In message <[email protected]>, Thomas Sturm writes:
> Dear all,
>
> According to the documentation of the option 'dnssec-must-be-secure',
> which reads like
>
> "Specify hierarchies which must be or may not be secure (signed
> and validated). If yes, then named will only accept answers if
> they are secure. If no, then normal DNSSEC validation applies
> allowing for insecure answers to be accepted. The specified domain
> must be under a trusted-keys or managed-keys statement, or
> dnssec-lookaside must be active."
>
> I understand that I should be able to resolve dnssec-failed.org
> successfully with a config like:
>
> managed-keys {
>     . initial-key 257 3 8 [current root key];
> };
>
> options {
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-must-be-secure dnssec-failed.org no;
> };
No. Insecure != invalid. Insecure zones don't have a DNSSEC chain of trust to a configured trust anchor.

> I have a managed-keys statement and dnssec-validation is set to "yes",
> and not "auto" (which might be a problem as I read elsewhere). However,
> this doesn't work.
>
> 02-Feb-2016 17:29:47.036 broken trust chain resolving
> 'dnssec-failed.org/A/IN': 69.252.250.103#53
>
> Am I doing something wrong, or is this not the actual intended usage of
> this option?

The intended use is to catch policy errors where a zone is made insecure but should not have been.

> Of course, my use case is not resolving broken DNSSEC zones, but
> resolving forwarded local zones (non-existing TLD), however, above
> example should make the question more obvious.
>
> Thanks for any input.
>
> Cheers,
> Thomas
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
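The distinction Mark draws (insecure is not the same as bogus, and `dnssec-must-be-secure ... no` only restores normal validation) is easy to model. The following is an added illustration, not code from named or from anyone in this thread: a toy validator that walks a constructed chain of delegations from the trust anchor down to the queried name, classifies the result as secure, insecure or bogus, and then applies a `dnssec-must-be-secure`-style policy table. The chain outcomes, domain names other than dnssec-failed.org, and the longest-match rule for overlapping policy entries are all assumptions made for the example.

```python
"""Toy model of DNSSEC validation states versus the dnssec-must-be-secure policy.

Added example, not named's implementation.  A resolution is modelled as the
list of delegation steps from the configured trust anchor to the queried name;
each step has one of three constructed outcomes.
"""
from enum import Enum


class Link(Enum):
    SIGNED_OK = "signed; DS/DNSKEY/RRSIG validate"
    SIGNED_BAD = "signed; signature or DS does not validate"
    UNSIGNED = "authenticated proof that no DS exists (unsigned delegation)"


class Status(Enum):
    SECURE = "secure"      # full chain of trust to the anchor
    INSECURE = "insecure"  # chain ends at a provably unsigned delegation
    BOGUS = "bogus"        # a link is signed but fails validation


def validate_chain(links):
    """Walk from the trust anchor downwards.

    A failing link makes the answer bogus (named logs 'broken trust chain').
    An authenticated unsigned delegation ends the chain as insecure.
    If every link validates, the answer is secure.
    """
    for link in links:
        if link is Link.SIGNED_BAD:
            return Status.BOGUS
        if link is Link.UNSIGNED:
            return Status.INSECURE
    return Status.SECURE


def name_under(name, domain):
    """True if name equals domain or lies below it (case-insensitive)."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def accept(name, status, must_be_secure):
    """Apply a dnssec-must-be-secure table: {domain: True for 'yes', False for 'no'}.

    Bogus answers are always rejected; no policy entry can rescue them.
    Insecure answers are rejected only under a hierarchy marked 'yes'.
    'no' simply leaves normal validation in place.
    Overlapping entries: the longest (most specific) domain wins (assumption).
    """
    if status is Status.BOGUS:
        return False
    if status is Status.INSECURE:
        matches = [d for d in must_be_secure if name_under(name, d)]
        if matches:
            best = max(matches, key=len)
            return not must_be_secure[best]
    return True


def resolve(name, links, must_be_secure):
    """Return (status, accepted) for a constructed chain and policy table."""
    status = validate_chain(links)
    return status, accept(name, status, must_be_secure)


if __name__ == "__main__":
    # Constructed chains: root -> TLD -> zone.
    bogus_chain = [Link.SIGNED_OK, Link.SIGNED_OK, Link.SIGNED_BAD]
    insecure_chain = [Link.SIGNED_OK, Link.SIGNED_OK, Link.UNSIGNED]
    secure_chain = [Link.SIGNED_OK, Link.SIGNED_OK, Link.SIGNED_OK]

    # The configuration from the thread: the 'no' entry cannot make a bogus zone resolve.
    print(resolve("dnssec-failed.org", bogus_chain, {"dnssec-failed.org": False}))
    # An unsigned (insecure) zone resolves by default ...
    print(resolve("www.insecure.example", insecure_chain, {}))
    # ... but is rejected once its hierarchy is marked 'yes'.
    print(resolve("www.insecure.example", insecure_chain, {"insecure.example": True}))
    print(resolve("www.secure.example", secure_chain, {"secure.example": True}))
```

The first call reproduces the thread's observation: the answer for dnssec-failed.org is bogus, so it is rejected regardless of the `no` entry. The second and third calls show what the option is for: catching a hierarchy that unexpectedly turns insecure. The thread does not cover it, but later named releases provide a separate `validate-except` option for exempting a domain from validation, which is the relevant knob for forwarded local zones.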

