[arch-general] BIND, systemd-resolved, and nscd

Pallissard, Matthew matt at pallissard.net
Wed Sep 19 16:31:13 UTC 2018 

On 2018-09-13T12:31:28, frederik at ofb.net wrote:
> On Thu, Sep 13, 2018 at 06:49:45AM -0700, Pallissard, Matthew wrote:
> > > I had to add "dnssec-validation yes;" to /etc/named.conf. I have a
> > 
> > Are you sure you didn't want these values?
> > 
> > dnssec-enable no;
> > dnssec-validation no;
> 
> Well, prior to the recent BIND releease, the default had been "yes" -
> which means "no" for me. I just wanted to make it behave the same way
> as it had before. I don't know if there's a difference between that
> and the options you suggested:
> 
> ftp://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html#Configuration_File_Grammar
> 
>     If set to auto, DNSSEC validation is enabled, and a default trust
>     anchor for the DNS root zone is used. If set to yes, DNSSEC
>     validation is enabled, but a trust anchor must be manually
>     configured using a trusted-keys or managed-keys statement. The
>     default is yes.
> 
> Here's my SU question BTW:
> 
> https://superuser.com/questions/1349213/how-to-debug-local-named-with-broken-dnssec
> 
> Matthew, do you know more about this stuff or were you just as
> confused as I was by the "yes means no" syntax? I didn't necessarily
> want to get into that in this thread, although it could potentially be
> something for us to complain to the BIND maintainers about. (viz.,
> people thinking they had enabled dnssec-validation when in fact they
> hadn't)
> 
> Frederick

A few things.

1. Google's public DNS servers are DNSSEC validating forwarders, your router evidently is not.
2. I'm not sure what you mean by the yes-means-no syntax.  The URL that you provided seems pretty cut and dry.
  > dnssec-enable yes; # returns dnssec resource records
  > dnssec-enable nol # does not, validation cannot be performed
  > dnssec-validation no; #does not validate
  > dnssec-validation yes; #does validate (requires a trusted-keys or managed-keys statement, which you DO NOT have in your example)
  > dnssec-validation autol #does validate (uses trusted/manged-keys blocks or the trust anchor compiled into named)


TL;DR If you want to 'make it behave the same way as it had before',  it sounds like you need to disable DNSSEC validation.
  If you want to make it honour DNSSEC set dnssec-validation to 'auto' or 'yes' with the related keys statement.


Matt Pallissard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20180919/27cdf45a/attachment.asc>

More information about the arch-general mailing list