Re: BIND, systemd-resolved, and nscd




On Thu, Sep 13, 2018 at 06:49:45AM -0700, Pallissard, Matthew wrote:
> > I had to add "dnssec-validation yes;" to /etc/named.conf. I have a
> 
> Are you sure you didn't want these values?
> 
> dnssec-enable no;
> dnssec-validation no;

Well, prior to the recent BIND release, the default had been "yes" -
which means "no" for me. I just wanted to make it behave the same way
as it had before. I don't know if there's a difference between that
and the options you suggested:

ftp://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html#Configuration_File_Grammar

    If set to auto, DNSSEC validation is enabled, and a default trust
    anchor for the DNS root zone is used. If set to yes, DNSSEC
    validation is enabled, but a trust anchor must be manually
    configured using a trusted-keys or managed-keys statement. The
    default is yes.

Here's my SU question BTW:

https://superuser.com/questions/1349213/how-to-debug-local-named-with-broken-dnssec

Matthew, do you know more about this stuff or were you just as
confused as I was by the "yes means no" syntax? I didn't necessarily
want to get into that in this thread, although it could potentially be
something for us to complain to the BIND maintainers about. (viz.,
people thinking they had enabled dnssec-validation when in fact they
hadn't)

Frederick
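
Added example, not part of the original message and not BIND code: a small checker that reads a named.conf and reports whether the resolver can actually validate, following the ARM paragraph quoted above ("auto" uses the built-in root anchor, "yes" needs a trusted-keys or managed-keys statement). The sample configurations, the key placeholder, the function names and the dnssec-enable default of "yes" are assumptions made for the example.

```python
import re

# Constructed sample configurations (not taken from the thread).
CONF_YES_ONLY = """
options {
    directory "/var/named";
    // dnssec-validation auto;
    dnssec-validation yes;
};
"""
CONF_YES_WITH_ANCHOR = CONF_YES_ONLY + """
managed-keys {
    . initial-key 257 3 8 "PLACEHOLDER-ROOT-KEY";
};
"""
CONF_AUTO = "options { dnssec-validation auto; };"


def strip_comments(text):
    """Drop /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def option(conf, name, default):
    """Return the first value given for a simple 'name value;' option."""
    m = re.search(r"\b%s\s+(\w+)\s*;" % re.escape(name), conf)
    return m.group(1).lower() if m else default


def effective_validation(conf_text):
    """Return (setting, validating, reason) for a named.conf string."""
    conf = strip_comments(conf_text)
    # dnssec-validation default "yes" is the one stated in the quoted ARM text;
    # dnssec-enable default "yes" is an assumption of this example.
    setting = option(conf, "dnssec-validation", "yes")
    enable = option(conf, "dnssec-enable", "yes")
    anchored = re.search(r"\b(trusted-keys|managed-keys)\s*\{", conf) is not None
    if enable == "no" or setting == "no":
        return setting, False, "DNSSEC switched off"
    if setting == "auto":
        return setting, True, "built-in root trust anchor"
    if anchored:
        return setting, True, "manually configured trust anchor"
    return setting, False, "validation on, but no trust anchor configured"


if __name__ == "__main__":
    for label, conf in [("yes only", CONF_YES_ONLY), ("auto", CONF_AUTO),
                        ("yes + anchor", CONF_YES_WITH_ANCHOR)]:
        print(label, effective_validation(conf))
```

The "yes only" case is the one described in the message: the option reads as enabled, yet without a trust anchor nothing can be validated.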


