Intended usage of dnssec-must-be-secure?

Thomas Sturm lists+bind-users at
Wed Feb 3 07:37:27 UTC 2016

Dear all,

According to the documentation of the option 'dnssec-must-be-secure', 
which reads like

     "Specify hierarchies which must be or may not be secure (signed
      and validated). If yes, then named will only accept answers if
      they are secure. If no, then normal DNSSEC validation applies
      allowing for insecure answers to be accepted. The specified domain
      must be under a trusted-keys or managed-keys statement, or
      dnssec-lookaside must be active."

I understand that I should be able to resolve 
successfully with a config like:

     managed-keys {
         // root zone trust anchor (key material elided)
         . initial-key 257 3 8 [current root key];
     };

     options {
         dnssec-enable yes;
         dnssec-validation yes;
         // syntax: dnssec-must-be-secure <domain> <yes|no>;
         // the domain name is not shown here
         dnssec-must-be-secure [domain] no;
     };

I have a managed-keys statement and dnssec-validation is set to "yes", 
and not "auto" (which might be a problem as I read elsewhere). However, 
this doesn't work.

     02-Feb-2016 17:29:47.036 broken trust chain resolving 

Am I doing something wrong, or is this not the actual intended usage of 
this option?

Of course, my use case is not resolving broken DNSSEC zones, but 
resolving forwarded local zones (non-existing TLD); however, the above 
example should make the question more obvious.

Thanks for any input.
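The configuration below is an added illustration of the option as the quoted documentation describes it; it is not part of the original post and not taken from the BIND sources. Per that text, `yes` makes named reject any answer under the named hierarchy that does not validate, while `no` only restores the default behaviour (normal validation, insecure answers accepted), so a zone whose chain of trust is actually broken still fails with `no`. The zone name `corp.example`, the forwarder address `192.0.2.53` and the view layout are constructed for the example.

```conf
// Trust anchor for the root; any domain named in dnssec-must-be-secure
// must sit under a trusted-keys or managed-keys statement such as this one.
managed-keys {
    . initial-key 257 3 8 [current root key];   // key material elided
};

options {
    dnssec-enable yes;
    dnssec-validation yes;

    // "yes": answers under corp.example are accepted only if they are
    // signed and validate. Use this to refuse unsigned/insecure data
    // for a hierarchy that is expected to be signed.
    dnssec-must-be-secure corp.example yes;

    // "no" is the documented default: normal validation applies and
    // insecure (unsigned) answers are accepted. It does not make a
    // broken chain of trust acceptable, so it is not an opt-out from
    // validation failures.
    // dnssec-must-be-secure corp.example no;
};

// Forwarded local zone (constructed): answers come from the listed
// forwarder and are still subject to the validation rules above.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

Note that in this form the option is a tightening control, useful for detecting a hierarchy that silently drops its signatures; it is not the mechanism for exempting an unsigned internal zone from validation.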

