Behaviour change of dig +dnssec between 9.11 and 9.16

Peter Davies peter.watson.davies at outlook.com
Tue Jun 29 13:51:29 UTC 2021


Hi Josef,
   The default setting for dnssec-validate is "yes" in Bind 9.11.x
The default setting for dnssec-validate is "auto" in Bind 9.16.x

Note that the setting dnssec-validation yes; is ineffectual unless the server has access to trust anchors from which to establish a DNSSEC-validated chain of trust.


read more at: https://kb.isc.org/docs/aa-01547

Kind Regards Peter
________________________________
From: bind-workers <bind-workers-bounces at lists.isc.org> on behalf of Josef Moellers <jmoellers at suse.de>
Sent: 29 June 2021 14:45
To: bind-workers at lists.isc.org <bind-workers at lists.isc.org>
Subject: Behaviour change of dig +dnssec between 9.11 and 9.16

Hi,

A colleague has recently upgraded from 9.11.2 to 9.16.6 and has observed
that with a named that supports DNSSEC

on 9.11.2:
dig +dnssec @<server>
did not return any RRSIG (it did on occasion but not consistently).

on 9.16.6:
dig +dnssec @<server>
now consistently returns the RRSIG every time but
dig +dnssec @<server> org NS
does not return any RRSIG, although the "org" name servers (eg
a0.org.afilias-nst.info) do support it.

For the last 1½ weeks, I've been trying to dig (pun intended) through
the bind 9.16.18 source code to find how the RRSIG makes its way to the
user's screen but have failed so far.
Can someone either tell my why the behaviour is as described above, ie
why dig without any name and type returns an RRSIG and when being asked
for the NS record of "org" does not send the signature along.

Thanks, and stay healty!

Josef
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
_______________________________________________
bind-workers mailing list
bind-workers at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-workers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-workers/attachments/20210629/fe911108/attachment.htm>


More information about the bind-workers mailing list