On Fri Sep 30 2011 at 11:50:51 CEST, Hauke Lampe wrote:
> > *except that perhaps those who enable this feature will use it as an excuse
> > to avoid enabling validation, which would be a very bad result, IMO. . .
>
> My reading of the docs says that BIND's NXDOMAIN redirections won't
> break DNSSEC-signed results:
>
> "If the client has requested DNSSEC records (DO=1) and the NXDOMAIN
> response is signed then no substitution will occur."
I fixed my latest post on this after re-reading the ARM: indeed it
shouldn't break DNSSEC.
> I didn't get it to work, yet, though. After enabling the redirect zone,
> BIND goes into an endless loop of zone_timer/zone_maintenance/zone_settimer.
The redirection works, but I too noticed the CPU consumption (and
reported it to bind9-bugs).
-JP
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
