On Tue, 20 Jan 2015 13:51:04 +0100 Benny Pedersen <me@junc.eu> wrote:

> and in named.conf
> dnssec-enable yes; dnssec-lookaside auto; dnssec-validation auto;
> The 2 last options must not be "yes"; this will disable DANE. With "auto", DANE works.
The difference is:

* "auto" enables validation and the built-in trust anchor for the Internet root DNS zone
* "yes" enables validation, but the BIND 9 configuration needs to have a trust anchor manually configured (via "trusted-keys" or "managed-keys" statements)

When using BIND 9 for Internet DNS name resolution, "auto" is the recommended setting. "yes" can be used for a local, non-Internet trust anchor or for a local signed copy of the root zone.
> in resolv.conf only have nameserver 127.0.0.1

Well, only DNS resolvers that do DNSSEC validation (send the AD flag) and are reachable over a trusted network.
> and bind9 must not have any forwarders!

BIND 9 can have forwarders, but these forwarders should pass the DNSSEC records through unchanged. If the forwarders strip out data, DNSSEC validation fails.

In general it is recommended not to use forwarders unless there is a very good case for it (like no direct connection to the Internet on port 53).

There is nothing wrong with direct iterative name resolution; it is usually faster than using forwarders.
Best regards
Carsten Strotmann
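As an added check (not part of Carsten's reply or of BIND itself), a small shell script that tells apart the three cases discussed above on a running resolver: it validates (AD flag set), it passes DNSSEC records through without validating, or a forwarder on the path strips them. It assumes `dig` is installed and that the public test zone dnssec-failed.org, whose signature is deliberately broken, is still live.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify a resolver's
# DNSSEC behaviour from dig output. Assumes dig (bind-utils / dnsutils) is
# installed and that dnssec-failed.org, a public zone with a deliberately
# broken signature, is still live.

# Exit 0 when the dig output on stdin has the AD (authentic data) flag set.
# The header line looks like: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
has_ad_flag() {
    grep -E '^;; flags:.* ad[; ]' >/dev/null
}

# Print the status word (NOERROR, SERVFAIL, ...) from the dig header on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# Exit 0 when the dig output on stdin contains an RRSIG record, i.e. the
# resolver (or forwarder) passed the DNSSEC data through.
has_rrsig() {
    grep -E '^[^;].*[[:space:]]IN[[:space:]]+RRSIG[[:space:]]' >/dev/null
}

check_resolver() {
    resolver="${1:-127.0.0.1}"
    # 1. The root SOA is signed: a validating resolver must set AD on it.
    out=$(dig @"$resolver" +dnssec . SOA)
    if printf '%s\n' "$out" | has_ad_flag; then
        echo "OK: $resolver validates (AD set for the root SOA)"
    elif printf '%s\n' "$out" | has_rrsig; then
        echo "WARN: RRSIG present but AD not set: DNSSEC data is passed but not validated"
    else
        echo "FAIL: no RRSIG in the answer: something on the path strips DNSSEC records"
    fi
    # 2. A zone with a broken signature must be rejected with SERVFAIL.
    status=$(dig @"$resolver" +dnssec dnssec-failed.org A | dig_status)
    case "$status" in
        SERVFAIL) echo "OK: bogus zone rejected ($status)" ;;
        *)        echo "FAIL: bogus zone answered with '$status'; validation is not enforced" ;;
    esac
}

# Run only when a resolver address is given: sh dnssec_check.sh 127.0.0.1
[ $# -gt 0 ] && check_resolver "$1"
```

A resolver set up as recommended in the thread (dnssec-validation auto, no forwarders) should print OK for both checks; WARN on the first check is the symptom of validation being off, FAIL the symptom of a forwarder dropping the records.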