On Mon, 22 Nov 2004, Natarajan,Ganesh wrote:
> Does DNS BIND 9.2.3 support caching and verification of RRs (resource records) on the resolver library part by default?
RFC2535 is being obsoleted -- three replacement documents are in the RFC Editor queue right now. The changes between 2535-DNSSEC and DNSSECbis are substantial and incompatible. Only BIND 9.3.0 and later support these recent changes, and it's expected that 2535-DNSSEC is dead. While 9.2.3 does have a DNSSEC validator, it's pretty useless -- if you want DNSSEC, you need to use more modern code.
> We wanted to know whether by default any authentication is enabled at the resolver part in BIND 9.2.3.
No. 9.2.3 has a compile-time option for enabling DNSSEC support in the code. Even if the features are enabled, no validation is done unless trust anchors are defined (via the trusted-keys config line).
> Is this CD bit disabled or enabled in BIND 9.2.3?
BIND 9.2.3, as a recursive resolver, will not issue queries with the CD bit set (unless it gets queries with the CD bit set). That means that any upstream resolvers that are doing DNSSEC validation will still do it. As above, the BIND 9.2.3 code won't do validation unless the DNSSEC code is enabled and at least one trust anchor is configured.

-- 
Sam
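To make the CD/AD discussion above concrete, here is an added example (not code from BIND or from this thread) that builds DNS messages by hand from the RFC 1035 header layout and the AD/CD flag bits of RFC 2535 section 6.1. It models the behaviour Sam describes: a recursive resolver that copies the client's CD bit into the query it sends upstream, so an upstream validator still validates unless the client explicitly asked it not to. The responses are constructed locally; nothing is sent on the network, and the query name and address are placeholders.

```python
"""DNS header helpers: building queries and reading the CD and AD flag bits.

Added illustration, not BIND code. Wire layout from RFC 1035 section 4.1.1;
AD/CD bits from RFC 2535 section 6.1. All messages are constructed in memory.
"""
import struct

# Bits of the 16-bit flags field that follows the transaction ID.
QR = 1 << 15   # message is a response
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
AD = 1 << 5    # authentic data: set by a validating resolver
CD = 1 << 4    # checking disabled: client asks the resolver not to validate

HEADER_LEN = 12


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, checking_disabled=False):
    """Build a recursive query (RD set) for qname/IN, optionally with CD set."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # qdcount=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_flags(msg):
    """Return the interesting header flags of a wire-format message as a dict."""
    (flags,) = struct.unpack_from("!H", msg, 2)
    out = {name: bool(flags & bit)
           for name, bit in (("qr", QR), ("rd", RD), ("ra", RA), ("ad", AD), ("cd", CD))}
    out["rcode"] = flags & 0xF
    return out


def upstream_query(client_query, txid=0x5678):
    """What a CD-mirroring recursive resolver sends upstream for client_query.

    The question section is copied verbatim; the header is rebuilt with a fresh
    transaction ID, RD set, and CD set only if the client set it.
    """
    client_flags = parse_flags(client_query)
    flags = RD | (CD if client_flags["cd"] else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + client_query[HEADER_LEN:]


def make_response(query, validated, ip="192.0.2.1"):
    """Constructed response from an upstream validating resolver: one A record.

    AD is set only if the resolver validated, and it never validates when the
    query carried CD, so a CD query gets CD echoed back and no AD.
    """
    txid, qflags = struct.unpack_from("!HH", query, 0)
    cd_echo = qflags & CD
    ad_bit = AD if (validated and not cd_echo) else 0
    flags = QR | RD | RA | cd_echo | ad_bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)  # qdcount=1, ancount=1
    # Name pointer 0xC00C refers back to the question name at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[HEADER_LEN:] + rr


def marked_authentic(response):
    """True if the upstream resolver flagged the answer as validated (AD set).

    Caveat: a non-validating stub trusts this bit only as far as it trusts the
    path to that resolver; AD is plain header data and is trivially forgeable
    by anyone who can spoof the response.
    """
    f = parse_flags(response)
    return f["qr"] and f["ad"]


if __name__ == "__main__":
    plain = build_query("example.com.")
    nocheck = build_query("example.com.", checking_disabled=True)
    for q in (plain, nocheck):
        up = upstream_query(q)
        resp = make_response(up, validated=True)
        print("client CD=%s -> upstream CD=%s -> AD in answer=%s" % (
            parse_flags(q)["cd"], parse_flags(up)["cd"], marked_authentic(resp)))
```

The point the example makes is the one in the reply: with a non-validating 9.2.3 in the middle, the client's CD bit decides whether an upstream validator does its work, and the AD bit that comes back is an assertion by that upstream, not something the local resolver has checked.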