This thread has gotten bogged down in silliness. (Not referring to Paul's message).
First, dns-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'. Second, your firewall is simply broken. You will continue to have problems with DNS until you fix/replace it. I have not seen a recent firewall broken in this manner for a while, but this was quite common a couple of years ago. For the moment, turning off dnssec-enable is probably your best hope, but it's not a fix and you are likely to see continuing problems on a smaller scale until the firewall is fixed.

Sent from my Treo:
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
E. O. Lawrence Berkeley National Laboratory (LBNL)
ober...@es.net +1 510-486-8634

-----Original Message-----
From: Paul Wouters <p...@xelerance.com>
Date: Friday, Jun 4, 2010 9:20 am
Subject: Re: disable dnssec in bind resolver
To: Evan Hunt <e...@isc.org>
CC: bind-users@lists.isc.org

On Fri, 4 Jun 2010, Evan Hunt wrote:

> I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it doesn't, that's probably a bug.

Yeah, I thought the default changed when all those NAT routers proved buggy.

> If it doesn't, though, try "edns no". You can't have a DO bit if you don't have a place to put one.

This seems a bit like "my left leg hurts, so I stabbed my right leg".

> And, fix the broken firewall as soon as possible. :)

Now that is solid advice :)

Paul

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
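The three resolver behaviours the thread compares (DO bit set, DO bit cleared, no EDNS at all) are easiest to see on the wire. The following is an added example written for this page, not code from the thread, from ISC or from BIND: it builds a minimal DNS query for each case using only the Python standard library and parses it back. Mapping "dnssec-enable no" to do=False and "edns no" to edns=False is my illustrative assumption about what those options change in the outgoing query; the packet layout itself follows RFC 6891 (OPT pseudo-RR, type 41, UDP payload size in the CLASS field) and RFC 3225 (DO is the top bit of the OPT TTL field).

```python
"""Added example for this thread (not ISC/BIND code): where the DO bit lives.

Builds the wire-format query for three cases and parses it back, so you can
see that do=False (my stand-in for "dnssec-enable no") still sends an EDNS0
OPT record advertising a large UDP buffer, while edns=False (stand-in for
"edns no") sends no OPT record at all, which is why there is then nowhere
to put a DO bit.
"""
import struct

OPT_TYPE = 41      # RFC 6891 OPT pseudo-RR
DO_BIT = 0x8000    # RFC 3225: DO is the top bit of the OPT "TTL" field


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns=True, do=True, udp_size=4096):
    """Return a wire-format query for `name` (constructed sample input).

    edns=False omits the OPT record entirely; `do` is then irrelevant.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)     # class IN
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH=0.
        ttl = DO_BIT if do else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def parse_edns(msg):
    """Return {'has_edns', 'do_bit', 'udp_size'} for a query built above.

    Handles uncompressed names only (the queries built here never use
    compression pointers), which is all this example needs.
    """
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12

    def skip_name(pos):
        while msg[pos] != 0:
            pos += msg[pos] + 1
        return pos + 1

    for _ in range(qdcount):
        off = skip_name(off) + 4            # QTYPE + QCLASS
    info = {"has_edns": False, "do_bit": False, "udp_size": None}
    for _ in range(ancount + nscount + arcount):
        off = skip_name(off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info = {"has_edns": True,
                    "do_bit": bool(ttl & DO_BIT),
                    "udp_size": rclass}
    return info


if __name__ == "__main__":
    cases = [("DNSSEC-aware (DO set)", {}),
             ("dnssec-enable no (assumed)", {"do": False}),
             ("edns no (assumed)", {"edns": False})]
    for label, kw in cases:
        q = build_query("example.com.", **kw)
        print(f"{label:28s} {len(q):3d} bytes  {parse_edns(q)}")
```

Run stand-alone, the three rows show the point Paul makes: clearing DO leaves the OPT record (and the 4096-byte buffer advertisement) in place, and only dropping EDNS removes the record itself. That is also why Kevin expects "continuing problems on a smaller scale": a firewall that mishandles EDNS or UDP responses larger than 512 bytes is still exercised by the second case, and the third case only avoids it by giving up EDNS entirely. To see the same thing against a live resolver, compare `dig +dnssec` with `dig +noedns` and look for the OPT pseudosection and the `do` flag in the output.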