DNSSEC and BIND 9.12
Mark Andrews
marka at isc.org
Mon Jan 21 20:49:03 UTC 2019
> On 22 Jan 2019, at 6:32 am, @lbutlr <kremels at kreme.com> wrote:
>
> A couple of questions
>
> First, guides on setting up DNSSEC say to add dnssec-lookaside auto; in the options, but bind repots an error:
>
> /usr/local/etc/namedb/named.conf:35: dnssec-lookaside 'auto' is no longer supported
>
> Does this mean the entire declaration is not supported, or that auto should be changed to something else?
The DLV registry "dlv.isc.org" has been shut down. It is now an empty zone which answers with NXDOMAIN
for anyone that still has a dnssec-lookaside clause pointing to it in named.conf or the equivalent in other
name servers. "dnssec-lookaside auto;" and "dnssec-lookaside . dlv.isc.org;" are both rejected by modern
versions of BIND.
> Second, I've seen recommendations for "dnssec-validation auto;" and "dnssec-validation yes;" but no clear explanation on which should be used.
Use 'dnssec-validation auto;' if you are on the Internet. Use 'dnssec-validation yes;' if you
are on a disconnected network.
> Third, what does “not at top of zone” mean in dnssec-verify?
Some record that should have been at the zone’s apex (name) wasn’t. Either you passed the wrong
zone name to dnssec-verify or you have put records in the wrong place in the zone.
e.g.
DNSKEY, SOA and NSEC3PARAM records should only be at the top of a zone.
NS records exist at top and they define the bottom of a zone.
DS records should only exist at the NS records that define the bottom of the zone and
never at the zone's apex nor in the middle of a zone.
> --
> Heisenberg's only uncertainty was what pub to vomit in next and Jung
> fancied Freud's mother too. -- Jared Earle
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
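The placement rules in the third answer (SOA, DNSKEY and NSEC3PARAM only at the apex; DS only at delegation points, never at the apex) are easy to check mechanically. The following is an added example, not code from the post or from BIND/dnssec-verify: it reads a deliberately simplified, constructed zone listing (one fully-qualified record per line, "owner TTL class type rdata", no $ORIGIN or $TTL handling, all of which are assumptions) and reports the same kind of "not at top of zone" findings, including the case where the wrong zone name was supplied.

```python
"""Apex/delegation placement check for DNSSEC-related records.

Added example, not from the bind-users thread or BIND. Assumed input
format: one record per line, "owner TTL class type rdata", owner names
fully qualified with a trailing dot; ';' starts a comment.
"""
from collections import defaultdict

# Record types that belong only at the top (apex) of a zone.
APEX_ONLY = {"SOA", "DNSKEY", "NSEC3PARAM"}

# Constructed sample zone; key and digest fields are placeholders.
SAMPLE_ZONE = """\
example.test.         3600 IN SOA  ns1.example.test. hostmaster.example.test. 2019012101 7200 3600 1209600 3600
example.test.         3600 IN NS   ns1.example.test.
example.test.         3600 IN DNSKEY 257 3 13 PLACEHOLDERKEYDATA
example.test.         3600 IN NSEC3PARAM 1 0 10 ABCD
ns1.example.test.     3600 IN A    192.0.2.1
sub.example.test.     3600 IN NS   ns1.sub.example.test.
sub.example.test.     3600 IN DS   12345 13 2 PLACEHOLDERDIGEST
ns1.sub.example.test. 3600 IN A    192.0.2.2
www.example.test.     3600 IN DNSKEY 256 3 13 PLACEHOLDERKEYDATA   ; misplaced
example.test.         3600 IN DS   12345 13 2 PLACEHOLDERDIGEST    ; misplaced
"""


def parse_zone(text):
    """Return a list of (owner, rrtype) pairs from the simplified listing."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed record: {line!r}")
        owner, rtype = fields[0], fields[3]
        records.append((owner.lower(), rtype.upper()))
    return records


def check_placement(zone_name, records):
    """Apply the apex/delegation rules; return a list of problem strings."""
    apex = zone_name.lower()
    if not apex.endswith("."):
        apex += "."
    types_at = defaultdict(set)
    for owner, rtype in records:
        types_at[owner].add(rtype)

    problems = []
    # A zone must start with an SOA at the name it was loaded under.
    if "SOA" not in types_at.get(apex, set()):
        problems.append(f"{apex}: no SOA at top of zone (wrong zone name?)")

    # NS records at a name other than the apex mark the bottom of this zone.
    delegations = {n for n, t in types_at.items() if "NS" in t and n != apex}

    for owner, rtypes in types_at.items():
        for rtype in sorted(rtypes & APEX_ONLY):
            if owner != apex:
                problems.append(f"{owner}: {rtype} not at top of zone")
        if "DS" in rtypes:
            if owner == apex:
                problems.append(f"{owner}: DS at zone apex")
            elif owner not in delegations:
                problems.append(f"{owner}: DS without NS (not a delegation point)")
    return problems


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for name in ("example.test", "www.example.test"):
        print(f"== checking as zone {name}")
        for p in check_placement(name, recs):
            print("  ", p)
```

Run with the correct zone name the checker flags only the two deliberately misplaced records (the DS at the apex and the DNSKEY under www). Run with `www.example.test` as the zone name it instead reports a missing SOA and every apex-only record of `example.test.` as "not at top of zone", which is the symptom Mark attributes to passing the wrong zone name to dnssec-verify.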