Behaviour change of dig +dnssec between 9.11 and 9.16
jmoellers at suse.de
Wed Jun 30 06:23:43 UTC 2021
On 29.06.21 20:51, Peter Outloook wrote:
> Hi Josef,
> I appear to have mis-read your question. My reply was in regard to the
> BIND DNS server, your question was in relation to the behaviour of the
> " dig" tool.
No problem. I'm not sure who the culprit is in this case. I do have the
feeling that it IS the DNS server who doesn't send the RRSIG but I
really don't know.
> Sorry about that. It looks like Tony has given you a detailed reply.
You're welcome. I need to digest it all first ;-)
Thanks again for taking the time anyway. Stay safe and healthy
> On 29/06/2021 16:06, Josef Moellers wrote:
>> Hello Peter,
>> On 29.06.21 15:51, Peter Davies wrote:
>>> Hi Josef,
>>> The default setting for dnssec-validate is "yes" in Bind 9.11.x
>>> The default setting for dnssec-validate is "auto" in Bind 9.16.x
>>> Note that the setting dnssec-validation yes; is ineffectual unless the
>>> server has access to trust anchors from which to establish a
>>> DNSSEC-validated chain of trust.
>>> read more at: https://kb.isc.org/docs/aa-01547
>> Thanks for the pointer. I'll relay this to the colleague. It'll take
>> some time to change everything and install 9.16.
>>> *From:* bind-workers <bind-workers-bounces at lists.isc.org> on behalf of
>>> Josef Moellers <jmoellers at suse.de>
>>> *Sent:* 29 June 2021 14:45
>>> *To:* bind-workers at lists.isc.org <bind-workers at lists.isc.org>
>>> *Subject:* Behaviour change of dig +dnssec between 9.11 and 9.16
>>> A colleague has recently upgraded from 9.11.2 to 9.16.6 and has observed
>>> that with a named that supports DNSSEC
>>> on 9.11.2:
>>> dig +dnssec @<server>
>>> did not return any RRSIG (it did on occasion but not consistently).
>>> on 9.16.6:
>>> dig +dnssec @<server>
>>> now consistently returns the RRSIG every time but
>>> dig +dnssec @<server> org NS
>>> does not return any RRSIG, although the "org" name servers (eg
>>> a0.org.afilias-nst.info) do support it.
>>> For the last 1½ weeks, I've been trying to dig (pun intended) through
>>> the bind 9.16.18 source code to find how the RRSIG makes its way to the
>>> user's screen but have failed so far.
>>> Can someone either tell me why the behaviour is as described above, i.e.
>>> why dig without any name and type returns an RRSIG and when being asked
>>> for the NS record of "org" does not send the signature along?
>>> Thanks, and stay healthy!
>>> SUSE Software Solutions Germany GmbH
>>> Maxfeldstr. 5
>>> 90409 Nürnberg
>>> (HRB 36809, AG Nürnberg)
>>> Geschäftsführer: Felix Imendörffer
>>> bind-workers mailing list
>>> bind-workers at lists.isc.org
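An added example, not code from the thread or from BIND: a small Python check that reads `dig +dnssec` output and reports, per RRset in the ANSWER section, whether an RRSIG covering it came back and whether the AD flag was set. The two dig outputs are constructed samples (not captured from a real server) that mirror the two cases Josef describes, a signed `org NS` answer and one where the RRSIG is missing.

```python
import re

# Constructed sample of `dig +dnssec @<server> org NS` output: the NS RRset
# is returned together with its RRSIG and the resolver sets the AD flag.
SIGNED_ANSWER = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
org.\t3600\tIN\tNS\ta0.org.afilias-nst.info.
org.\t3600\tIN\tNS\tb0.org.afilias-nst.org.
org.\t3600\tIN\tRRSIG\tNS 8 1 3600 20210715000000 20210624000000 12345 org. AbCd==
"""

# Constructed sample of the problem case from the thread: same query, but no
# RRSIG is returned and the AD flag is clear.
UNSIGNED_ANSWER = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
org.\t3600\tIN\tNS\ta0.org.afilias-nst.info.
org.\t3600\tIN\tNS\tb0.org.afilias-nst.org.
"""

# owner  TTL  IN  TYPE  RDATA  (dig's default presentation format)
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")
FLAGS_LINE = re.compile(r"^;; flags: ([^;]*);")


def audit_dig_output(text):
    """Return (ad_flag, {"owner TYPE": rrsig_present}) for the ANSWER section."""
    ad_flag = False
    in_answer = False
    rrsets = set()      # (owner, type) of every non-RRSIG RRset seen
    covered = set()     # (owner, type) named in the type-covered field of an RRSIG
    for line in text.splitlines():
        m = FLAGS_LINE.match(line)
        if m:
            ad_flag = "ad" in m.group(1).split()
        elif line.startswith(";; "):
            # Section headers switch the section; only ANSWER is audited.
            in_answer = line.startswith(";; ANSWER SECTION")
        elif in_answer and line.strip():
            m = RR_LINE.match(line)
            if not m:
                continue
            owner, rtype, rdata = m.groups()
            if rtype == "RRSIG":
                covered.add((owner, rdata.split()[0]))
            else:
                rrsets.add((owner, rtype))
    return ad_flag, {f"{o} {t}": (o, t) in covered for o, t in rrsets}
```

An RRset reported as `False` means the resolver answered without a signature for it, which is the symptom to look for when comparing the 9.11 and 9.16 behaviour.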