dnssec-validation [ ddig_sigchase option ]

Dennis Clarke dclarke at blastwave.org
Wed Oct 12 19:12:26 UTC 2016

On 10/12/16 15:07, Evan Hunt wrote:
> On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote:
>> On 10/12/16 13:36, Evan Hunt wrote:
>>> I recommend using "delv" instead.  "dig +sigchase" isn't good code.
>> ? well that is news to me  :-\
> It's code that was contributed over ten years ago; we put it into dig
> (hidden behind #ifdef's) because at the time there was no better
> alternative, but we never formally supported it.  It's buggy and
> broken in a number of edge cases and hasn't really kept up with the
> evolution of DNSSEC.
> Please try "delv" and if you find that it doesn't meet your needs,
> let me know so I can try to improve it.
> NLNetLabs's "drill" is also useful.
>>> I expect we'll be removing it in a future release.
>> cool .. so ... any change in our build process here ? A configure change
>> ? Anything ?
> No, delv is built and installed in BIND 9.10 and higher.

Thing of beauty.  Now I understand why there wasn't a configure option 
for sigchase and we needed a define. Makes sense.

Moving upwards to 9.11 anyways.

Thanks for the info.


More information about the bind-users mailing list