Behaviour change of dig +dnssec between 9.11 and 9.16

Josef Moellers jmoellers at suse.de
Tue Jun 29 14:06:14 UTC 2021 

Hello Peter,

On 29.06.21 15:51, Peter Davies wrote:
> 
> Hi Josef,
>    The default setting for dnssec-validate is "yes" in Bind 9.11.x
> The default setting for dnssec-validate is "auto" in Bind 9.16.x
> 
> Note that the setting dnssec-validation yes; is ineffectual unless the
> server has access to trust anchors from which to establish a
> DNSSEC-validated chain of trust.
> 
> 
> read more at: https://kb.isc.org/docs/aa-01547

Thanks for the pointer. I'll relay this to the colleague. It'll take
some time to change everything and install 9.16.

Josef

> ------------------------------------------------------------------------
> *From:* bind-workers <bind-workers-bounces at lists.isc.org> on behalf of
> Josef Moellers <jmoellers at suse.de>
> *Sent:* 29 June 2021 14:45
> *To:* bind-workers at lists.isc.org <bind-workers at lists.isc.org>
> *Subject:* Behaviour change of dig +dnssec between 9.11 and 9.16
>  
> Hi,
> 
> A colleague has recently upgraded from 9.11.2 to 9.16.6 and has observed
> that with a named that supports DNSSEC
> 
> on 9.11.2:
> dig +dnssec @<server>
> did not return any RRSIG (it did on occasion but not consistently).
> 
> on 9.16.6:
> dig +dnssec @<server>
> now consistently returns the RRSIG every time but
> dig +dnssec @<server> org NS
> does not return any RRSIG, although the "org" name servers (eg
> a0.org.afilias-nst.info) do support it.
> 
> For the last 1½ weeks, I've been trying to dig (pun intended) through
> the bind 9.16.18 source code to find how the RRSIG makes its way to the
> user's screen but have failed so far.
> Can someone either tell my why the behaviour is as described above, ie
> why dig without any name and type returns an RRSIG and when being asked
> for the NS record of "org" does not send the signature along.
> 
> Thanks, and stay healty!
> 
> Josef
> -- 
> SUSE Software Solutions Germany GmbH
> Maxfeldstr. 5
> 90409 Nürnberg
> Germany
> 
> (HRB 36809, AG Nürnberg)
> Geschäftsführer: Felix Imendörffer
> _______________________________________________
> bind-workers mailing list
> bind-workers at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-workers
> <https://lists.isc.org/mailman/listinfo/bind-workers>


-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

More information about the bind-workers mailing list