BIND 9.14.8

Havard Eidnes he at
Mon Dec 9 09:58:07 UTC 2019

> BIND 9.14.8 (Stable Release)
> When I start the server, I get such a prompt. Are there any parameters I
> [can] turn off? After all, not all servers implement DNSSEC
> 09-Dec-2019 16:17:46.497 dnssec: warning: managed-keys-zone: Unable to
> fetch DNSKEY set '.': timed out

This appears to be an indication that your recursive server is unable
to speak direcly with the root name servers, I would think?  You could
probably debug that with "dig"; you could try

  dig @<root-name-server> . dnskey

While it is most certainly true that not all publishing name servers
implement DNSSEC, that is not a necessary requirement for enabling
DNSSEC processing in your recursive name server.  BIND will figure out
by itself if lookups in the target zone should be DNSSEC-validated
(signaled by the presence of a signed DS record for the zone in the
parent zone), and will only do DNSSEC validation if that is the case,
allowing incremental deployment.


- Håvard

More information about the bind-users mailing list