Matus UHLAR - fantomas wrote:
>
> and in case of private/internal domain even logical - it's not useful to
> push DS records to parent, and even possible with 2 versions of the same
> zone.
You can have a secure delegation in the parent if you sign both versions
of the zone with the same KSK. (Th
On 08.02.18 19:12, Mark Andrews wrote:
You break a chain of trust by proving there is a insecure delegation.
that should be expected :-)
and in case of private/internal domain even logical - it's not useful to
push DS records to parent, and even possible with 2 versions of the same
zone.
N
You break a chain of trust by proving there is a insecure delegation.
NXDOMAIN is not a delegation.
The point on OPTOUT is to allow the parent zone to add and remove
insecure delegations without resigning.
Mark
> On 7 Feb 2018, at 11:26 pm, Tony Finch wrote:
>
> Pruned debug logs...
>
> vali
Thankyou,
Am 2018-02-08 hackte Warren Kumari in die Tasten:
> On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch wrote:
>> Michelle Konzack wrote:
>>
>>> If someone is interested making a slave for me, I can do
>>> the same with him/her/whatelse.
>>
>> I'm cheap, so for my personal domains I use free se
On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch wrote:
> Michelle Konzack wrote:
>
>> If someone is interested making a slave for me, I can do
>> the same with him/her/whatelse.
>
> I'm cheap, so for my personal domains I use free secondaries from
> https://puck.nether.net/dns/ and https://admin.grati
Guten Abend,
Am 2018-02-07 hackte Reindl Harald in die Tasten:
> Am 07.02.2018 um 18:38 schrieb Matus UHLAR - fantomas:
>> neither is possible for now. as I said, neither our customer not
>> itsupstream does maintain the domain.
>
> i will point at that case when someone asks why i insist of be re
Am 07.02.2018 um 18:38 schrieb Matus UHLAR - fantomas:
neither is possible for now. as I said, neither our customer not
itsupstream does maintain the domain.
i will point at that case when someone asks why i insist of be registrar
as well as dns-provider for anything i have to deal with it -
Matus UHLAR - fantomas wrote:
I wonder why does it do that. I have configured a zone to be type
forward and expected it to work as confdigured, not be validated
upstream.
On 07.02.18 14:14, Tony Finch wrote:
Validation is mostly independent of resolution, so even if you configure a
zone expli
Matus UHLAR - fantomas wrote:
>
> I wonder why does it do that. I have configured a zone to be type
> forward and expected it to work as confdigured, not be validated
> upstream.
Validation is mostly independent of resolution, so even if you configure a
zone explicitly, the validator will still g
contact to
the registrator.
I currently see the only option to disable dnssec on the server, or upgrade
to 9.11 ...
but I'll upgrade the server to debian 8 (bind9.9.5) first.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail adverti
Hi there,
On Wed, 7 Feb 2018, Michelle Konzack wrote:
... Note: If someone is interested making a slave for me ...
Is there a reason you don't use e.g. he.net?
https://dns.he.net/
They do say of DNSSEC that they are "exploring this now" but it seems
to work for me.
--
73,
Ged.
__
Michelle Konzack wrote:
> If someone is interested making a slave for me, I can do
> the same with him/her/whatelse.
I'm cheap, so for my personal domains I use free secondaries from
https://puck.nether.net/dns/ and https://admin.gratisdns.com/
Tony.
--
f.anthony.n.finchhttp://dotat.at/ -
Ahoi Matus,
Am 2018-02-07 hackte Matus UHLAR - fantomas in die Tasten:
> yes. even web whois shows no 'nameserver' information.
>
> the name is "testa.eu".
Oi, the owner is the European Commission!
It seems, they have the privileg,
not to attribute Name Server to the domain.
A normal registrant
Pruned debug logs...
validating testa.eu/DS: looking for closest encloser
validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA indicates
potential closest encloser: 'eu'
validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA at super-domain
eu
validating testa.eu/DS: NSEC3 GLIB
Matus UHLAR - fantomas wrote:
>
> the name is "testa.eu".
