Carsten Strotmann cs at
Tue Jan 20 18:22:35 CET 2015

On Tue, 20 Jan 2015 13:51:04 +0100
Benny Pedersen <me at> wrote:

> and in named.conf
> 	dnssec-enable yes;
> 	dnssec-lookaside auto;
> 	dnssec-validation auto;
> 2 last options must not be yes, this will disable dane, with auto
> dane works

The difference is

* "auto" enables validation and the built-in trust anchor for the
  Internet root DNS zone
* "yes" enables validation, but the BIND 9 configuration needs to have a
  trust anchor manually configured (via "trusted-keys" or "managed-keys").

When using BIND 9 for Internet DNS name resolution, "auto" is the
recommended setting. "yes" can be used for a local, non-Internet
trust anchor or for a local signed copy of the root zone.

> in resolv.conf only have nameserver

well, only DNS resolvers that do DNSSEC validation (send the AD flag)
reachable over a trusted network.

> and bind9 must not have any forwarders !

BIND 9 can have forwarders, but these forwarders should pass the DNSSEC
records without changes. If the forwarders strip out data, DNSSEC
validation fails.

In general it is recommended to not use forwarders until there is a
very good case for it (like no direct connection to the Internet on port

There is nothing wrong with direct iterative name resolution, it is
usually faster than using forwarders.

Best regards

Carsten Strotmann
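The two checks implied above (a validating resolver sets the AD flag, and a forwarder must pass RRSIG records through unchanged) can be scripted around dig. The script below is an added example, not part of the original message: it inspects dig output for the AD flag and RRSIG records, using constructed sample output so it runs offline; `check_resolver` assumes dig is installed.

```shell
#!/bin/sh
# Check whether the answers a resolver or forwarder hands back still carry
# DNSSEC data: the AD (authenticated data) flag in the header and RRSIG
# records in the answer section. A forwarder that strips these breaks
# validation in the BIND 9 instance behind it.

# has_dnssec_data: reads dig output on stdin; returns 0 when the AD flag
# is set AND at least one RRSIG record is present, 1 otherwise.
has_dnssec_data() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^;; flags:[^;]* ad[ ;]' || return 1
    printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]][[:space:]]*RRSIG[[:space:]]' || return 1
    return 0
}

# check_resolver RESOLVER NAME: live check against a resolver (assumes dig is installed).
check_resolver() {
    dig +dnssec @"$1" "$2" A | has_dnssec_data
}

# Constructed sample dig outputs (not real captures), trimmed to the lines that matter.
SAMPLE_VALIDATING=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.   3600  IN  A      192.0.2.1
example.com.   3600  IN  RRSIG  A 8 2 3600 20150301000000 20150201000000 12345 example.com. c29tZXNpZw=='

SAMPLE_STRIPPED=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.   3600  IN  A      192.0.2.1'

if printf '%s\n' "$SAMPLE_VALIDATING" | has_dnssec_data; then
    echo "sample 1: DNSSEC data intact (AD flag and RRSIG present)"
fi
if ! printf '%s\n' "$SAMPLE_STRIPPED" | has_dnssec_data; then
    echo "sample 2: DNSSEC data missing, forwarder strips records or does not validate"
fi
```

For a live test of a forwarder, run `check_resolver <forwarder-ip> <signed-zone-name>` and treat a non-zero exit as a forwarder that is not safe to put in front of a validating BIND 9.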
