This thread has gotten bogged down in silliness. (Not referring to Paul's message.)

First, dnssec-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'.

Second, your firewall is simply broken. You will continue to have problems with DNS until you fix/replace it. I have not seen a recent firewall broken in this manner for a while, but this was quite common a couple of years ago. For the moment, turning off dnssec-enable is probably your best hope, but it's not a fix and you are likely to see continuing problems on a smaller scale until the firewall is fixed.

Sent from my Treo

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
E. O. Lawrence Berkeley National Laboratory (LBNL)
[email protected] +1 510-486-8634

-----Original Message-----
From: Paul Wouters <[email protected]>
Date: Friday, Jun 4, 2010 9:20 am
Subject: Re: disable dnssec in bind resolver
To: Evan Hunt <[email protected]>
CC: [email protected]

On Fri, 4 Jun 2010, Evan Hunt wrote:

> I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it doesn't, that's probably a bug.

Yeah, I thought the default changed when all those NAT routers proved buggy.

> If it doesn't, though, try "edns no". You can't have a DO bit if you don't have a place to put one.

This seems a bit like "my left leg hurts, so I stabbed my right leg".

> And, fix the broken firewall as soon as possible. :)

Now that is solid advice :)

Paul

_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
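The exchange above turns on where the DO bit actually lives, which is why "edns no" removes it as a side effect. The following is an added illustration, not code from the thread or from BIND: it builds minimal wire-format DNS queries with and without an EDNS0 OPT record and parses them back, showing that the DO flag is a bit in the OPT pseudo-RR's TTL field (RFC 3225 / RFC 6891), so a query with no OPT record has no place to carry DO at all. Transaction ID, query name and UDP payload size are constructed sample values.

```python
"""Build and inspect minimal DNS queries to show where the DNSSEC OK (DO) bit lives.

Added illustration for the bind-users thread; not BIND code. The DO bit is the
top bit of the "extended flags" half of the 32-bit TTL field of the EDNS0 OPT
pseudo-RR, so a query sent without an OPT record (what "edns no" amounts to)
cannot carry DO.
"""
import struct

QTYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1
DO_FLAG = 0x8000  # DO occupies bit 15 of the OPT TTL (ext-rcode:8, version:8, flags:16)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, txid: int = 0x1234, edns: bool = True, do: bool = True,
                udp_size: int = 4096) -> bytes:
    """Return a wire-format A query. With edns=False no OPT RR is appended."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    msg = header + question
    if edns:
        ttl = DO_FLAG if do else 0  # ext-rcode=0, version=0, flags=DO or nothing
        # OPT RR: root name, type 41, "class" carries the UDP payload size,
        # TTL carries the extended flags, RDLENGTH 0 (no options).
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return msg


def skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name starting at offset `off`."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, two bytes total
            return off + 2
        off += 1 + length


def inspect_query(msg: bytes) -> dict:
    """Parse a query and report whether it carries an OPT RR and the DO bit."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):  # a query normally has none of these
        off = skip_name(msg, off)
        _, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
    result = {"edns": False, "do": False, "udp_size": 512}  # 512 = classic DNS limit
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            result["edns"] = True
            result["udp_size"] = rclass
            result["do"] = bool(ttl & DO_FLAG)
    return result


if __name__ == "__main__":
    for edns, do in ((True, True), (True, False), (False, False)):
        q = build_query("example.com.", edns=edns, do=do)  # constructed sample name
        print(f"edns={edns!s:5} do={do!s:5} -> {inspect_query(q)}")
```

Run stand-alone it prints one line per variant; the third shows that once the OPT record is gone the parser cannot find a DO bit, which is exactly the "stab the other leg" trade-off Paul objects to: dropping EDNS entirely also drops the larger UDP payload size advertised in the OPT record.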

