Bjørn Mork wrote on 2022-09-26 08:50:
> Petr Špaček <pspa...@isc.org> writes:
>> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
>> signatures (and other metadata) without validating them.
>> named.conf statement 'dnssec-validation auto;' then enables DNSSEC
>> validation itself.
>> In other words, it is possible to allow DNSSEC to work for forwarders
>> without doing validation itself. If the ISP in question resists
>> enabling DNSSEC then at least 'dnssec-enabled yes; dnssec-validation
>> no;' configuration would improve the situation for people who care.
> Thanks. Did not know this. Sorry for the disinformation.
imho dnssec-validation auto; has a bug as it validates domains without
DS set
hope bind developers can confirm or deny it
dnssec-enabled yes; is deprecated in gentoo latest stable version
9.16.30
--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users