behavior of dnssec-enable in relation to dnssec-validation

/dev/rob0 rob0 at
Fri Mar 27 18:50:52 UTC 2015

On Tue, Mar 24, 2015 at 10:50:42PM -0400, btb at wrote:
> in the arm, it says "dnssec-enable: Enable DNSSEC support in named. 
> Unless set to yes, named behaves as if it does not support 
> DNSSEC.".  "behaves as if it does not support DNSSEC" seemed quite 
> unequivocal to me, so i interpreted this to mean that if 
> dnssec-enable no; is set, no dnssec operations/behavior of any kind 
> would be seen, period, regardless of what other settings might be 
> set.  however, it seems that if dnssec-validation auto; is set [i 
> didn't try dnssec-validation yes;], bind does perform dnssec 
> related operations even though dnssec-enable no; is set [from 
> looking briefly at logs with rndc trace 1, i see what appear to be 
> attempts at validation - retrieving ds records, dnskey records, 
> etc].

I tested this with a query of, and indeed, 
validation is done and (of course) fails.  named-checkconf -p shows:

        dnssec-enable no;
        dnssec-lookaside auto;
        dnssec-validation auto;

> am i misinterpreting the documentation?

Reading on through:


    Enable DNSSEC validation in named. Note dnssec-enable also
    needs to be set to yes to be effective. ...

This does not seem to be the case.  I think bug, whether it's the 
documentation or the behavior.

> misinterpreting the apparent behavior?  something else?

  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

More information about the bind-users mailing list