OK, let's dig it (trimmed for relevance):
; <<>> DiG 9.13.0-dev <<>> +multiline +dnssec testa.eu
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39666
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
So we know t
Thanks for providing the domain name in question (testa.eu).
Indeed, port 43 whois shows no nameservers - neither does the web based
whois on whois.eurid.eu, though the name does exist in the 'eu' registry
system.
Dig gives me nothing either...
$ dig testa.eu ns +short
$ dig testa.eu ds +short
Am 07.02.2018 um 12:12 schrieb Reindl Harald:
Am 07.02.2018 um 12:07 schrieb Matus UHLAR - fantomas:
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
what's the difference, when the domain doesn't exist?
is it because .eu is signed?
On 06.02.18 16:35, Ray Bellis wrote:
Perhaps, althou
Am 07.02.2018 um 12:07 schrieb Matus UHLAR - fantomas:
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
what's the difference, when the domain doesn't exist?
is it because .eu is signed?
On 06.02.18 16:35, Ray Bellis wrote:
Perhaps, although I'm not sure why given that .eu is signed with
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
what's the difference, when the domain doesn't exist?
is it because .eu is signed?
On 06.02.18 16:35, Ray Bellis wrote:
Perhaps, although I'm not sure why given that .eu is signed with NSEC3
and opt-out.
Are you *sure* that the domain doesn'
Am DATE hackte AUTHOR in die Tasten: Ray Bellis
> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
> and opt-out.> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>
>> what's the difference, when the domain doesn't exist?
>>
>> is it because .eu is signed?
>
> Are you *sure
Hello Matus,
Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten:
>>Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten:
>>> our customer uses a domain that is registered, but hidden
>>> (doesn't exist in DNS).
>
> On 06.02.18 18:24, Michelle Konzack wrote:
>>I hope you know what are y
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
> what's the difference, when the domain doesn't exist?
>
> is it because .eu is signed?
Perhaps, although I'm not sure why given that .eu is signed with NSEC3
and opt-out.
Are you *sure* that the domain doesn't now actually exist in the DNS?
Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten:
our customer uses a domain that is registered, but hidden
(doesn't exist in DNS).
On 06.02.18 18:24, Michelle Konzack wrote:
I hope you know what are you doing, because the DNS MUST exist!
Please read the general conditions for the EU
Am 06.02.2018 um 17:24 schrieb Michelle Konzack:
Good evening,
Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten:
Hello,
our customer uses a domain that is registered, but hidden
(doesn't exist in DNS).
I hope you know what are you doing, because the DNS MUST exist!
Please read the
Good evening,
Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten:
> Hello,
>
> our customer uses a domain that is registered, but hidden
> (doesn't exist in DNS).
I hope you know what are you doing, because the DNS MUST exist!
Please read the general conditions for the EU Domain Registry!
On 06/02/2018 16:00, Matus UHLAR - fantomas wrote:
our customer uses a domain that is registered, but hidden
(doesn't exist in DNS).
The domain is used by multiple organizations and we are required to forward
lookups for the domain to foreign internal servers.
The problem is, that parent domain
Matus UHLAR - fantomas wrote:
>
> Is it currently possible to avoid validating this particular domain?
BIND 9.11 has support for negative trust anchors, but they are supposed to
be used as a temporary workaround to allow time for breakage to be fixed -
you'll probably find that the NTA support is
On 06/02/2018 16:00, Matus UHLAR - fantomas wrote:
> Hello,
>
> our customer uses a domain that is registered, but hidden
> (doesn't exist in DNS).
>
> The domain is used by multiple organizations and we are required to forward
> lookups for the domain to foreign internal servers.
>
> The proble
Am 06.02.2018 um 17:00 schrieb Matus UHLAR - fantomas:
our customer uses a domain that is registered, but hidden
(doesn't exist in DNS).
The domain is used by multiple organizations and we are required to forward
lookups for the domain to foreign internal servers.
The problem is, that parent
Hello,
our customer uses a domain that is registered, but hidden
(doesn't exist in DNS).
