cs at sys4.de
Tue Jan 20 18:22:35 CET 2015
On Tue, 20 Jan 2015 13:51:04 +0100
Benny Pedersen <me at junc.eu> wrote:
> and in named.conf
> dnssec-enable yes;
> dnssec-lookaside auto;
> dnssec-validation auto;
> 2 last options must not be yes, this will disable dane, with auto
> dane works
The difference is:
* "auto" enables validation and the built-in trust anchor for the
Internet root-dns zone
* "yes" enables validation, but the BIND 9 configuration needs to have a
trust-anchor manually configured (via "trusted-keys" or "managed-keys")
When using BIND 9 for Internet DNS name resolution, "auto" is the
recommended setting. "yes" can be used for a local, non-Internet
trust-anchor or for a local signed copy of the root-zone.
> in resolv.conf only have nameserver 127.0.0.1
Well, only DNS resolvers that do DNSSEC validation (send the AD flag)
reachable over a trusted network.
> and bind9 must not have any forwarders !
BIND 9 can have forwarders, but these forwarders should pass the DNSSEC
records without changes. If the forwarders strip out data, DNSSEC
In general it is recommended to not use forwarders until there is a
very good case for it (like no direct connection to the Internet on port
There is nothing wrong with direct iterative name resolution; it is
usually faster than using forwarders.
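Added example (not from the list post or from ISC): a named.conf fragment for a BIND 9 validating resolver that shows the two settings discussed above side by side. Variant A ("auto") is active; variant B ("yes" plus a manually configured managed-keys trust anchor) is inside a block comment so the file still loads as-is. The key material and the zone name "example.internal." are placeholders, and 192.0.2.53 is an RFC 5737 documentation address. "dnssec-lookaside" is left out: ISC's DLV registry was decommissioned in 2017 and the option is gone from current BIND 9 releases. Newer BIND 9 versions spell the trust-anchor statement "trust-anchors" instead of "managed-keys".

```conf
// Added example for a BIND 9 validating resolver (not the post's own config).
// Variant A is active, variant B is shown commented out. Use one, not both.

// --- Variant A: recommended for Internet name resolution ---------------
options {
    // "auto" turns on validation AND uses the root trust anchor compiled
    // into BIND 9, kept current via RFC 5011 managed keys. Nothing has to
    // be pasted in by hand.
    dnssec-validation auto;

    // Answer recursive queries only for the local host, as in the post
    // ("nameserver 127.0.0.1" in resolv.conf).
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; };
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };

    // Deliberately no "forwarders" clause: the resolver iterates itself,
    // so no upstream can strip RRSIG/DS/TLSA records before they arrive.
};

/* --- Variant B: "yes" requires an explicitly configured trust anchor ----
options {
    dnssec-validation yes;
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; };
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
};

// For a local, non-Internet trust anchor or a locally signed root copy.
// PLACEHOLDER key: replace with the real KSK DNSKEY of the zone you trust.
// Fields: <zone> initial-key <flags> <protocol> <algorithm> "<base64 key>"
//         257 = KSK flag bits, 3 = DNSSEC protocol, 8 = RSA/SHA-256
managed-keys {
    "example.internal." initial-key 257 3 8 "PLACEHOLDER-BASE64-DNSKEY";
};
   --- end of variant B ------------------------------------------------- */

// Only if an upstream forwarder is unavoidable: it must pass DNSSEC data
// through unchanged. Before enabling it, run
//     dig @192.0.2.53 . DNSKEY +dnssec
// and confirm RRSIG records come back in the answer section.
//   forwarders { 192.0.2.53; };   // RFC 5737 documentation address
//   forward only;
```

Check the syntax with `named-checkconf /etc/named.conf`, reload, then query the resolver with `dig @127.0.0.1 . SOA +dnssec`: a working validator returns `flags: qr rd ra ad` in the header. If the `ad` flag is missing for a zone you know to be signed, either validation is not on or something between the resolver and the authoritative servers is dropping the DNSSEC records, which is exactly the forwarder problem the post warns about.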