All client resolvers support DNSSEC compatible queries ???

Tony Finch dot at
Thu Apr 24 11:19:00 UTC 2014

Carsten Strotmann <cas at> wrote:
> You can enable DNSSEC validation support on a BIND 9 caching server that
> is used as a resolver by your clients. BIND 9 9.9.x already comes with
> DNSSEC validation enabled, for older versions you need to enable it
> manually in the configuration.

DNSSEC validation needs to be explicitly enabled in every version of BIND.
Since version 9.8 BIND ships with a built-in root trust anchor, so to
enable validation you can just add "dnssec-validation auto;" (and
"dnssec-lookaside auto;" if you like).

The dnssec-enable option defaults to yes (since version 9.5), but this
just makes BIND DNSSEC-aware (so it supports the special semantics of
DNSSEC RR types) but does not make it validate.

The rest of what you said is correct.

f.anthony.n.finch  <dot at>
Fair Isle, Faeroes, South-east Iceland: Mainly southeasterly 5 or 6,
decreasing 4 at times. Moderate or rough. Occasional rain, fog patches.
Moderate or good, occasionally very poor.

More information about the bind-users mailing list