The domain is used by multiple organizations and we are required to forward
lookups for the domain to foreign internal servers.
The problem is, that parent domain (.eu) indicates that the domain is to be
si
> -Ursprüngliche Nachricht-
> Von: Evan Hunt [mailto:e...@isc.org]
>
> On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> > I'm just wondering, is an option like unbound's "domain-insecure"
> > intentionally not implemented in in BIND? Or did just nobody care
> > enough to
>
>If the zone isn't signed, it shouldn't be trying to validate it as there's
>nothing to validate. Unless this fictional TLD now has a real delegated
>counter-part?
>
>Stuart
Just for clarification:
If a TLD does not exist, it can neither be signed nor unsigned.
And, officially, the mentioned
NSEC.
W
On Wed, Jan 14, 2015 at 5:12 PM, Stuart Browne
wrote:
>> Unfortunately we can't sign the fictional TLD, since we are neither master
>> nor slave of the zone.
>> We are just forwarding our queries to a foreign authorative Server.
>>
>> Grüße,
>> Stefan
>
> If the zone isn't signed, it shou
> Unfortunately we can't sign the fictional TLD, since we are neither master
> nor slave of the zone.
> We are just forwarding our queries to a foreign authorative Server.
>
> Grüße,
> Stefan
If the zone isn't signed, it shouldn't be trying to validate it as there's
nothing to validate. Unless
Hi Daniel,
> You may also try to disable all DNSSEC algorithms for a zone:
> https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
>
> Regards,
> Daniel
Also a nice idea for a workaround :) But it did not work for me.
This is what I tried:
Options {
>> Our customer uses a fictional Toplevel Domain[...]
>
> Can you flip the problem on its head, by signing the fictional TLD and
> deploying managed-keys (or trusted-keys) on the validating resolvers?
>
> Graham
Unfortunately we can't sign the fictional TLD, since we are neither master nor
slave
On 14/01/2015 09:34, stefan.las...@t-systems.com wrote:
> Our customer uses a fictional Toplevel Domain[...]
Can you flip the problem on its head, by signing the fictional TLD and
deploying managed-keys (or trusted-keys) on the validating resolvers?
Graham
___
Hi Chris,
> While you wait for this to become generally available, you can do what I like
> to do for my customers: Use two layers of recursive DNS servers. The first
> layer takes queries from clients, knows about your insecure domains
> (through stub zones, slave zones, or conditional forwardi
ve running internally, all Documentations etc...
I wouldn't be surprised if they are not even aware of the problem, yet.
Regards,
Stefan
-Ursprüngliche Nachricht-
Von: Evan Hunt [mailto:e...@isc.org]
Gesendet: Mittwoch, 14. Januar 2015 09:13
An: Lasche, Stefan
Cc: BIND Users
Betre
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in in BIND? Or did just nobody care
> enough to implement it yet?
I have resisted implementing it because it's too easy for an operato
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I know that BIND has no feature to disable DNSSEC validation for selected
> Zones/Domains (when working as a recursor).
> One can only enable/disable DNSSEC validation globally per view (as a boolean
> on/off).
[...]
Hello Stefan
You may also try to disable all DNSSEC algorithms for a zone:
https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
Regards,
Daniel
On 13.01.15 14:53, stefan.las...@t-systems.com wrote:
> Hi Mukund
>
> and thanks a lot for pointing that out!
> It is already
Hi Mukund
and thanks a lot for pointing that out!
It is already more than I was hoping for :)
Regards,
Stefan
> BIND will get support for negative trust anchors in 9.11, which will provide
> the feature that you seek. An implementation is now in the master branch.
>
> https://tools.ietf.org
Hi Stefen
On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote:
> Some of the internal Domains of our customers will fail the
> proof-of-non-existence. While this is technically correct, we still
> need access to their internal Domain to do our business... So the
> current
stefan.las...@t-systems.com wrote:
>
> I know that BIND has no feature to disable DNSSEC validation for
> selected Zones/Domains (when working as a recursor).
BIND 9.11 will have negative trust anchors.
Tony.
