> BIND 9.14.8 (Stable Release)
> When I start the server, I get such a prompt. Are there any parameters I
> [can] turn off? After all, not all servers implement DNSSEC
>
> 09-Dec-2019 16:17:46.497 dnssec: warning: managed-keys-zone: Unable to
> fetch DNSKEY set '.': timed out

This appears to be an indication that your recursive server is unable
to speak directly with the root name servers, I would think?  You could
probably debug that with "dig"; you could try

  dig @<root-name-server> . dnskey

While it is most certainly true that not all publishing name servers
implement DNSSEC, that is not a necessary requirement for enabling
DNSSEC processing in your recursive name server.  BIND will figure out
by itself if lookups in the target zone should be DNSSEC-validated
(signaled by the presence of a signed DS record for the zone in the
parent zone), and will only do DNSSEC validation if that is the case,
allowing incremental deployment.

Regards,

- Håvard

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
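
The dig check suggested above, as an added example that is not part of the original message and is not ISC code. It goes beyond the single query by comparing a small UDP query, the DNSKEY query over UDP and the same query over TCP. Assumptions: 198.41.0.4 is a.root-servers.net, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: narrow down why "Unable to fetch DNSKEY set '.'" times out.
ROOT=${ROOT:-198.41.0.4}   # assumption: a.root-servers.net

# Read dig output on stdin; print one verdict: timeout | error | empty | ok
classify_reply() {
    rtype=$1
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo timeout; return ;;
    esac
    case "$out" in
        *"status: NOERROR"*) ;;
        *) echo error; return ;;
    esac
    # Count answer records of the wanted type (RRSIG and ';' lines are skipped).
    n=$(printf '%s\n' "$out" |
        awk -v t="$rtype" '$1 == "." && $3 == "IN" && $4 == t { c++ } END { print c + 0 }')
    if [ "$n" -gt 0 ]; then echo ok; else echo empty; fi
}

# Args: verdicts for small UDP query, DNSKEY over UDP, DNSKEY over TCP.
diagnose() {
    case "$1/$2/$3" in
        ok/ok/*) echo "root reachable; DNSKEY fetch works over UDP" ;;
        ok/*/ok) echo "large UDP replies lost or truncated; check EDNS/fragment filtering" ;;
        */*/ok)  echo "UDP port 53 blocked; only TCP reaches the root" ;;
        ok/*/*)  echo "only small UDP replies arrive; large replies and TCP are blocked" ;;
        *)       echo "no path to the root server; check routing and firewall" ;;
    esac
}

# Live check; needs dig and network access.
probe() {
    common="+norec +time=3 +tries=1"
    s=$(dig @"$ROOT" . SOA    $common +notcp +noedns         2>&1 | classify_reply SOA)
    u=$(dig @"$ROOT" . DNSKEY $common +notcp +dnssec +ignore 2>&1 | classify_reply DNSKEY)
    t=$(dig @"$ROOT" . DNSKEY $common +tcp +dnssec           2>&1 | classify_reply DNSKEY)
    echo "soa-udp=$s dnskey-udp=$u dnskey-tcp=$t"
    diagnose "$s" "$u" "$t"
}

if [ "${1:-}" = "--live" ]; then
    probe
else
    diagnose ok timeout ok   # constructed verdicts, offline demonstration
fi
```

Run it with `--live` on the host where named runs, so the queries take the same network path as the resolver.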