behavior of dnssec-enable in relation to dnssec-validation

Wed Mar 25 02:50:42 UTC 2015


in the arm, it says "dnssec-enable: Enable DNSSEC support in named. Unless set to yes, named behaves as if it does not support DNSSEC.".  "behaves as if it does not support DNSSEC" seemed quite unequivocal to me, so i interpreted this to mean that if dnssec-enable no; is set, no dnssec operations/behavior of any kind would be seen, period, regardless of what other settings might be set.  however, it seems that if dnssec-validation auto; is set [i didn't try dnssec-validation yes;], bind does perform dnssec-related operations even though dnssec-enable no; is set [from looking briefly at logs with rndc trace 1, i see what appear to be attempts at validation - retrieving ds records, dnskey records, etc].

am i misinterpreting the documentation?  misinterpreting the apparent behavior?  something else?