--
f.anthony.n.finchhttp://dotat.at/
Fair Isle: Southwest 6
Hi @all,
I know that BIND has no feature to disable DNSSEC validation for selected
Zones/Domains (when working as a recursor).
One can only enable/disable DNSSEC validation globally per view (as a boolean
on/off).
I found that Microsoft's DNS Server has a feature to skip the validatio
- Original Message -
>
> In message <483759859.6291670.1398781076480.javamail.zim...@redhat.com>,
> Tomas H
> ozza writes:
> > Hi.
> >
> > I'm trying to disable DNSSEC/EDNS for the lwresd using the
> > following lwresd.conf:
&
In message <483759859.6291670.1398781076480.javamail.zim...@redhat.com>, Tomas H
ozza writes:
> Hi.
>
> I'm trying to disable DNSSEC/EDNS for the lwresd using the
> following lwresd.conf:
>
> options {
> directory "/var/named/";
>
>
Hi.
I'm trying to disable DNSSEC/EDNS for the lwresd using the
following lwresd.conf:
options {
directory "/var/named/";
dnssec-enable no;
dnssec-validation no;
pid-file "/run/named/lwresd.pid";
session-keyfile "/run
>
> Once the DS record is removed from the .edu zone, queriers won't
> expect your zone to be signed any more. At that point, you can leave
> it signed or remove the signatures, and it won't make any difference.
> You just need to wait at least 24 hours from the time the record
> disappears from t
On Tue, Jan 07, 2014 at 04:34:27PM +, Eric Davis wrote:
> Duh...silly mistake...I did a DIG on the NS record..Once the DS record is
> removed DNS queries should work fine right? Thanks Bill.
Once the DS record is removed from the .edu zone, queriers won't expect your
zone to be signed any m
Subject: Re: Disable DNSSEC
On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote:
> So I guess my DS record has the same TTL as my default TTL for my records?
> My default is 8 hours, so if I wait 8 hours after I remove the DS from my
> parent zone then I should be ok? My parent zone
On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote:
> So I guess my DS record has the same TTL as my default TTL for my records?
> My default is 8 hours, so if I wait 8 hours after I remove the DS from my
> parent zone then I should be ok? My parent zone is a TLD(.edu).
The DS record i
@lists.isc.org
[mailto:bind-users-bounces+eric=rockefeller@lists.isc.org] On Behalf Of
Georg Kahest
Sent: Tuesday, January 07, 2014 10:12 AM
To: bind-users@lists.isc.org
Subject: Re: Disable DNSSEC
On 01/07/2014 05:01 PM, Eric Davis wrote:
> My DNS appliances are not well-suited for this yet, s
On 01/07/2014 05:01 PM, Eric Davis wrote:
> My DNS appliances are not well-suited for this yet, so I want to
> disable DNSSEC for my for domain. Anyone know the proper steps to
> take and what order if there is any order? I have a DS record in
> my parent domain. Do I need to remov
My DNS appliances are not well-suited for this yet, so I want to disable DNSSEC
for my for domain. Anyone know the proper steps to take and what order if
there is any order? I have a DS record in my parent domain. Do I need to
remove that first? Thanks in advance.
Eric
On Aug 5 2011, Mark Andrews wrote:
In message , "Dodson, Ron" writes:
Hello,
Is there a way to disable dnssec validation for a single zone?
No.
Without wanting to argue about whether it would be appropriate to use
such a mechanism (if it existed) in this particular case, thi
iPhone)
On Aug 4, 2011, at 19:37, Mark Andrews wrote:
>
> In message , "Dodson, Ron" writes:
>> Hello,
>>
>> Is there a way to disable dnssec validation for a single zone?
>
> No.
>
>> The people wh
>> o run the dns for ojp.usdoj.gov hav
> The last time there was a dns issue with usdoj.gov, it took about 3
> weeks for them to fix it.
Reeks of incompetence.
-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing li
ere a way to disable dnssec validation for a single zone?
Hello,
Is there a way to disable dnssec validation for a single zone? The people
who run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates
ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov is
unsigned, and
In message , "Dodson, Ron" writes:
> Hello,
>
> Is there a way to disable dnssec validation for a single zone?
