Knowledge Base ISC Main Website Ask a Question/Contact ISC
DNSSEC validation - how can I tell if my server is doing it?
Author: Cathy Almond Reference Number: AA-01547 Views: 11708 Created: 2018-01-10 16:18 Last Updated: 2018-01-10 16:18 0 Rating/ Voters

System administrators sometimes need a quick answer to the question 'Is my DNS server doing DNSSEC validation or not?'  Usually this is because they've just received notification of a BIND security advisory and aren't sure if it is applicable to their production environment or not.

DNSSEC-validation is performed servers that are providing answers to client queries that have been obtained from other servers.  Typically these servers will be configured to provide recursive services.  BIND servers cannot and do not perform DNSSEC-validation on RRsets that they themselves hold and serve authoritatively, that is for zone data for which they are primary/master or secondary/slave.

In order to perform DNSSEC-validation, all of the factors below need to be present:

  • The server is providing answers to clients that are obtained from other servers (typically you'll see in named.conf one or more of the following:
    • recursion yes;
    • allow-recursion { list of addresses or ranges that are permitted };
    • allow-recursion-on { list of interfaces from which recursive queries will be accepted
      Absence of specific options permitting recursion may be misleading

      The default settings for whether or not recursion is permitted are that anyone on the local host or local network(s) can make recursive queries.  This may be altered by what has been configured for allow-query-cache or allow-query - please refer to the Administrator Reference Manual (ARM) for the version of BIND that you are using.  Generally though if you see recursion no; in your named.conf file, your server (or those views on your server to which this option applies) do not permit recursion.

  • The server is configured to permit DNSSEC-validation.  There are two settings that control this:
    • dnssec-enable yes; (This enables the server to respond with DNSSEC information to clients that request this)
    • dnssec-validation yes; or dnssec-validation auto; (the former requires manually-configured trust anchors using trusted-keys or managed-keys; the latter will use BIND's built-in managed keys)
      DNSSEC-validation is disabled by default

      If there is nothing configured at all, then the defaults for all modern versions of BIND are dnssec-enable yes; and dnssec-validation yes;  Note that the setting dnssec-validation yes; is ineffectual unless the server has access to trust anchors from which to establish a DNSSEC-validated chain of trust

  • The server has access to trust anchors from which to establish a DNSSEC-validated chain of trust:
    • trusted-keys { some manually-maintained DNSSEC keys, usually for the root zone }; (trusted-keys are copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust)
    • managed-keys { some automatically-maintained DNSSEC keys, usually for the root zone); (The managed-keys statement, like trusted-keys, defines DNSSEC security roots. The difference is that managed-keys can be kept up to date automatically, without intervention from the resolver operator)

If you don't see any statements at all in your named.conf file (and all its include files too) that match keywords 'dnssec', 'trusted-keys' or 'managed-keys', then it is unlikely that your BIND server has DNSSEC-validation enabled. 

For more information regarding DNSSEC, how it works, and how to configure it, please see the BIND Administrator Reference Manual, and other articles about DNSSEC in the ISC Knowledge Base.

© 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

  • There is no feedback for this article
Quick Jump Menu