- As of bind 9.16, the option to enable DNSSEC 'dnssec-enable' is obsolete and
has no effect[1]. The option 'dnssec-validation' controls DNSSEC validation and
is set to 'auto' by default. 'auto' means that DNSSEC validation is enabled and
default trust anchor is used for DNS root zone. DNSSEC signatures are also
passed onto a client whenever available. Current stable, Debian Buster, has
version 9.16[3].
- As of bind 9.18, the option to enable DNSSEC 'dnssec-enable' is not recognized
and causes the daemon to fail to start[2]. Debian next, Debian Bookworm, has
version 9.18[3]. Therefore, in testing and unstable, bind fails to start of
installation from FreedomBox.
- There is no use-case for changing the current default behavior.
Links:
1)
https://bind9.readthedocs.io/en/v9_16_32/reference.html#dnssec-validation-option
2) https://bind9.readthedocs.io/en/v9_18_6/reference.html
3) https://tracker.debian.org/pkg/bind9
Tests:
- Run functional and unit tests.
- Option to enable/disable DNSSEC is removed.
- When bind is installed on testing without the patch, it fails to start. When
the patch is applied, bind will be upgraded, the dnssec-enable option is removed
from the configuration file /etc/bind/named.conf.options and bind is running.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Initial setup:
- Creates zones directory
- Write default configuration
- named is restarted
- Forwarders
- Setting forwarders works as expected.
- Current list of forwarders is shown as expected
- List of served domains is shown properly
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
