> On 22 Jan 2019, at 6:32 am, @lbutlr <krem...@kreme.com> wrote:
>
> A couple of questions
>
> First, guides on setting up DNSSEC say to add dnssec-lookaside auto; in the
> options, but bind reports an error:
>
> /usr/local/etc/namedb/named.conf:35: dnssec-lookaside 'auto' is no longer supported
>
> Does this mean the entire declaration is not supported, or that auto should
> be changed to something else?

The DLV registry "dlv.isc.org" has been shut down. It is now an empty zone which answers with NXDOMAIN for anyone that still has a dnssec-lookaside clause that pointed to it in named.conf or the equivalent in other name servers.

"dnssec-lookaside auto;" and "dnssec-lookaside . dlv.isc.org;" are both rejected by modern versions of BIND.

> Second, I've seen recommendations for "dnssec-validation auto;" and
> "dnssec-validation yes;" but no clear explanation on which should be used.

Use "dnssec-validation auto;" if you are on the Internet.
Use "dnssec-validation yes;" if you are on a disconnected network.

> Third, what does "not at top of zone" mean in dnssec-verify?

Some record that should have been at the zone's apex (name) wasn't. Either you passed the wrong zone name to dnssec-verify or you have put records in the wrong place in the zone.

e.g. DNSKEY, SOA and NSEC3PARAM records should only be at the top of a zone. NS records exist at top and they define the bottom of a zone. DS records should only exist at the NS records that define bottom of zone and never at the zone's apex nor in the middle of a zone.

> --
> Heisenberg's only uncertainty was what pub to vomit in next and Jung
> fancied Freud's mother too. -- Jared Earle
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
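
The record-placement rules from the last answer, as an added example that is not part of the original message and is not how dnssec-verify is implemented. The function name, the problem strings other than "not at top of zone", and the zone contents are assumptions constructed for illustration; it also shows the "wrong zone name" case by checking the same records against the origin `com`.

```python
# Added example: pre-flight check for the placement rules in the reply.
# Records are (owner, type) pairs; a real zone file would need a parser.
APEX_ONLY = {"SOA", "DNSKEY", "NSEC3PARAM"}   # types named in the reply

def norm(name):
    """Lower-case and force a single trailing dot."""
    return name.lower().rstrip(".") + "."

def check_placement(origin, records):
    """Return a sorted list of (owner, type, problem) for misplaced records."""
    origin = norm(origin)
    suffix = origin if origin == "." else "." + origin
    recs = [(norm(o), t.upper()) for o, t in records]
    # Delegation points (bottom of zone): NS owners below the apex.
    cuts = {o for o, t in recs if t == "NS" and o != origin}
    problems = []
    for owner, rtype in recs:
        if owner != origin and not owner.endswith(suffix):
            problems.append((owner, rtype, "out of zone"))
        elif rtype in APEX_ONLY and owner != origin:
            problems.append((owner, rtype, "not at top of zone"))
        elif rtype == "DS" and owner == origin:
            problems.append((owner, rtype, "DS at zone apex"))
        elif rtype == "DS" and owner not in cuts:
            problems.append((owner, rtype, "DS without NS at same name"))
    return sorted(problems)

ZONE = [  # constructed sample records for origin example.com.
    ("example.com.", "SOA"),
    ("example.com.", "NS"),
    ("example.com.", "DNSKEY"),
    ("example.com.", "NSEC3PARAM"),
    ("www.example.com.", "A"),
    ("sub.example.com.", "NS"),      # delegation: defines bottom of zone
    ("sub.example.com.", "DS"),      # correct: DS beside the delegating NS
    ("www.example.com.", "DNSKEY"),  # misplaced: apex-only type
    ("example.com.", "DS"),          # misplaced: DS at the apex
    ("mail.example.com.", "DS"),     # misplaced: no NS at this name
]

if __name__ == "__main__":
    for origin in ("example.com", "com"):   # second one is the wrong zone name
        print("origin:", origin)
        for owner, rtype, problem in check_placement(origin, ZONE):
            print(f"  {owner} {rtype}: {problem}")
```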