<para>
Enable, disable, or check the current status of
DNSSEC validation. By default, validation is enabled.
- (Note that <command>dnssec-enable</command> must also be
- <userinput>yes</userinput> (the default value) for signatures
- to be returned along with validated data. If validation is
- enabled while <command>dnssec-enable</command> is set to
- <userinput>no</userinput>, the server will validate internally,
- but will not supply clients with the necessary records to allow
- validity to be confirmed.)
</para>
</listitem>
</varlistentry>
</section>
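Review bot: dropping the parenthetical is consistent with `dnssec-enable` being documented as obsolete later in this patch, but the sentence that remains at the top of this entry, "By default, validation is enabled", should be reconciled with the `dnssec-validation` reference entry below, where the default is described as `auto` (and `yes` only when BIND is built with `configure --disable-auto-validation`). Suggest wording it as "By default, validation is enabled (`dnssec-validation auto`)" so that the `rndc validation` description and the option reference state the same default.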
<section xml:id="dnssec_config"><info><title>Configuring Servers for DNSSEC</title></info>
- <para>
- To enable <command>named</command> to respond appropriately
- to DNS requests from DNSSEC-aware clients,
- <command>dnssec-enable</command> must be set to
- <userinput>yes</userinput>. This is the default setting.
- </para>
<para>
To enable <command>named</command> to validate answers
received from other servers, the
built with <command>configure --disable-auto-validation</command>,
in which case the default is <userinput>yes</userinput>.
</para>
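Review bot: removing this paragraph leaves the "Configuring Servers for DNSSEC" section with no statement at all about the response side (answering DNSSEC-aware clients); since the option is now described as having no effect, a one-sentence replacement saying that no configuration is required for `named` to return DNSSEC-related records would preserve that information instead of dropping it silently. Also, the surviving paragraph that now opens the section reads "To enable `named` to validate answers received from other servers, the built with `configure --disable-auto-validation`", which is missing the clause naming the `dnssec-validation` option and its `auto` default; please check that the paragraph is intact in the patched file, as it is the only place in the section that names the option.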
- <para>
- If <command>dnssec-enable</command> is set to
- <userinput>no</userinput>, then the default for
- <command>dnssec-validation</command> is also changed to
- <userinput>no</userinput>. If
- <command>dnssec-validation</command> is set to
- <userinput>yes</userinput>, the server will
- perform DNSSEC validation internally, but will not return
- signatures when queried - but it will not be turned on
- automatically.
- </para>
<para>
<command>trusted-keys</command> are copies of DNSKEY RRs
options {
...
- dnssec-enable yes;
dnssec-validation yes;
};
</programlisting>
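Review bot: deleting the paragraph and the `dnssec-enable yes;` line from the listing is the right change, as the paragraph's last sentence ("but will not return signatures when queried - but it will not be turned on automatically") was already incoherent and the example line would otherwise advertise a no-op option. However, the listing now shows only `dnssec-validation yes;` while the reference entry below distinguishes `yes` from the `auto` default and the surrounding text discusses `trusted-keys`; a comment in the listing saying which mode the example demonstrates (explicit trust anchors via `yes`, as opposed to the default `auto`) would keep the example from being read as the recommended setting.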
<term><command>dnssec-enable</command></term>
<listitem>
<para>
- This indicates whether DNSSEC-related resource
- records are to be returned by <command>named</command>.
- If set to <userinput>no</userinput>,
- <command>named</command> will not return DNSSEC-related
- resource records unless specifically queried for.
- The default is <userinput>yes</userinput>.
+ This option is obsolete and has no effect.
</para>
</listitem>
</varlistentry>
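Review bot: "This option is obsolete and has no effect" should also state since which version the option became obsolete and what `named` does when it is still present in `named.conf` (accepted with a warning, or a configuration error), otherwise an operator who has `dnssec-enable no;` in an existing configuration cannot tell from this entry whether the server will still start after upgrading. Suggest something like "This option is obsolete as of BIND [VERSION] and has no effect; it is still accepted in `named.conf` for compatibility and logs a warning" with the version and the actual behaviour filled in from the code.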
<term xml:id="dnssec_validation_term"><command>dnssec-validation</command></term>
<listitem>
<para>
- This enables DNSSEC validation in <command>named</command>.
- Note that <command>dnssec-enable</command> also needs to
- be set to <userinput>yes</userinput> for signatures to be
- returned to the client along with validated answers.
+ This option enables DNSSEC validation in
+ <command>named</command>.
</para>
<para>
If set to <userinput>auto</userinput>,
BIND is built with
<command>configure --disable-auto-validation</command>,
in which case the default is <userinput>yes</userinput>.
- If <command>dnssec-enable</command> is set to
- <userinput>no</userinput>, then the default for
- <command>dnssec-validation</command> is also
- <userinput>no</userinput>. Validation can still be turned on
- if desired - this results in a server that performs DNSSEC
- validation but does not return signatures when queried -
- but it will not be turned on automatically.
</para>
<para>
The default root trust anchor is stored in the file
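Review bot: the replacement sentence "This option enables DNSSEC validation in `named`" reads as if the option were a boolean, but the same entry documents three settings (`auto`, `yes`, and `no`); suggest "This option controls DNSSEC validation in `named`; it may be set to `yes`, `no`, or `auto`." Removing the second block of lines also drops the only remaining description of what `yes` means when no built-in trust anchor is used, so the following paragraph, which now only covers `auto` and the `--disable-auto-validation` build, should say explicitly that `yes` requires trust anchors to be configured (the `trusted-keys` text and the default root trust anchor file mentioned nearby are the natural cross-references).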