Intended usage of dnssec-must-be-secure?
Mark Andrews
marka at isc.org
Wed Feb 3 08:36:50 UTC 2016
In message <34d77fc23ee95386a0417bb83191447e at nerdli.ch>, Thomas Sturm writes:
> Dear all,
>
> According to the documentation of the option 'dnssec-must-be-secure',
> which reads like
>
> "Specify hierarchies which must be or may not be secure (signed
> and validated). If yes, then named will only accept answers if
> they are secure. If no, then normal DNSSEC validation applies
> allowing for insecure answers to be accepted. The specified domain
> must be under a trusted-keys or managed-keys statement, or dnssec-
> lookaside must be active."
>
> I understand that I should be able to resolve dnssec-failed.org
> successfully with a config like:
>
> managed-keys {
>     . initial-key 257 3 8 [current root key];
> };
>
> options {
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-must-be-secure dnssec-failed.org no;
> };
No. Insecure != invalid. Insecure zones don't have a DNSSEC chain
of trust to a configured trust anchor.
> I have a managed-keys statement and dnssec-validation is set to "yes",
> and not "auto" (which might be a problem as I read elsewhere). However,
> this doesn't work.
>
> 02-Feb-2016 17:29:47.036 broken trust chain resolving
> 'dnssec-failed.org/A/IN': 69.252.250.103#53
>
> Am I doing something wrong, or is this not the actual intended usage of
> this option?
The intended use is to catch policy errors where a zone is made
insecure but should not have been.
> Of course, my use case is not resolving broken DNSSEC zones, but
> resolving forwarded local zones (non-existing TLD); however, the above
> example should make the question more obvious.
>
> Thanks for any input.
>
> Cheers,
> Thomas
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
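Added example, not part of the thread and not ISC's own text: a named.conf fragment showing the policy use Mark describes (refusing insecure answers for a hierarchy the operator knows is signed), next to the line from the question that changes nothing. The zone name corp.example, the forwarded TLD "lan" and the forwarder address 192.0.2.53 are hypothetical; the root trust anchor comes from BIND's built-in bind.keys via "dnssec-validation auto" (BIND 9.8 and later), so no key material is embedded.

```conf
// Added example, not from the original thread. Zone names and the
// forwarder address are hypothetical.

options {
    // Built-in root trust anchor (managed key), BIND 9.8+.
    dnssec-validation auto;

    // Intended use: corp.example is a hierarchy this operator runs and
    // knows is signed, so every answer from it must chain to the root
    // trust anchor. If someone drops the DS record at the parent by
    // mistake, answers would otherwise validate as INSECURE and be
    // accepted silently; with this line named returns SERVFAIL instead,
    // which is the "policy error" the option exists to catch.
    dnssec-must-be-secure "corp.example" yes;

    // This is the default behaviour spelled out, and is a no-op:
    // "no" allows INSECURE answers (no chain of trust to an anchor),
    // which normal validation already allows. dnssec-failed.org is not
    // insecure but BOGUS: a chain of trust from the root exists and is
    // broken, so it still fails regardless of this setting.
    // dnssec-must-be-secure "dnssec-failed.org" no;
};

// An unsigned private TLD reached through forwarders is neither secure
// nor insecure in the validator's eyes: the signed root can prove that
// no such TLD exists, so a positive answer from the forwarder fails
// validation. dnssec-must-be-secure cannot rescue it; see the note
// below this block.
zone "lan" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };   // documentation-range address, hypothetical
};
```

For the poster's real case (an unsigned internal TLD behind forwarders), the fix is to exempt that name from validation rather than to relax dnssec-must-be-secure. Both mechanisms postdate this thread: BIND 9.11 and later accept a temporary negative trust anchor with `rndc nta lan` (expires after an hour by default, so it is meant for outages rather than permanent policy), and BIND 9.14 and later accept a permanent `validate-except { "lan"; };` statement in options. Either way, confirm the outcome with `dig +dnssec` (expect the AD flag on secure names, SERVFAIL on bogus ones, and a plain answer for the exempted TLD) rather than by reading the log alone.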