Hi, Posted about this before but got no further with the issue, which is as follows: BIND9 will not start if the named.conf.options file contains the line: dnssec-enable yes; It was all working fine (with dnssec enabled) until a few months ago, then one day it just collapsed; bind9 would not start unless I hashed out the offending line. I am convinced I need to get it working again because the server is getting targeted with a lot of spam and I suspect it is because it is running without dnssec. Any help would be very gratefully received. Cheers
Oh right, then that would explain (possibly) why it will not fire up with that line enabled, I suppose. Thanks for the info, I (clearly) was not aware it was obsolete. As for the spam, there is a massive amount of spoofing going on; cannot seem to close it down or defend against it. We have DKIM signing and have just turned that up to maximum strength, but mail is still being sent out "as if" it's from our domain/server and therefore we get the abuse reports coming back on us.
DNSSEC is not obsolete, but like @pyte mentioned, it's not about preventing spam. So having a DNSSEC signed zone will not help you with the spam issue. To prevent spam, you must set up DKIM signing for the domain and then set a strict SPF (TXT) and DMARC record in DNS. If you receive abuse reports, do they mention your IP address as the sender, or do they mention a different IP? If they mention your server IP as the sender, then your system is sending these emails out, e.g., through a hacked website or a hacked email account.
To elaborate further, even if you implement such measures, you are still dependent on the receiving mail server to enforce them. For instance, setting a hard fail in your SPF record does not guarantee that every mail server will reject emails when the SPF check fails. While they should, experience shows that this is not always the case.
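
An added example, not written by any poster in this thread: a small audit of the "strict SPF and DMARC record" advice above, checking whether the published TXT strings actually ask receivers to reject spoofed mail. The domain example.com, the IP address and the report mailbox are constructed sample values, and the function names are made up for this illustration.

```python
# Added example: audit SPF and DMARC TXT strings for strictness.
# All records below are constructed samples for the placeholder domain example.com.
WEAK_SPF = "v=spf1 mx a ~all"
STRICT_SPF = "v=spf1 mx ip4:192.0.2.10 -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

def spf_policy(txt):
    """Return '-all', '~all', '?all' or '+all'; 'no-record' or 'no-all' otherwise."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return "no-record"
    for term in parts[1:]:
        t = term.lower()
        if t in ("all", "+all"):
            return "+all"          # a bare 'all' defaults to the '+' (pass) qualifier
        if t in ("-all", "~all", "?all"):
            return t
    return "no-all"                # without an 'all' term the default result is neutral

def dmarc_tags(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict; empty dict if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def audit(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means both records are strict."""
    findings = []
    pol = spf_policy(spf_txt)
    if pol != "-all":
        findings.append(f"SPF policy is {pol}, not hard fail (-all)")
    tags = dmarc_tags(dmarc_txt)
    if not tags:
        findings.append("no valid DMARC record")
        return findings
    if tags.get("p", "none").lower() != "reject":
        findings.append(f"DMARC p={tags.get('p', 'none')}: receivers are not asked to reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who sends as the domain")
    return findings

if __name__ == "__main__":
    for name, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        print(name, audit(spf, dmarc) or "OK")
```

A clean result only means the records request rejection; as the last post says, enforcement is still up to each receiving mail server.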