> On 27 Sep 2022, at 00:58, Benny Pedersen <m...@junc.eu> wrote:
>
> Bjørn Mork wrote on 2022-09-26 08:50:
>> Petr Špaček <pspa...@isc.org> writes:
>>> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
>>> signatures (and other metadata) without validating them.
>>> named.conf statement 'dnssec-validation auto;' then enables DNSSEC
>>> validation itself.
>>> In other words, it is possible to allow DNSSEC to work for forwarders
>>> without doing validation itself. If the ISP in question resists
>>> enabling DNSSEC then at least 'dnssec-enabled yes; dnssec-validation
>>> no;' configuration would improve situation for people who care.
>> Thanks. Did not know this. Sorry for the disinformation.
>
> imho dnssec-validation auto; has a bug as it validates domains without DS
> set

Every answer is supposed to be validated. This is what is REQUIRED by DNSSEC. The result of that validation can be insecure, valid, or bogus. The presence or absence of DS at the delegation tells the validator whether answers from a zone should be signed or not and, if they are signed, what DNSSEC algorithms are present. It is a myth that zones without DNSSEC are not validated.

> hope bind developers can confirm or deny it
>
> dnssec-enabled yes; is deprecated in gentoo latest stable version 9.16.30
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
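The three validation results named in the reply above can be observed from a client of a validating resolver. The following is an added example, not part of the original thread: it classifies constructed `dig` header excerpts, assuming the resolver has validation enabled and the query requested DNSSEC status (for example `dig +dnssec`); the function names are hypothetical.

```python
import re

# Constructed dig header excerpts (not captured from a real resolver).
SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
CD_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""


def parse_header(text):
    """Return (rcode, set_of_flags) from dig's two header lines."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]*);", text)
    if not status or not flags:
        raise ValueError("not a dig header")
    return status.group(1), set(flags.group(1).split())


def classify(normal, with_cd=None):
    """Classify the validation result seen through a validating resolver.

    normal  : header of the plain query
    with_cd : header of the same query with checking disabled (dig +cd)
    """
    rcode, flags = parse_header(normal)
    if rcode in ("NOERROR", "NXDOMAIN"):
        # AD set: the chain of trust validated. AD clear: validation still ran
        # and found no DS at a delegation, so the result is "insecure".
        return "secure" if "ad" in flags else "insecure"
    if rcode == "SERVFAIL" and with_cd is not None:
        cd_rcode, _ = parse_header(with_cd)
        # Data is returned only when checking is disabled: validation failed.
        if cd_rcode in ("NOERROR", "NXDOMAIN"):
            return "bogus"
    return "unknown"  # SERVFAIL for a non-DNSSEC reason, or not enough data


if __name__ == "__main__":
    print(classify(SECURE), classify(INSECURE), classify(SERVFAIL, CD_OK))
```

An answer from a zone without DS comes back as "insecure" here, which is itself a validation result rather than a sign that validation was skipped.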