No.
> The people wh
> o run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates ojp.
> usdoj.gov and has a DS record for ojp.usdoj.gov
Hello,
Is there a way to disable dnssec validation for a single zone? The people who
run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates
ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov is
unsigned, and has no corresponding dnskey record, so validation
ed from various spam
BL repositories.
Is there a way to disable dnssec validation on a per-zone basis for
internal pseudo TLDs?
Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: t...@lava.net
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
In message , Warren Kumari wri
tes:
> On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote:
>
> > Thanks @all, sorry i was out of office yesterday. I'll discuss the
> > issue this week on the german Linux Tag in Berlin.
> >
> > What your meaning off firewalls, who looks into packets and block them
> >
On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote:
Thanks @all, sorry i was out of office yesterday. I'll discuss the
issue this week on the german Linux Tag in Berlin.
What your meaning off firewalls, who looks into packets and block them
if the filter don´t know a flag.
Some "high security" f
Thanks @all, sorry i was out of office yesterday. I'll discuss the
issue this week on the german Linux Tag in Berlin.
What your meaning off firewalls, who looks into packets and block them
if the filter don´t know a flag.
First i´ve fixed the problem with edns no;
Jan
___
In message <201006060107.o5617ep4091...@drugs.dv.isc.org>, Mark Andrews writes:
>
> In message <4c0aad2a.4010...@dougbarton.us>, Doug Barton writes:
> > On 06/05/10 07:22, Mark Andrews wrote:
> > > In message<4c09c562.7030...@dougbarton.us>, Doug Barton writes:
> > >
> > > The resolver works. It
In message <4c0aad2a.4010...@dougbarton.us>, Doug Barton writes:
> On 06/05/10 07:22, Mark Andrews wrote:
> > In message<4c09c562.7030...@dougbarton.us>, Doug Barton writes:
> >
> > The resolver works. It figures out that it can't make the new style
> > queries and falls back to the old style que
On 06/05/10 07:22, Mark Andrews wrote:
In message<4c09c562.7030...@dougbarton.us>, Doug Barton writes:
The resolver works. It figures out that it can't make the new style
queries and falls back to the old style queries. If the user is really
worried they can turn off EDNS and with that DO.
T
On 06/04/10 21:58, Paul Vixie wrote:
Doug Barton writes:
With my business hat on though I can see at least 2 possible use cases for
DO=0. The first being related to this thread, "I can't/won't fix/remove the
firewall today, I just want my resolver to work."
it works. it's just slower because
On Fri, Jun 4, 2010 at 11:32 PM, Doug Barton wrote:
>
>
> With my business hat on though I can see at least 2 possible use cases for
> DO=0. The first being related to this thread, "I can't/won't fix/remove the
> firewall today, I just want my resolver to work." The hapless user in that
> spot is
In message <4c09c562.7030...@dougbarton.us>, Doug Barton writes:
>
> Ok, so my guess as to ISC's motivations was pretty much on the mark, and
> speaking with my "Guy who loves the Internet and wants to see things
> work better for everybody" hat on, I am totally in agreement. That's why
> I sa
> The DO bit is always set whenever the server includes an EDNS OPT RR
> (I thought it was based on the specification, but don't remember which
> sentence of which RFC says so).
I was taken aback to read this, because I remembered seeing code in named
that clears the DO bit if "dnssec-enable" is "
Doug Barton writes:
> On 06/04/10 19:40, Paul Vixie wrote:
>> ...
>>
>> unless a new IETF RFC comes along and disambiguates the meaning of "DO"
>> such that it's only to be set if the requestor thinks it has a
>> reasonable shot at validating the resulting metadata, i expect BIND to
>> keep sett
On 06/04/10 19:40, Paul Vixie wrote:
Doug Barton writes:
I have a guess at why ISC would want to enable it by default, and even in
the presence of an option to turn it off I'm still Ok with that default.
