
Re: [dns-wg] Query on Resolver w.r.t DNSSEC

  • To: "Natarajan,Ganesh" < >
    "Khaleelulla,Syed" < >
  • From: Samuel Weiler < >
  • Date: Tue, 23 Nov 2004 09:10:22 -0500 (EST)

On Mon, 22 Nov 2004, Natarajan,Ganesh wrote:

> Does DNS BIND 9.2.3 support caching and verification of RRs
> (resource records) on the resolver library part by default?

RFC2535 is being obsoleted -- three replacement documents are in the
RFC Editor queue right now.  The changes between 2535-DNSSEC and
DNSSECbis are substantial and incompatible.  Only BIND 9.3.0 and later
support these recent changes, and it's expected that 2535-DNSSEC is
dead.  While 9.2.3 does have a DNSSEC validator, it's pretty useless
-- if you want DNSSEC, you need to use more modern code.

> we wanted to know, whether by default any authentication is enabled
> at the resolver part in BIND 9.2.3.

No.  9.2.3 has a compile-time option for enabling DNSSEC support in
the code.  Even if the features are enabled, no validation is done
unless trust anchors are defined (via the trusted-keys config line).

> Is this CD bit disabled or enabled in BIND 9.2.3?

BIND 9.2.3, as a recursive resolver, will not issue queries with the
CD bit set (unless it gets queries with the CD bit set).  That means
that any upstream resolvers that are doing DNSSEC validation will
still do it.  As above, the BIND 9.2.3 code won't do validation unless
the DNSSEC code is enabled and at least one trust anchor is
configured.

-- Sam
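
Added example, not part of the original message and not BIND's code: a minimal Python model of the CD-bit pass-through described above, useful for checking the header flags in captured queries. The function names and the sample query are constructed, and the upstream is assumed to be a forwarder (so RD stays set).

```python
import struct

# DNS header flag bits (RFC 1035, with AD/CD as defined for DNSSEC)
QR = 0x8000  # 0 = query, 1 = response
RD = 0x0100  # Recursion Desired
AD = 0x0020  # Authenticated Data
CD = 0x0010  # Checking Disabled

def build_query(qname, qtype=1, msg_id=0x1234, cd=False):
    """Encode a one-question query (class IN), optionally with CD set."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!6H", msg_id, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte header into the fields relevant here."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": msg_id, "is_response": bool(flags & QR),
            "rd": bool(flags & RD), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "counts": (qd, an, ns, ar)}

def upstream_query(client_msg, new_id):
    """Re-issue a client query upstream.

    CD is copied from the client query and never added on the resolver's
    own initiative, so a validating upstream still validates unless the
    client itself asked for checking to be disabled.
    """
    hdr = parse_header(client_msg)
    if hdr["is_response"]:
        raise ValueError("expected a query, got a response")
    flags = RD | (CD if hdr["cd"] else 0)  # assumption: upstream is a forwarder
    header = struct.pack("!6H", new_id, flags, *hdr["counts"])
    return header + client_msg[12:]

if __name__ == "__main__":
    for cd in (False, True):
        client = build_query("example.com", cd=cd)  # constructed sample
        sent = parse_header(upstream_query(client, new_id=0x4242))
        print(f"client CD={cd} -> upstream CD={sent['cd']}")
```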


