From e8fa9aa5c7aaf09cbe0cf6bafcbbb970f3824c94 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Thu, 14 Dec 2023 10:42:56 +0000 Subject: [PATCH] Document new requirements for 'dnssec-validation yes' Using the 'dnssec-validation yes' option now requires an explicitly configured 'trust-anchors' statement (or 'managed-keys' or 'trusted-keys', both deprecated). --- doc/arm/reference.rst | 5 ++++- doc/dnssec-guide/validation.rst | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 5949ec14bd..57931b9a6b 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -2577,7 +2577,10 @@ Boolean Options If set to ``yes``, DNSSEC validation is enabled, but a trust anchor must be manually configured using a :any:`trust-anchors` statement (or the :any:`managed-keys` or :any:`trusted-keys` statements, both deprecated). If - there is no configured trust anchor, validation does not take place. + :any:`trust-anchors` is not configured, it is a configuration error. If + :any:`trust-anchors` does not include a valid root key, then validation does + not take place for names which are not covered by any of the configured trust + anchors. If set to ``no``, DNSSEC validation is disabled. (Note: the resolver will still set the DO bit in outgoing queries indicating that it can diff --git a/doc/dnssec-guide/validation.rst b/doc/dnssec-guide/validation.rst index 33958bb2a0..8d069327fe 100644 --- a/doc/dnssec-guide/validation.rst +++ b/doc/dnssec-guide/validation.rst 
@@ -405,6 +405,10 @@ When set to *auto*, BIND automatically keeps the keys (also known as trust anchors, discussed in :ref:`trust_anchors_description`) up-to-date without intervention from the DNS administrator. +When using *yes*, please note that if :any:`trust-anchors` does not include a +valid root key, then validation does not take place for names which are not +covered by any of the configured trust anchors. + We recommend using the default *auto* unless there is a good reason to require a manual trust anchor. To learn more about trust anchors, please refer to :ref:`trusted_keys_and_managed_keys`.
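Review bot: In the reference.rst hunk, the new sentence "If :any:`trust-anchors` is not configured, it is a configuration error." contradicts the sentence just before it, which says the anchor may instead be supplied via :any:`managed-keys` or :any:`trusted-keys` (and the commit message says the same). As written, a reader with a still-working deprecated `managed-keys` block would conclude their configuration is now rejected. Rephrase to cover all three statements, e.g. "If no trust anchor is configured by any of these statements, the configuration is rejected", and state the concrete behaviour ("it is a configuration error" does not say whether named refuses to start or only logs a warning, and that is exactly what an operator upgrading with `dnssec-validation yes` needs to know). The second added sentence reads better as "for names that are not covered by any of the configured trust anchors"; also consider saying plainly that, without a root key, validation is limited to the islands of trust below the configured anchors.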
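Review bot: The validation.rst hunk omits the actual new requirement this patch documents. The guide paragraph only repeats the "no root key means partial validation" caveat, while the behaviour change in the subject line (`dnssec-validation yes` without a configured trust anchor is now rejected rather than silently not validating) is mentioned only in reference.rst. A dnssec-guide reader choosing *yes* should see both points; add a sentence such as "With *yes*, a trust anchor must be configured explicitly via :any:`trust-anchors`; otherwise the configuration is rejected." Minor style: "When using *yes*, please note that if" can be tightened to "When *yes* is used, if", matching the surrounding guide text, and "names which are not covered" should be "names that are not covered", consistent with the wording suggested for reference.rst so the two documents do not drift.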