DNSSEC and BIND 9.12

Mark Andrews marka at isc.org
Mon Jan 21 20:49:03 UTC 2019


> On 22 Jan 2019, at 6:32 am, @lbutlr <kremels at kreme.com> wrote:
> 
> A couple of questions
> 
> First, guides on setting up DNSSEC say to add dnssec-lookaside auto; in the options, but bind reports an error:
> 
> /usr/local/etc/namedb/named.conf:35: dnssec-lookaside 'auto' is no longer supported
> 
> Does this mean the entire declaration is not supported, or that auto should be changed to something else?

The DLV registry "dlv.isc.org" has been shut down. It is now an empty zone which answers with NXDOMAIN
for anyone that still has a dnssec-lookaside clause that pointed to it in named.conf or the equivalent in other
name servers.  "dnssec-lookaside auto;" and "dnssec-lookaside . dlv.isc.org;" are both rejected by modern
versions of BIND.

> Second, I've seen recommendations for "dnssec-validation auto;" and "dnssec-validation yes;" but no clear explanation on which should be used.

Use "dnssec-validation auto;" if you are on the Internet.  Use "dnssec-validation yes;" if you
are on a disconnected network.

> Third, what does “not at top of zone” mean in dnssec-verify?

Some record that should have been at the zone’s apex (name) wasn’t.  Either you passed the wrong
zone name to dnssec-verify or you have put records in the wrong place in the zone.

e.g.

DNSKEY, SOA and NSEC3PARAM records should only be at the top of a zone.
NS records exist at top and they define the bottom of a zone.
DS records should only exist at the NS records that define the bottom of the zone and
never at the zone's apex nor in the middle of a zone.

> -- 
> Heisenberg's only uncertainty was what pub to vomit in next and Jung
> fancied Freud's mother too. -- Jared Earle

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
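As an added illustration of the placement rules above (example code, not part of the original message or of BIND's dnssec-verify), this Python checker reads a constructed zone and flags records that would trigger a "not at top of zone" complaint; the zone name "example.test", the record layout and the digest values are all placeholders.

```python
from collections import defaultdict

# Constructed sample zone (example.test is a placeholder). Two records are
# deliberately misplaced: a DS at the apex and a DNSKEY under www.
ZONE = """\
example.test.      3600 IN SOA    ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test.      3600 IN NS     ns1.example.test.
example.test.      3600 IN DS     12345 13 2 PLACEHOLDERDIGEST
ns1.example.test.  3600 IN A      192.0.2.1
www.example.test.  3600 IN DNSKEY 257 3 13 PLACEHOLDERKEY
sub.example.test.  3600 IN NS     ns1.sub.example.test.
sub.example.test.  3600 IN DS     54321 13 2 PLACEHOLDERDIGEST
"""

# Record types that may only appear at the zone apex.
APEX_ONLY = {"SOA", "DNSKEY", "NSEC3PARAM"}

def parse_zone(text):
    """Yield (owner, rrtype) per record; assumes absolute owner names and
    the one-record-per-line layout used in the sample above."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields:
            continue
        owner = fields[0].lower()
        # Skip optional TTL and class tokens; the next token is the type.
        rest = [f for f in fields[1:]
                if not f.isdigit() and f.upper() not in ("IN", "CH", "HS")]
        yield owner, rest[0].upper()

def check_placement(text, zone_name):
    """Return placement problems of the kind dnssec-verify reports.
    Passing the wrong zone_name makes the real apex records look misplaced."""
    apex = zone_name.lower().rstrip(".") + "."
    types_at = defaultdict(set)
    for owner, rrtype in parse_zone(text):
        types_at[owner].add(rrtype)
    problems = []
    for owner, types in types_at.items():
        at_apex = owner == apex
        for t in sorted(types & APEX_ONLY):
            if not at_apex:
                problems.append(f"{t} at {owner}: not at top of zone")
        if "DS" in types:
            if at_apex:
                problems.append(f"DS at {owner}: DS records never belong at the apex")
            elif "NS" not in types:
                problems.append(f"DS at {owner}: DS without a delegating NS")
    return problems

if __name__ == "__main__":
    for p in check_placement(ZONE, "example.test"):
        print(p)
```

Running it with the correct zone name reports the apex DS and the stray DNSKEY; running it with "www.example.test" instead shows the "wrong zone name" failure mode, where the genuine SOA is reported as not at top of zone.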