But if it's not a standards requirement to have it on, giving the admin a
choice would be
Doug Barton writes:
> I have a guess at why ISC would want to enable it by default, and even in
> the presence of an option to turn it off I'm still Ok with that default.
> But if it's not a standards requirement to have it on, giving the admin a
> choice would be a welcome thing.
this was, as y
On 06/04/10 11:19, JINMEI Tatuya / 神明達哉 wrote:
The DO bit is always set whenever the server includes an EDNS OPT RR
(I thought it was based on the specification, but don't remember which
sentence of which RFC says so).
Given that concern about whether or not it's a good idea to always send
DO=
> First, dns-validation is 'off' by default in all BIND versions. It's
> dnssec-enable that started defaulting to 'yes'.
Correct in the sense that there are no configured trust anchors, so
validation doesn't happen.
Incorrect in the sense that the "dnssec-validation" option *is* turned on
by defa
At Fri, 4 Jun 2010 16:50:26 +0200,
Jan Buchholz <96de...@googlemail.com> wrote:
> >> how i can disable dnssec in the bind resolver ? My firewall don´t let
> >> packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but
> >> this don´t fix the pr
On 6/4/2010 1:52 PM, R. Kevin Oberman wrote:
> First, dns-validation is 'off' by default in all BIND versions. It's
> dnssec-enable that started defaulting to 'yes'.
No, it isn't. The only reason that dnssec-validation appears "off" is
that without trust anchors, it doesn't do anything. Insert
Date: Friday, Jun 4, 2010 9:20 am
Subject: Re: disable dnssec in bind resolver
To: Evan Hunt
CC: bind-users@lists.isc.org
On Fri, 4 Jun 2010, Evan Hunt wrote:
> I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it
doesn't, that's probably a bug.
Yeah,
> >If it doesn't, though, try "edns no". You can't have a DO bit if you
> >don't have a place to put one.
>
> This seems a bit like "my left leg hurts, so i stabbed my right leg".
Exactly. Now you aren't lopsided.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
On Fri, 4 Jun 2010, Evan Hunt wrote:
I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it
doesn't, that's probably a bug.
Yeah, I thought the default changed when all those NAT routers proved buggy.
If it doesn't, though, try "edns no". You can't have a DO bit if you
don't ha
On Fri, Jun 04, 2010 at 05:36:21PM +0200, Jan Buchholz wrote:
> i mean the parameter is the default.
Actually, since 9.5.0, the default has been "dnssec-validation yes".
(Note, however, that DNSSEC validation doesn't occur unless the resolver
has a trust anchor configured. So you there has to be
tner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: disable dnssec in bind resolver
i mean the parameter is the default.
my problem is, if a client want to resolve a ip-address from my
bind-server, the resolver set for some domains the D0 flag for the
question. And this behaviour don´t like m
e way you expect or you wouldn't have asked.
>
> -Original Message-
> From: bind-users-bounces+jlightner=water@lists.isc.org
> [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of
> Jan Buchholz
> Sent: Friday, June 04, 2010 10:50 AM
> To: Paul Wo
sers@lists.isc.org
Subject: Re: disable dnssec in bind resolver
2010/6/4 Paul Wouters :
> On Fri, 4 Jun 2010, Jan Buchholz wrote:
>
>> how i can disable dnssec in the bind resolver ? My firewall don´t let
>> packets with D0 flag through. I´ve tried 'dnssec-enable no;' ,
2010/6/4 Paul Wouters :
> On Fri, 4 Jun 2010, Jan Buchholz wrote:
>
>> how i can disable dnssec in the bind resolver ? My firewall don´t let
>> packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but
>> this don´t fix the problem.
>
> I bel
On Fri, 4 Jun 2010, Jan Buchholz wrote:
how i can disable dnssec in the bind resolver ? My firewall don´t let
packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but
this don´t fix the problem.
I believe that only disables *serving* DNSSEC records.
I think you wa
hello together,
how i can disable dnssec in the bind resolver ? My firewall don´t let
packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but
this don´t fix the problem.
Thanks,
Jan
___
bind-users mailing list
bind-users@lists.isc
90 matches
Mail list logo
