Intended usage of dnssec-must-be-secure?

Thomas Sturm lists+bind-users at nerdli.ch
Wed Feb 3 07:37:27 UTC 2016


Dear all,

According to the documentation of the option 'dnssec-must-be-secure', 
which reads like

     "Specify hierarchies which must be or may not be secure (signed
     and validated). If yes, then named will only accept answers if
     they are secure. If no, then normal DNSSEC validation applies
     allowing for insecure answers to be accepted. The specified domain
     must be under a trusted-keys or managed-keys statement, or dnssec-
     lookaside must be active."

I understand that I should be able to resolve dnssec-failed.org 
successfully with a config like:

     managed-keys {
         . initial-key 257 3 8 [current root key];
     };

     options {
         dnssec-enable yes;
         dnssec-validation yes;
         dnssec-must-be-secure dnssec-failed.org no;
     };

I have a managed-keys statement and dnssec-validation is set to "yes", 
and not "auto" (which might be a problem as I read elsewhere). However, 
this doesn't work.

     02-Feb-2016 17:29:47.036 broken trust chain resolving 'dnssec-failed.org/A/IN': 69.252.250.103#53

Am I doing something wrong, or is this not the actual intended usage of 
this option?

Of course, my use case is not resolving broken DNSSEC zones, but 
resolving forwarded local zones (non-existing TLD); however, the above 
example should make the question more obvious.

Thanks for any input.

Cheers,
Thomas
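The following is an added example, not part of the original message and not BIND's own code. It models only what the quoted documentation says about `dnssec-must-be-secure`: a "yes" rule makes named accept nothing but secure answers for that hierarchy, while a "no" rule leaves normal validation in force, so insecure answers are accepted but a broken trust chain is still rejected. The script parses the statement out of an options block, applies the most-specific hierarchy match, and decides per validation outcome; the config text and answer outcomes are constructed inputs, and the helper names are assumptions of this example.

```python
"""Model of the documented dnssec-must-be-secure semantics (added example).

This is not BIND code. It encodes the quoted documentation: 'yes' means only
secure answers are accepted for that hierarchy; 'no' means normal DNSSEC
validation applies (insecure accepted, bogus still rejected).
"""
import re
from typing import Dict, Optional, Tuple

# Validation outcomes a validating resolver can reach for an answer.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Matches 'dnssec-must-be-secure <domain> yes|no;' inside an options block.
STMT_RE = re.compile(r"dnssec-must-be-secure\s+([\w.\-]+)\s+(yes|no)\s*;", re.I)


def normalize(name: str) -> str:
    """Lower-case and make the name fully qualified (trailing dot)."""
    return name.lower().rstrip(".") + "."


def parse_must_be_secure(conf: str) -> Dict[str, bool]:
    """Return {domain: must_be_secure} for every statement found in conf."""
    rules: Dict[str, bool] = {}
    for m in STMT_RE.finditer(conf):
        rules[normalize(m.group(1))] = m.group(2).lower() == "yes"
    return rules


def matching_rule(rules: Dict[str, bool], qname: str) -> Optional[Tuple[str, bool]]:
    """Hierarchy match: walk from qname up towards the root, most specific first."""
    labels = normalize(qname).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in rules:
            return candidate, rules[candidate]
    return None


def accept_answer(rules: Dict[str, bool], qname: str, outcome: str) -> Tuple[bool, str]:
    """Decide whether named would hand the answer to the client, per the docs."""
    if outcome == BOGUS:
        # A broken trust chain is rejected regardless of the option: 'no' only
        # restores normal validation, it does not switch validation off.
        return False, "bogus answer rejected (SERVFAIL, broken trust chain)"
    rule = matching_rule(rules, qname)
    if rule is not None and rule[1] and outcome == INSECURE:
        return False, f"insecure answer rejected: {rule[0]} must be secure"
    return True, f"{outcome} answer accepted"


if __name__ == "__main__":
    # Constructed options block mirroring the one in the message, plus a 'yes' rule.
    CONF = """
    options {
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-must-be-secure dnssec-failed.org no;
        dnssec-must-be-secure example.com yes;
    };
    """
    rules = parse_must_be_secure(CONF)
    for qname, outcome in [("dnssec-failed.org", BOGUS),
                           ("www.example.com", INSECURE),
                           ("www.example.com", SECURE),
                           ("other.net", INSECURE)]:
        ok, why = accept_answer(rules, qname, outcome)
        print(f"{qname:20} {outcome:9} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Running it shows why the log line in the message appears even with the "no" rule: the answer for dnssec-failed.org is bogus, and the option never turns a bogus answer into an acceptable one; it only decides whether insecure (unsigned) answers under a hierarchy are tolerated.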

