Behaviour change of dig +dnssec between 9.11 and 9.16
Josef Moellers
jmoellers at suse.de
Tue Jun 29 14:06:14 UTC 2021
Hello Peter,
On 29.06.21 15:51, Peter Davies wrote:
>
> Hi Josef,
> The default setting for dnssec-validate is "yes" in Bind 9.11.x
> The default setting for dnssec-validate is "auto" in Bind 9.16.x
>
> Note that the setting dnssec-validation yes; is ineffectual unless the
> server has access to trust anchors from which to establish a
> DNSSEC-validated chain of trust.
>
>
> read more at: https://kb.isc.org/docs/aa-01547
Thanks for the pointer. I'll relay this to the colleague. It'll take
some time to change everything and install 9.16.
Josef
> ------------------------------------------------------------------------
> *From:* bind-workers <bind-workers-bounces at lists.isc.org> on behalf of
> Josef Moellers <jmoellers at suse.de>
> *Sent:* 29 June 2021 14:45
> *To:* bind-workers at lists.isc.org <bind-workers at lists.isc.org>
> *Subject:* Behaviour change of dig +dnssec between 9.11 and 9.16
>
> Hi,
>
> A colleague has recently upgraded from 9.11.2 to 9.16.6 and has observed
> that with a named that supports DNSSEC
>
> on 9.11.2:
> dig +dnssec @<server>
> did not return any RRSIG (it did on occasion but not consistently).
>
> on 9.16.6:
> dig +dnssec @<server>
> now consistently returns the RRSIG every time but
> dig +dnssec @<server> org NS
> does not return any RRSIG, although the "org" name servers (eg
> a0.org.afilias-nst.info) do support it.
>
> For the last 1½ weeks, I've been trying to dig (pun intended) through
> the bind 9.16.18 source code to find how the RRSIG makes its way to the
> user's screen but have failed so far.
> Can someone either tell my why the behaviour is as described above, ie
> why dig without any name and type returns an RRSIG and when being asked
> for the NS record of "org" does not send the signature along.
>
> Thanks, and stay healty!
>
> Josef
> --
> SUSE Software Solutions Germany GmbH
> Maxfeldstr. 5
> 90409 Nürnberg
> Germany
>
> (HRB 36809, AG Nürnberg)
> Geschäftsführer: Felix Imendörffer
> _______________________________________________
> bind-workers mailing list
> bind-workers at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-workers
> <https://lists.isc.org/mailman/listinfo/bind-workers>
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
More information about the bind-workers
mailing list