Different DNSSEC behaviour between two old versions

raf bind at raf.org
Fri Aug 6 02:21:48 UTC 2021

Hi again,

Never mind. It wasn't the difference between versions.
It was that the 9.10.3 server was forwarding all queries
to my ISP's DNS servers which are not functioning well.
They can't even resolve ietf.org at the moment.
When forwarding to instead, it behaves the same
as the 9.11.5 server that's doing its own resolving.
Apologies for the noise.


On Fri, Aug 06, 2021 at 11:56:06AM +1000, raf <bind at raf.org> wrote:

> Hi,
> Firstly, I'd like to thank everyone involved with making bind.
> I'm used to using old versions (9.10.3 on an old ubuntu host)
> and (9.11.5 on debian-10 stable). And just as I'm about to start
> using DNSSEC for my domains, debian-11 stable is about to come
> out in a few days with bind-9.16.15 which will make DNSSEC so
> much easier than I was expecting. Thanks again.
> Now to my question. I've seen an odd difference in behaviour
> between 9.10.3 and 9.11.5 relating to DNSSEC, and I was wondering
> if anyone knows the reason.
> With both servers configured with "dnssec-validation auto",
> 9.10.3 won't resolve tools.ietf.org or datatracker.ietf.org,
> but 9.11.5 will resolve them. 9.10.3 will only resolve them
> without "dnssec-validation auto". Below is some dig output.
> Any thoughts?
> cheers,
> raf

More information about the bind-users mailing list