Intended usage of dnssec-must-be-secure?

Mark Andrews marka at isc.org
Wed Feb 3 08:36:50 UTC 2016


In message <34d77fc23ee95386a0417bb83191447e at nerdli.ch>, Thomas Sturm writes:
> Dear all,
> 
> According to the documentation of the option 'dnssec-must-be-secure', 
> which reads like
> 
>      "Specify hierarchies which must be or may not be secure (signed
>      and validated). If yes, then named will only accept answers if
>      they are secure. If no, then normal DNSSEC validation applies
>      allowing for insecure answers to be accepted. The specified domain
>      must be under a trusted-keys or managed-keys statement, or
>      dnssec-lookaside must be active."
> 
> I understand that I should be able to resolve dnssec-failed.org 
> successfully with a config like:
> 
>      managed-keys {
>          . initial-key 257 3 8 [current root key];
>      };
> 
>      options {
>          dnssec-enable yes;
>          dnssec-validation yes;
>          dnssec-must-be-secure dnssec-failed.org no;
>      };

No.  Insecure != invalid.  Insecure zones don't have a DNSSEC chain
of trust to a configured trust anchor.

> I have a managed-keys statement and dnssec-validation is set to "yes", 
> and not "auto" (which might be a problem as I read elsewhere). However, 
> this doesn't work.
> 
>      02-Feb-2016 17:29:47.036 broken trust chain resolving 'dnssec-failed.org/A/IN': 69.252.250.103#53
> 
> Am I doing something wrong, or is this not the actual intended usage of 
> this option?

The intended use is to catch policy errors where a zone is made
insecure but should not have been.

> Of course, my use case is not resolving broken DNSSEC zones, but 
> resolving forwarded local zones (non-existing TLD); however, the above 
> example should make the question more obvious.
> 
> Thanks for any input.
> 
> Cheers,
> Thomas
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
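To make the distinction in the reply concrete, here is an added example (not from this thread and not BIND's own code): a deliberately simplified Python model of how a validator classifies an answer as secure, insecure or bogus, and how dnssec-must-be-secure is layered on top of that. The zone data (unsigned.org and the DS/signature flags) is constructed; a real validator checks DNSKEY, DS and RRSIG records.

```python
from enum import Enum

class Status(Enum):
    SECURE = "secure"      # unbroken chain of trust down from a trust anchor
    INSECURE = "insecure"  # a parent proves there is no DS: unsigned delegation
    BOGUS = "bogus"        # a DS exists but the signatures do not validate

# Constructed zone model (hypothetical data, not real DNS): for each zone cut,
# whether its parent publishes a DS record and whether its RRSIGs validate.
ZONES = {
    "org.":               {"ds_at_parent": True,  "sigs_valid": True},
    "dnssec-failed.org.": {"ds_at_parent": True,  "sigs_valid": False},  # broken on purpose
    "unsigned.org.":      {"ds_at_parent": False, "sigs_valid": False},  # never signed
}
TRUST_ANCHORS = {"."}   # the root key configured via managed-keys

def zone_cuts(name):
    """Yield candidate zone cuts from the root down, e.g. '.', 'org.', 'x.org.'."""
    labels = name.rstrip(".").split(".")
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."

def validate(name):
    """Walk the chain of trust top-down and classify the answer for name."""
    status = Status.SECURE if "." in TRUST_ANCHORS else Status.INSECURE
    for cut in zone_cuts(name):
        if cut in TRUST_ANCHORS or cut not in ZONES:
            continue                  # the anchor itself, or no separate zone here
        if status is not Status.SECURE:
            break                     # the chain already ended above this cut
        info = ZONES[cut]
        if not info["ds_at_parent"]:
            status = Status.INSECURE  # provably unsigned: accepted by default
        elif not info["sigs_valid"]:
            status = Status.BOGUS     # "broken trust chain" in named's log
    return status

def is_under(name, domain):
    return domain == "." or name == domain or name.endswith("." + domain)

def accept(name, must_be_secure):
    """must_be_secure mirrors 'dnssec-must-be-secure <domain> yes|no;' as {domain: bool}."""
    status = validate(name)
    if status is Status.BOGUS:
        return False, status   # bogus is rejected regardless of this option
    matches = [d for d in must_be_secure if is_under(name, d)]
    if matches and must_be_secure[max(matches, key=len)]:
        return status is Status.SECURE, status   # 'yes': insecure is a policy error
    return True, status        # 'no' or unset: normal validation accepts insecure
```

The model reproduces the thread's outcome: `dnssec-must-be-secure dnssec-failed.org no;` leaves a bogus answer rejected, while `... org yes;` turns an insecure answer under org into a rejection, which is the policy check the option exists for.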