Behaviour change of dig +dnssec between 9.11 and 9.16

Peter Outloook peter.watson.davies at outlook.com
Tue Jun 29 18:51:52 UTC 2021



Hi Josef,

I appear to have misread your question. My reply was in regard to the
BIND DNS server; your question was in relation to the behaviour of the
"dig" tool.

Sorry about that. It looks like Tony has given you a detailed reply.

Kind Regards Peter

On 29/06/2021 16:06, Josef Moellers wrote:
> Hello Peter,
>
> On 29.06.21 15:51, Peter Davies wrote:
>> Hi Josef,
>> The default setting for dnssec-validate is "yes" in Bind 9.11.x
>> The default setting for dnssec-validate is "auto" in Bind 9.16.x
>>
>> Note that the setting dnssec-validation yes; is ineffectual unless the
>> server has access to trust anchors from which to establish a
>> DNSSEC-validated chain of trust.
>>
>>
>> read more at: https://kb.isc.org/docs/aa-01547
> Thanks for the pointer. I'll relay this to the colleague. It'll take
> some time to change everything and install 9.16.
>
> Josef
>
>> ------------------------------------------------------------------------
>> *From:* bind-workers <bind-workers-bounces at lists.isc.org> on behalf of
>> Josef Moellers <jmoellers at suse.de>
>> *Sent:* 29 June 2021 14:45
>> *To:* bind-workers at lists.isc.org <bind-workers at lists.isc.org>
>> *Subject:* Behaviour change of dig +dnssec between 9.11 and 9.16
>>  
>> Hi,
>>
>> A colleague has recently upgraded from 9.11.2 to 9.16.6 and has observed
>> that with a named that supports DNSSEC
>>
>> on 9.11.2:
>> dig +dnssec @<server>
>> did not return any RRSIG (it did on occasion but not consistently).
>>
>> on 9.16.6:
>> dig +dnssec @<server>
>> now consistently returns the RRSIG every time but
>> dig +dnssec @<server> org NS
>> does not return any RRSIG, although the "org" name servers (eg
>> a0.org.afilias-nst.info) do support it.
>>
>> For the last 1½ weeks, I've been trying to dig (pun intended) through
>> the bind 9.16.18 source code to find how the RRSIG makes its way to the
>> user's screen but have failed so far.
>> Can someone either tell me why the behaviour is as described above, ie
>> why dig without any name and type returns an RRSIG and when being asked
>> for the NS record of "org" does not send the signature along.
>>
>> Thanks, and stay healthy!
>>
>> Josef
>> -- 
>> SUSE Software Solutions Germany GmbH
>> Maxfeldstr. 5
>> 90409 Nürnberg
>> Germany
>>
>> (HRB 36809, AG Nürnberg)
>> Geschäftsführer: Felix Imendörffer
>