Feature #1969


Forcing all DNS queries to use DNSSEC

Added by r a over 11 years ago. Updated over 10 years ago.


Can the DNS client in the next patched release of OpenIndiana be configured by use of a "dnssec enable/disable" directive in /etc/resolv.conf to force all DNSSEC queries to use/not use DNSSEC?

Can the next release of OpenIndiana be configured by default so that all DNS clients use DNSSEC unless it is specifically disabled by the use of "dnssec disable" in /etc/resolv.conf?

Actions #1

Updated by Milan Jurik over 11 years ago

I think libresolv2 currently does not support DNSSEC. As a possible workaround, you can use a caching DNS server to validate DNSSEC (e.g. on loopback) and configure your client to ask this server for all queries.

Actions #2

Updated by r a over 11 years ago

At present I have configured DNS on my OpenIndiana installation to support DNSSEC queries by enabling DNSSEC and installing the root Key Signing Key from the DNSSEC record:

. 86374 IN DNSKEY 257 3 8 "KSK public key"

It would be useful to be able to configure the local DNS resolver to perform the following actions by adding entries into /etc/resolv.conf:

1) Enable/Disable DNSSEC queries
   dnssec <enable|disable>
2) Enforce DNSSEC only queries - non DNSSEC signed zones are rejected
   dnssec query enforce
3) Warning when non DNSSEC signed information is returned
   dnssec query warn
4) Enable DNSSEC queries but do not report non DNSSEC zones
   dnssec query ignore
5) Specify exception DNS zones where DNSSEC is not required
   dnssec trust <zone> | <zone1> .... <zoneN>

If DNSSEC queries are enabled the default action would be to warn about non DNSSEC signed zones. The DNSSEC trust option would allow internal DNS Zones to be trusted so that internal DNSSEC Key Signing Keys would not need to be published on the Internet.
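
The semantics of the directives proposed in the comment above, as an added example that is not part of the original ticket and not illumos or OpenIndiana code. The directive syntax is the ticket's proposal only; the function names, the `authenticated` flag, the "disabled when no directive is present" default and the sample zone names are assumptions made for illustration.

```python
# Added example: the "dnssec" directives below are the syntax proposed in this
# ticket, not something any resolver implements. SAMPLE is constructed.
SAMPLE = """\
nameserver 127.0.0.1
dnssec enable
dnssec query enforce
dnssec trust corp.example lab.example
"""

ACTIONS = {"enforce": "reject", "warn": "warn", "ignore": "accept"}


def parse_policy(text):
    """Collect the proposed dnssec directives from resolv.conf-style text."""
    # Assumption: with no directive DNSSEC stays off; once enabled, the
    # default action is "warn", as the proposal states.
    policy = {"enabled": False, "mode": "warn", "trusted": []}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] != "dnssec":
            continue  # other resolv.conf keywords, comments, blank lines
        args = [a.lower() for a in fields[1:]]
        if args in (["enable"], ["disable"]):
            policy["enabled"] = args[0] == "enable"
        elif len(args) == 2 and args[0] == "query" and args[1] in ACTIONS:
            policy["mode"] = args[1]
        elif len(args) >= 2 and args[0] == "trust":
            policy["trusted"] += [z.rstrip(".") for z in args[1:]]
        else:
            raise ValueError(f"unrecognised dnssec directive: {raw!r}")
    return policy


def decide(policy, qname, authenticated):
    """Return "accept", "warn" or "reject" for one answer.

    authenticated: True when a validating resolver the client trusts (for
    example one on loopback) reported the data as DNSSEC-validated.
    """
    name = qname.lower().rstrip(".")
    if not policy["enabled"] or authenticated:
        return "accept"
    # Match trusted zones on label boundaries so that "evilcorp.example"
    # is not exempted by a trust entry for "corp.example".
    if any(name == z or name.endswith("." + z) for z in policy["trusted"]):
        return "accept"
    return ACTIONS[policy["mode"]]
```
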

Actions #3

Updated by Bayard Bell over 11 years ago

Why do you think this should happen?

Do you think this is something that should be taken up by the distros individually rather than as an upstream change in illumos-gate?

Actions #4

Updated by r a over 11 years ago

Yes, it would be best to be included in illumos-gate. In fact, I have contacted the to see if the suggestion would be of interest as there is no current standard way to handle DNSSEC queries on the client. I have DNSSEC enabled on my local DNS server and it also performs validation, but my OpenIndiana only performs standard DNS queries. When I perform a dig @localhost +dnssec, for example, I can see in my BIND logs that EDNS are being performed; otherwise they are not.
On Windows 2008R2 and Windows 7 it is possible to enable DNSSEC queries but apparently DNSSEC validation is not enabled.

Actions #5

Updated by Bayard Bell over 11 years ago

  • Priority changed from High to Low
  • Difficulty changed from Medium to Hard

I also like DNSSEC, but this doesn't really answer the question of why this should be default behaviour. This doesn't look at all like a high-priority issue (priority reduced accordingly). It doesn't look to be a trivial change to evaluate, either (you don't address questions like what happens to zones that aren't signed).

If it's something you'd like to pursue, I'd strongly encourage you to get more involved in development. Otherwise I can't imagine this issue being resolved in the near term.

Actions #6

Updated by Ken Mays over 10 years ago

  • Status changed from New to Closed

This is provided through BIND 9.8.3 which is available in oi-build and I spotted this config article:

You then test your setup with Windows 7 clients or against Windows 2008/2012 environments for correct operations.
Closed this ticket because this is 'out of scope' of normal oi-dev work.

