On 26. 09. 22 9:15, [email protected] wrote:
Please allow me to correct this:
named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
signatures (and other metadata) without validating them.
Slight problem here: My 9.18.5 named doesn't know about dnssec-enabled:
Sep 26 09:00:51 xxx named[38797]: /usr/local/etc/namedb/named.conf:18: unknown
option 'dnssec-enabled'
A bit of searching makes it look like dnssec-enable is what we want,
but:
Sep 26 09:08:21 xxx named[38797]: /usr/local/etc/namedb/named.conf:18: option
'dnssec-enable' no longer exists
What am I missing here?
Oh, I'm sorry.
I forgot this option was removed and DNSSEC metadata are _always_ passed
around in modern versions of BIND.
It is that way since 9.16.0, and the option was completely removed in
9.17.0.
I think that underlines the point that filtering DNSSEC metadata is a
bad idea :-)
--
Petr Špaček
Internet Systems Consortium
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
