DNSSEC validation - how can I tell if my server is doing it?
15 Oct 2018

System administrators sometimes need a quick answer to the question "Is my DNS server doing DNSSEC validation or not?" Usually this is because they've just received notification of a BIND security advisory and aren't sure if it is applicable to their production environment or not.

DNSSEC validation is performed by servers that answer client queries with data obtained from other servers; typically these servers are configured to provide recursive service. BIND servers cannot and do not perform DNSSEC validation on RRsets that they themselves hold and serve authoritatively, that is, zone data for which they are primary/master or secondary/slave.

In order to perform DNSSEC validation, all of the factors below need to be present:

  • The server is providing answers to clients that are obtained from other servers. Typically you'll see one or more of the following in named.conf:
    • recursion yes;
    • allow-recursion { list of addresses or ranges that are permitted };
    • allow-recursion-on { list of interfaces on which recursive queries will be accepted };

    Absence of specific options permitting recursion may be misleading. The default settings for whether recursion is permitted are that anyone on the local host or local network(s) can make recursive queries. This may be altered by what has been configured for allow-query-cache or allow-query; please refer to the Administrator Reference Manual (ARM) for the version of BIND that you are using. Generally, though, if you see recursion no; in your named.conf file, your server (or those views on your server to which this option applies) does not permit recursion.

  • The server is configured to permit DNSSEC validation. There are two settings that control this:
    • dnssec-enable yes; (this enables the server to respond with DNSSEC information to clients that request it)
    • dnssec-validation yes; or dnssec-validation auto; (the former requires manually-configured trust anchors using trusted-keys or managed-keys; the latter uses BIND's built-in managed keys)

    DNSSEC-validation is disabled by default. Even if nothing is configured at all, the defaults for all modern versions of BIND are dnssec-enable yes; and dnssec-validation yes; however, the setting dnssec-validation yes; is ineffectual unless the server has access to trust anchors from which to establish a DNSSEC-validated chain of trust.

  • The server has access to trust anchors from which to establish a DNSSEC-validated chain of trust:
    • trusted-keys { some manually-maintained DNSSEC keys, usually for the root zone }; (Trusted-keys are copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust.)
    • managed-keys { some automatically-maintained DNSSEC keys, usually for the root zone }; (The managed-keys statement, like trusted-keys, defines DNSSEC security roots. The difference is that managed-keys can be kept up to date automatically, without intervention from the resolver operator.)

If you don't see any statements at all in your named.conf file (and all its include files too) that match keywords 'dnssec', 'trusted-keys' or 'managed-keys', then it is unlikely that your BIND server has DNSSEC-validation enabled. 
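The keyword search described above can be automated. The following script is an added example, not ISC's own tooling: it walks a named.conf plus every file it pulls in with include "..."; and applies this article's checklist (recursion not switched off, dnssec-enable and dnssec-validation not set to no, and either dnssec-validation auto; or a trusted-keys/managed-keys block). It assumes include paths are absolute or relative to the current directory, treats settings globally rather than per view, and also recognises the trust-anchors statement of newer BIND releases, which this article does not mention.

```shell
#!/bin/sh
# Added example (not ISC code): report whether a BIND configuration looks like
# a validating resolver, using the statements this article lists.
# Assumptions: include paths resolve from the current directory; settings are
# evaluated globally, so per-view differences are not distinguished.

# List the config file and, recursively, every file it includes.
# Lines that are // or # comments are ignored; include depth is capped at 10.
collect_conf() {
    [ -f "$1" ] || return 0
    [ "${2:-0}" -lt 10 ] || return 0
    printf '%s\n' "$1"
    grep -Ev '^[[:space:]]*(//|#)' "$1" \
        | sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' \
        | while IFS= read -r inc; do
              collect_conf "$inc" $(( ${2:-0} + 1 ))
          done
}

# Succeed when an uncommented line in any collected file matches the
# extended regex in $2. Matches are counted across all files.
has_stmt() {
    n=$(collect_conf "$1" | while IFS= read -r f; do
            grep -Ev '^[[:space:]]*(//|#)' "$f" | grep -Ec "$2"
        done | awk '{ s += $1 } END { print s + 0 }')
    [ "$n" -gt 0 ]
}

# Statement patterns: a keyword may sit at line start or after '{', ';' or
# whitespace, so one-line "options { recursion no; };" is matched too.
W='(^|[^-[:alnum:]])'

# Apply the article's checklist. Prints one line per finding and returns 0
# when the configuration looks like a validating resolver, 1 otherwise.
dnssec_check() {
    conf=$1
    verdict=0
    if has_stmt "$conf" "${W}recursion[[:space:]]+no[[:space:]]*;"; then
        echo "recursion no; found: server does not recurse, so it cannot validate"
        verdict=1
    fi
    if has_stmt "$conf" "${W}dnssec-enable[[:space:]]+no[[:space:]]*;"; then
        echo "dnssec-enable no; found: DNSSEC processing is switched off"
        verdict=1
    fi
    if has_stmt "$conf" "${W}dnssec-validation[[:space:]]+no[[:space:]]*;"; then
        echo "dnssec-validation no; found: validation is switched off"
        verdict=1
    fi
    if has_stmt "$conf" "${W}dnssec-validation[[:space:]]+auto[[:space:]]*;"; then
        echo "dnssec-validation auto; found: BIND's built-in managed keys supply the trust anchor"
    elif has_stmt "$conf" "${W}(trusted-keys|managed-keys|trust-anchors)[[:space:]]*\\{"; then
        echo "trust anchor block found: trusted-keys/managed-keys/trust-anchors configured"
    else
        echo "no trust anchors found: dnssec-validation yes; (the default) cannot build a chain of trust"
        verdict=1
    fi
    return $verdict
}

# Usage: sh check-dnssec.sh /etc/named.conf
[ $# -gt 0 ] && dnssec_check "$1"
```

The exit status is what a scripted inventory would consume: 0 means every factor the article requires is present, 1 means recursion or validation is switched off or no trust anchors could be found. Because the check is textual, a view that overrides recursion or dnssec-validation will not be reported separately; read the named.conf by hand when views are in use.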

For more information regarding DNSSEC, how it works, and how to configure it, please see the BIND Administrator Reference Manual, and other articles about DNSSEC in this Knowledgebase. Use the "Filter" box at the top left corner of this page to search for the topic.