwall at> writes:
> Could libresolv be modified so that  it would permit the following
> directives in /etc/resolv.conf.
> dnssec enable               -  perform only DNSSEC queries (default
> mode of operation if no directive supplied)
> dnssec disable              -   disable DNSSEC queries
> dnssec warn                  -   warn about DNSSEC queries which are
> not authenticated
> dnssec ignore               -    ignore DNSSEC queries which are not
> authenticated
> dnssec trust <zone> | <zone1> .... <zoneN>    - trust non DNSSEC
> signed  (non public) internal zones only

The OS stub resolver (libc) does not perform DNSSEC validation. Without
DNSSEC validation, it does not make much sense to send DNSSEC (DO flag)
queries. You could install BIND as a DNSSEC validating resolver on your
clients, then you have DNSSEC validation on the client.

If you enable DNSSEC validation on the local smart resolver (the BIND
caching DNS in your network), this DNSSEC validation enabled smart
resolver will query for DNSSEC information and will validate the DNSSEC
information if there is a "chain of trust" towards a trust
anchor. Should the DNSSEC validation fail, all clients will be
protected, because the caching smart resolver will return only
"SERVFAIL" to the clients, but not the (possibly spoofed) DNS data.

I have seen special patched Linux resolver code that implements DNSSEC
validation in the OS smart resolver, but I'm not sure if someone has
ported that to OpenIndiana/Solaris.

See also <>
for a similar discussion.

This project might implement what you are looking for (I haven't tested
it) <>

The only OS to my knowledge that can be configured to ignore non
authenticated replies (AD flag missing) from a local smart resolver is
Windows 7/8. That requires an IPSec tunnel to be built between the
client and the smart resolver (done automatically in AD environments
with this configuration) to create a trusted path between the client and
the smart resolver. Also the clients are provisioned (via GPO) with a
list of DNSSEC signed domains that must always validate.

-- Carsten
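
Added example, not part of the original message and not libresolv or BIND code: a sketch of what a stub can see on the wire, namely the DO bit it sets in the EDNS0 OPT record of a query and the AD flag or SERVFAIL rcode it gets back from a validating resolver. The function names, return labels and sample headers are constructed for illustration.

```python
import struct

DO_BIT = 0x8000  # EDNS0 "DNSSEC OK" flag, carried in the OPT record's TTL field
AD_BIT = 0x0020  # header "Authenticated Data" flag set by a validating resolver

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, do=True, txid=0x1234):
    """Build a DNS query with an EDNS0 OPT record; do=True asks for DNSSEC records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL = flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_BIT if do else 0, 0)
    return header + question + opt

def classify_response(wire):
    """Classify a response header the way a DNSSEC-aware stub would have to."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", wire[:4])
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    if flags & 0x000F == 2:
        return "servfail"         # validation failure (or another server-side failure)
    if flags & AD_BIT:
        return "authenticated"    # resolver validated a chain of trust to a trust anchor
    return "unauthenticated"      # unsigned zone, or the resolver is not validating

# Constructed 12-byte sample headers, not captured traffic.
# AD is only meaningful over a trusted path to the resolver (the IPSec point above).
SAMPLE_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)        # QR RD RA AD
SAMPLE_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)     # QR RD RA
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)  # rcode 2

if __name__ == "__main__":
    print(build_query("example.com").hex())
    for sample in (SAMPLE_AD, SAMPLE_PLAIN, SAMPLE_SERVFAIL):
        print(classify_response(sample))
```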
