On Fri, Mar 02, 2012 at 11:13:06AM +0100, Matus UHLAR - fantomas wrote:
> On 29.02.12 17:53, Michael McNally wrote:
> > NXDOMAIN redirection is now possible. This enables a resolver
> > to respond to a client with locally-configured information
> > when a query would otherwise have gotten an answer of "no
> > such domain". This allows a recursive nameserver to provide
> > alternate suggestions for misspelled domain names. Note that
> > names that are in DNSSEC-signed domains are exempted from
> > this when validation is in use. [RT #23146]
>
> just by signing? so I can spare all our domains from being misused by
> such shit just by signing them?

That's one half of it; the queries also need to request DNSSEC (EDNS
DO=1). One or the other, by itself, isn't enough. This applies to both
NXDOMAIN rewriting and RPZ, as of 9.9.0 (the RPZ behavior changed during
the 9.9.0 development process).

Bill.