[arch-general] BIND, systemd-resolved, and nscd
frederik at ofb.net
frederik at ofb.net
Thu Sep 13 19:31:28 UTC 2018
On Thu, Sep 13, 2018 at 06:49:45AM -0700, Pallissard, Matthew wrote:
> > I had to add "dnssec-validation yes;" to /etc/named.conf. I have a
>
> Are you sure you didn't want these values?
>
> dnssec-enable no;
> dnssec-validation no;
Well, prior to the recent BIND releease, the default had been "yes" -
which means "no" for me. I just wanted to make it behave the same way
as it had before. I don't know if there's a difference between that
and the options you suggested:
ftp://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html#Configuration_File_Grammar
If set to auto, DNSSEC validation is enabled, and a default trust
anchor for the DNS root zone is used. If set to yes, DNSSEC
validation is enabled, but a trust anchor must be manually
configured using a trusted-keys or managed-keys statement. The
default is yes.
Here's my SU question BTW:
https://superuser.com/questions/1349213/how-to-debug-local-named-with-broken-dnssec
Matthew, do you know more about this stuff or were you just as
confused as I was by the "yes means no" syntax? I didn't necessarily
want to get into that in this thread, although it could potentially be
something for us to complain to the BIND maintainers about. (viz.,
people thinking they had enabled dnssec-validation when in fact they
hadn't)
Frederick
More information about the arch-general
mailing list