> -Original Message-
> From: Evan Hunt [mailto:e...@isc.org]
>
> On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> > I'm just wondering, is an option like unbound's "domain-insecure"
> > intentionally not implemented in BIND? Or did just nobody care
> > enough to
>
> If the zone isn't signed, it shouldn't be trying to validate it as there's
> nothing to validate. Unless this fictional TLD now has a real delegated
> counter-part?
>
> Stuart
Just for clarification:
If a TLD does not exist, it can neither be signed nor unsigned.
And, officially, the mentioned
NSEC.
W
On Wed, Jan 14, 2015 at 5:12 PM, Stuart Browne
wrote:
>> Unfortunately we can't sign the fictional TLD, since we are neither master
>> nor slave of the zone.
>> We are just forwarding our queries to a foreign authoritative server.
>>
>> Regards,
>> Stefan
>
> If the zone isn't signed, it shou
> Unfortunately we can't sign the fictional TLD, since we are neither master
> nor slave of the zone.
> We are just forwarding our queries to a foreign authoritative server.
>
> Regards,
> Stefan
If the zone isn't signed, it shouldn't be trying to validate it as there's
nothing to validate. Unless
Hi Daniel,
> You may also try to disable all DNSSEC algorithms for a zone:
> https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
>
> Regards,
> Daniel
Also a nice idea for a workaround :) But it did not work for me.
This is what I tried:
Options {
>> Our customer uses a fictional Toplevel Domain[...]
>
> Can you flip the problem on its head, by signing the fictional TLD and
> deploying managed-keys (or trusted-keys) on the validating resolvers?
>
> Graham
Unfortunately we can't sign the fictional TLD, since we are neither master nor
slave
On 14/01/2015 09:34, stefan.las...@t-systems.com wrote:
> Our customer uses a fictional Toplevel Domain[...]
Can you flip the problem on its head, by signing the fictional TLD and
deploying managed-keys (or trusted-keys) on the validating resolvers?
Graham
Hi Chris,
> While you wait for this to become generally available, you can do what I like
> to do for my customers: Use two layers of recursive DNS servers. The first
> layer takes queries from clients, knows about your insecure domains
> (through stub zones, slave zones, or conditional forwardi
ff: Re: Disable DNSSEC Validation for selected Domains
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care
> enough to implem
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care
> enough to implement it yet?
I have resisted implementing it because it's too easy for an operato
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I know that BIND has no feature to disable DNSSEC validation for selected
> Zones/Domains (when working as a recursor).
> One can only enable/disable DNSSEC validation globally per view (as a boolean
> on/off).
[...]
> I'm just
Hello Stefan
You may also try to disable all DNSSEC algorithms for a zone:
https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
Regards,
Daniel
On 13.01.15 14:53, stefan.las...@t-systems.com wrote:
> Hi Mukund
>
> and thanks a lot for pointing that out!
> It is already
Hi Mukund
and thanks a lot for pointing that out!
It is already more than I was hoping for :)
Regards,
Stefan
> BIND will get support for negative trust anchors in 9.11, which will provide
> the feature that you seek. An implementation is now in the master branch.
>
> https://tools.ietf.org
Hi Stefan
On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote:
> Some of the internal Domains of our customers will fail the
> proof-of-non-existence. While this is technically correct, we still
> need access to their internal Domain to do our business... So the
> current
stefan.las...@t-systems.com wrote:
>
> I know that BIND has no feature to disable DNSSEC validation for
> selected Zones/Domains (when working as a recursor).
BIND 9.11 will have negative trust anchors.
Tony.
--
f.anthony.n.finch http://dotat.at/
Fair Isle: Southwest 6 to gale 8, occasionall
Hi @all,
I know that BIND has no feature to disable DNSSEC validation for selected
Zones/Domains (when working as a recursor).
One can only enable/disable DNSSEC validation globally per view (as a boolean
on/off).
I found that Microsoft's DNS Server has a feature to skip the validation for
som