Carsten Strotmann <c...@strotmann.de> wrote:
>
> You can enable DNSSEC validation support on a BIND 9 caching server that
> is used as a resolver by your clients. BIND 9 9.9.x already comes with
> DNSSEC validation enabled, for older versions you need to enable it
> manually in the configuration.

DNSSEC validation needs to be explicitly enabled in every version of BIND.
Since version 9.8 BIND ships with a built-in root trust anchor, so to
enable validation you can just add "dnssec-validation auto;" (and
"dnssec-lookaside auto;" if you like).

The dnssec-enable option defaults to yes (since version 9.5), but this
just makes BIND DNSSEC-aware (so it supports the special semantics of
DNSSEC RR types) but does not make it validate.

The rest of what you said is correct.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Fair Isle, Faeroes, South-east Iceland: Mainly southeasterly 5 or 6,
decreasing 4 at times. Moderate or rough. Occasional rain, fog patches.
Moderate or good, occasionally very poor.
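
An added example, not part of the original message: a small Python audit that applies the distinction above (dnssec-enable makes BIND DNSSEC-aware, dnssec-validation makes it validate) to a named.conf, using the defaults as the message describes them. The sample configs are constructed, comment stripping is simplified, and treating "dnssec-validation yes" as needing a manually configured trust anchor is this example's own assumption.

```python
import re

# Constructed sample configs (not from the original message).
AWARE_ONLY = """
options {
    directory "/var/named";
    // dnssec-validation auto;   (commented out, so not in effect)
    dnssec-enable yes;
};
"""
VALIDATING = """
options {
    directory "/var/named";
    dnssec-validation auto;   # built-in root trust anchor (BIND 9.8+)
    dnssec-lookaside auto;
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of the top-level options { ... } statement."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return text[m.end():]

def dnssec_state(conf):
    """Classify a config using the defaults described in the message."""
    body = options_block(strip_comments(conf))
    opts = dict(re.findall(r"\b(dnssec-(?:enable|validation))\s+([^;\s]+)\s*;", body))
    if opts.get("dnssec-enable", "yes") == "no":   # default yes since 9.5
        return "dnssec-disabled"
    validation = opts.get("dnssec-validation")      # must be set explicitly
    if validation == "auto":
        return "validating"
    if validation == "yes":                         # assumption of this example:
        return "validating-if-trust-anchor-set"     # needs a configured anchor
    return "aware-only"                             # DNSSEC-aware, no validation

if __name__ == "__main__":
    for name, conf in (("aware-only sample", AWARE_ONLY), ("validating sample", VALIDATING)):
        print(name, "->", dnssec_state(conf))
```

A resolver reported as "aware-only" accepts DNSSEC record types but returns unvalidated answers, which is the state the reply warns about.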