behavior of dnssec-enable in relation to dnssec-validation

behavior of dnssec-enable in relation to dnssec-validation

btb
hi-

in the arm, it says "dnssec-enable: Enable DNSSEC support in named. Unless set to yes, named behaves as if it does not support DNSSEC.".  "behaves as if it does not support DNSSEC" seemed quite unequivocal to me, so i interpreted this to mean that if dnssec-enable no; is set, no dnssec operations/behavior of any kind would be seen, period, regardless of what other settings might be set.  however, it seems that if dnssec-validation auto; is set [i didn't try dnssec-validation yes;], bind does perform dnssec related operations even though dnssec-enable no; is set [from looking briefly at logs with rndc trace 1, i see what appear to be attempts at validation - retrieving ds records, dnskey records, etc].

am i misinterpreting the documentation?  misinterpreting the apparent behavior?  something else?

thanks
-ben
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: behavior of dnssec-enable in relation to dnssec-validation

/dev/rob0
On Tue, Mar 24, 2015 at 10:50:42PM -0400, [hidden email] wrote:

> in the arm, it says "dnssec-enable: Enable DNSSEC support in named.
> Unless set to yes, named behaves as if it does not support
> DNSSEC.".  "behaves as if it does not support DNSSEC" seemed quite
> unequivocal to me, so i interpreted this to mean that if
> dnssec-enable no; is set, no dnssec operations/behavior of any kind
> would be seen, period, regardless of what other settings might be
> set.  however, it seems that if dnssec-validation auto; is set [i
> didn't try dnssec-validation yes;], bind does perform dnssec
> related operations even though dnssec-enable no; is set [from
> looking briefly at logs with rndc trace 1, i see what appear to be
> attempts at validation - retrieving ds records, dnskey records,
> etc].

I tested this with a query of dnssec-failed.org/IN/SOA, and indeed,
validation is done and (of course) fails.  named-checkconf -p shows:

        dnssec-enable no;
        dnssec-lookaside auto;
        dnssec-validation auto;

> am i misinterpreting the documentation?

Reading on through:

"
dnssec-validation

    Enable DNSSEC validation in named. Note dnssec-enable also
    needs to be set to yes to be effective. ...
"

This does not seem to be the case.  I think bug, whether it's the
documentation or the behavior.

> misinterpreting the apparent behavior?  something else?

--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
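The combination discussed in this thread (dnssec-enable no; alongside dnssec-validation auto;) is easy to end up with by accident, so a small configuration lint that flags it is a practical defensive check. This is an added example, not code from the thread or from ISC; the sample options block is constructed after the named-checkconf -p output quoted above, and the finding text reflects only what the thread reports.

```python
import re

# Constructed sample, modelled on the named-checkconf -p output quoted in the
# thread; not a real deployment's configuration.
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";   // unrelated option, ignored by the check
    dnssec-enable no;
    dnssec-lookaside auto;
    dnssec-validation auto;
};
"""

DNSSEC_OPTS = ("dnssec-enable", "dnssec-validation", "dnssec-lookaside")
STATEMENT_RE = re.compile(r"\b(" + "|".join(DNSSEC_OPTS) + r")\s+([^;{}]+);")


def strip_comments(conf: str) -> str:
    """Remove the three named.conf comment styles: /* ... */, // ... and # ..."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def parse_dnssec_options(conf: str) -> dict:
    """Map each explicitly set dnssec-* option to its lower-cased value.

    Options not present in the file are absent from the result; no defaults
    are assumed, because the effective default is exactly what is in doubt."""
    return {name: value.strip().lower()
            for name, value in STATEMENT_RE.findall(strip_comments(conf))}


def check_dnssec_options(conf: str) -> list:
    """Return findings for dnssec-enable / dnssec-validation combinations whose
    effect contradicts the ARM text according to the thread's observations."""
    opts = parse_dnssec_options(conf)
    enable = opts.get("dnssec-enable")
    validation = opts.get("dnssec-validation")
    findings = []
    if enable == "no" and validation in ("yes", "auto"):
        findings.append(
            f"dnssec-enable no; together with dnssec-validation {validation};: "
            "the ARM says validation needs dnssec-enable yes, yet validation was "
            "observed to run anyway; make both statements agree with the intent")
    return findings


if __name__ == "__main__":
    for finding in check_dnssec_options(SAMPLE_CONF):
        print("WARNING:", finding)
```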