<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<b style="font-weight:normal;" id="docs-internal-guid-28d61b88-7fff-4db6-51b8-177ea70d2ffd">
<p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Hi Josef,</span></p>
<p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;"> </span><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;"><span class="Apple-tab-span" style="white-space:pre;"> </span></span><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">I appear to have mis-read your question. My reply was in regard to the BIND DNS server; your question was in relation to the behaviour of the "dig" tool.</span></p>
<p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Sorry about that. It looks like Tony has given you a detailed reply.</span></p>
<p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt;"><span style="font-size:11pt;font-family:Arial;color:#000000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">Kind Regards Peter</span></p>
</b><br class="Apple-interchange-newline">
<div class="moz-cite-prefix">On 29/06/2021 16:06, Josef Moellers
wrote:<br>
</div>
<blockquote type="cite" cite="mid:dae1eaed-1f17-c933-b118-41ff6b365dda@suse.de">
<pre class="moz-quote-pre" wrap="">Hello Peter,
On 29.06.21 15:51, Peter Davies wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
Hi Josef,
The default setting for dnssec-validate is "yes" in Bind 9.11.x
The default setting for dnssec-validate is "auto" in Bind 9.16.x
Note that the setting dnssec-validation yes; is ineffectual unless the
server has access to trust anchors from which to establish a
DNSSEC-validated chain of trust.
read more at: <a class="moz-txt-link-freetext" href="https://kb.isc.org/docs/aa-01547">https://kb.isc.org/docs/aa-01547</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Thanks for the pointer. I'll relay this to the colleague. It'll take
some time to change everything and install 9.16.
Josef
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">------------------------------------------------------------------------
*From:* bind-workers <a class="moz-txt-link-rfc2396E" href="mailto:bind-workers-bounces@lists.isc.org">&lt;bind-workers-bounces@lists.isc.org&gt;</a> on behalf of
Josef Moellers <a class="moz-txt-link-rfc2396E" href="mailto:jmoellers@suse.de">&lt;jmoellers@suse.de&gt;</a>
*Sent:* 29 June 2021 14:45
*To:* <a class="moz-txt-link-abbreviated" href="mailto:bind-workers@lists.isc.org">bind-workers@lists.isc.org</a> <a class="moz-txt-link-rfc2396E" href="mailto:bind-workers@lists.isc.org">&lt;bind-workers@lists.isc.org&gt;</a>
*Subject:* Behaviour change of dig +dnssec between 9.11 and 9.16
Hi,
A colleague has recently upgraded from 9.11.2 to 9.16.6 and has observed
that with a named that supports DNSSEC
on 9.11.2:
dig +dnssec @&lt;server&gt;
did not return any RRSIG (it did on occasion but not consistently).
on 9.16.6:
dig +dnssec @&lt;server&gt;
now consistently returns the RRSIG every time but
dig +dnssec @&lt;server&gt; org NS
does not return any RRSIG, although the "org" name servers (eg
a0.org.afilias-nst.info) do support it.
For the last 1½ weeks, I've been trying to dig (pun intended) through
the bind 9.16.18 source code to find how the RRSIG makes its way to the
user's screen but have failed so far.
Can someone either tell me why the behaviour is as described above, ie
why dig without any name and type returns an RRSIG and when being asked
for the NS record of "org" does not send the signature along.
Thanks, and stay healthy!
Josef
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
</pre>
</blockquote>
</body>
</html>