DNSSEC validation - how can I tell if my server is doing it?
System administrators sometimes need a quick answer to the question "Is my DNS server doing DNSSEC validation or not?" Usually this is because they've just received notification of a BIND security advisory and aren't sure if it is applicable to their production environment or not.
DNSSEC validation is performed on servers that are providing answers to client queries that have been obtained from other servers. Typically these servers will be configured to provide recursive services. BIND servers cannot and do not perform DNSSEC validation on RRsets that they themselves hold and serve authoritatively, that is, for zone data for which they are primary/master or secondary/slave.
In order to perform DNSSEC validation, all of the factors below need to be present:
- The server is providing answers to clients that are obtained from other servers. Typically you'll see one or more of the following in named.conf:
  - recursion yes;
  - allow-recursion { list of addresses or ranges that are permitted };
  - allow-recursion-on { list of interfaces from which recursive queries will be accepted };
  - allow-query-cache or allow-query
  Please refer to the Administrator Reference Manual (ARM) for the version of BIND that you are using. Generally, though, if you see recursion no; in your named.conf file, your server (or those views on your server to which this option applies) does not permit recursion.
- The server is configured to permit DNSSEC validation. There are two settings that control this:
  - dnssec-enable yes; (this enables the server to respond with DNSSEC information to clients that request it)
  - dnssec-validation yes; or dnssec-validation auto; (the former requires manually-configured trust anchors using trusted-keys or managed-keys; the latter will use BIND's built-in managed keys)
  Note that the setting dnssec-validation yes; is ineffectual unless the server has access to trust anchors from which to establish a DNSSEC-validated chain of trust.
- The server has access to trust anchors from which to establish a DNSSEC-validated chain of trust:
  - trusted-keys { some manually-maintained DNSSEC keys, usually for the root zone }; (Trusted-keys are copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust.)
  - managed-keys { some automatically-maintained DNSSEC keys, usually for the root zone }; (The managed-keys statement, like trusted-keys, defines DNSSEC security roots. The difference is that managed-keys can be kept up to date automatically, without intervention from the resolver operator.)
If you don't see any statements at all in your named.conf file (and all its include files too) that match the keywords 'dnssec', 'trusted-keys' or 'managed-keys', then it is unlikely that your BIND server has DNSSEC validation enabled.
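The three checks above can be run mechanically over a named.conf before you open the ARM. The script below is an added example, not ISC's code: it strips BIND's three comment styles, follows include statements (so keys kept in a separate file are seen), and then applies the three factors to the options block and to each view, with views inheriting whatever they don't override. The configuration text, the include path /etc/named/keys.conf and the key material in it are constructed for the demonstration; the `read` callable is an assumption so the example runs offline, and in real use you would pass something that opens the file. When a statement is absent the script reports it as missing rather than guessing your BIND version's default.

```python
"""Offline check of a BIND named.conf against the three preconditions for
DNSSEC validation: recursion, the dnssec-* options, and reachable trust
anchors. Added example; all configuration text below is constructed."""
import re

# Constructed sample named.conf and a constructed include file (not real files).
SAMPLE_CONF = """\
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; 127.0.0.1; };
    dnssec-enable yes;
    dnssec-validation yes;    // needs trusted-keys or managed-keys somewhere
};
include "/etc/named/keys.conf";   // constructed path, resolved via SAMPLE_FILES
/* a view that does not recurse, so it cannot validate */
view "external" {
    match-clients { any; };
    recursion no;
};
view "internal" {
    match-clients { 192.0.2.0/24; };
    dnssec-validation auto;   # auto = BIND's built-in managed keys
};
"""
SAMPLE_FILES = {
    # Placeholder key material, not a real root trust anchor.
    "/etc/named/keys.conf": 'trusted-keys { "." 257 3 8 "PLACEHOLDER-KEY"; };\n',
}
# Constructed: validation switched on, but no trust anchors anywhere.
NO_ANCHORS_CONF = "options { recursion yes; dnssec-enable yes; dnssec-validation yes; };\n"

ANCHOR_MSG = "trust anchors (trusted-keys, managed-keys, or dnssec-validation auto)"


def strip_comments(text):
    """Remove the three BIND comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def expand_includes(text, read, seen=None):
    """Inline every `include "path";` statement; read(path) returns that file's
    text (open(path).read() in practice). Repeated paths are skipped."""
    seen = set() if seen is None else seen

    def sub(m):
        path = m.group(1)
        if path in seen:
            return ""
        seen.add(path)
        return expand_includes(read(path), read, seen)
    return re.sub(r'(?<![\w-])include\s+"([^"]+)"\s*;', sub, text)


def top_level_blocks(text, keyword):
    """Return [(label, body)] for every `keyword [label] { ... };` statement.
    Braces are counted so nested blocks stay inside the returned body."""
    pattern = r'(?<![\w-])%s\s*("[^"]*"|[\w.-]+)?\s*\{' % re.escape(keyword)
    blocks = []
    for m in re.finditer(pattern, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append(((m.group(1) or "").strip('"'), text[m.end():i - 1]))
    return blocks


def option_value(body, name):
    """Value of a simple `name value;` statement in body, or None if absent."""
    m = re.search(r"(?<![\w-])%s\s+([\w-]+)\s*;" % re.escape(name), body)
    return m.group(1).lower() if m else None


def assess(conf_text, read=lambda path: open(path).read()):
    """Apply the three factors to the options block and to each view; a view
    inherits any option it does not set itself from the options block."""
    text = expand_includes(strip_comments(conf_text),
                           lambda p: strip_comments(read(p)))
    global_body = "".join(b for _, b in top_level_blocks(text, "options"))
    global_anchors = any(top_level_blocks(text, k)
                         for k in ("trusted-keys", "managed-keys"))
    report = {}
    for name, body in [("options", global_body)] + top_level_blocks(text, "view"):
        def get(opt):
            own = option_value(body, opt)
            return own if own is not None else option_value(global_body, opt)
        recursion = get("recursion")
        allows = re.search(r"(?<![\w-])allow-recursion(-on)?\s*\{",
                           body + "\n" + global_body)
        recursive = recursion != "no" and (recursion == "yes" or allows is not None)
        enable, validation = get("dnssec-enable"), get("dnssec-validation")
        anchors = (validation == "auto" or global_anchors or
                   any(top_level_blocks(body, k) for k in ("trusted-keys", "managed-keys")))
        missing = []
        if not recursive:
            missing.append("recursion")
        if enable != "yes":
            missing.append("dnssec-enable yes")
        if validation not in ("yes", "auto"):
            missing.append("dnssec-validation yes|auto")
        if not anchors:
            missing.append(ANCHOR_MSG)
        report[name] = {"recursive": recursive, "dnssec_enable": enable,
                        "dnssec_validation": validation, "trust_anchors": anchors,
                        "validating": not missing, "missing": missing}
    return report


if __name__ == "__main__":
    for scope, r in assess(SAMPLE_CONF, SAMPLE_FILES.__getitem__).items():
        print(scope, "validating" if r["validating"] else "NOT validating", r["missing"])
```

On the constructed sample the options scope and the "internal" view come out as validating (the former via the trusted-keys in the included file, the latter via dnssec-validation auto), while "external" fails on recursion alone, and NO_ANCHORS_CONF shows the case the note above warns about: dnssec-validation yes; with no trust anchors in reach. The parser is deliberately simple (no quoting rules beyond double quotes, no handling of keys or views that share a name), so treat its output as a first pass to be confirmed against the ARM for your version.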
For more information regarding DNSSEC, how it works, and how to configure it, please see the BIND Administrator Reference Manual, and other articles about DNSSEC in this Knowledgebase. Use the "Filter" box at the top left corner of this page to search for the topic.