On Sun, Mar 28, 2010 at 11:48:37PM +0100, I wrote:
A couple of weeks ago I upgraded my BINDs to 9.7.0 and enabled DLV.
This is my first time attempting to validate DNSSEC; however, I've been
seeing intermittent failures to resolve domains under .org which have
been frequent enough to force me
Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
I've seen no repeat of the DNSSEC name resolution issues so far; it's
early days yet (only been running DLV for three days) but certainly
looking promising.
I spoke too soon. I've now found a query that (at least this
dig www.bbc.net.uk +cd
How does the last query work?
What I meant by that, in case it wasn't clear, was that setting the CD
flag in the query caused the query to succeed, hence strongly
suggesting that the cause of the failure in the original query was
related to DNSSEC
In message 20100414232855.gp1...@giles.gnomon.org.uk, Roy Badami writes:
Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
I've seen no repeat of the DNSSEC name resolution issues so far; it's
early days yet (only been running DLV for three days) but certainly
looking
I have seen this happen when bind for some reason (eg mtu issues with
vpn) cannot query for the DLV key at dlv.isc.org. I have not figured
out the exact failure mode there. Check the logs to see errors for DNSKEY
queries for dlv.isc.org to see if this is happening here too. However in
In article mailman.983.1269884152.21153.bind-us...@lists.isc.org,
Roy Badami r...@gnomon.org.uk wrote:
I have seen this happen when bind for some reason (eg mtu issues with
vpn) cannot query for the DLV key at dlv.isc.org. I have not figured
out the exact failure mode there. Check the logs
On 2010/03/28, at 18:48, Roy Badami wrote:
configured). The queries are resulting in SERVFAIL, and I'm pretty
sure the failures are DNSSEC-related, as when I've seen problems as
they occur (dig failing from the command line) then repeating the
query with the CD bit allowed it to succeed.
It looks to me like your example, freebsd.org, is insecure.
Yes, I agree freebsd.org is insecure, but I still want to be able to
resolve it :-)
.org is signed with NSEC3 and (I think, but could be misremembering)
is using opt-out. org is registered in DLV, so BIND still has to do
some work
On Mon, 29 Mar 2010, Matthew Pounsett wrote:
On 2010/03/28, at 18:48, Roy Badami wrote:
configured). The queries are resulting in SERVFAIL, and I'm pretty
sure the failures are DNSSEC-related, as when I've seen problems as
they occur (dig failing from the command line) then repeating the
Yes, I agree freebsd.org is insecure, but I still want to be able to
resolve it :-)
The point was, you should not be getting DNSSEC-related errors from
a domain that is not secured.
I disagree. In order for a validating resolver to resolve freebsd.org
(or any other insecure domain under
I have seen this happen when bind for some reason (eg mtu issues with
vpn) cannot query for the DLV key at dlv.isc.org. I have not figured
out the exact failure mode there. Check the logs to see errors for DNSKEY
queries for dlv.isc.org to see if this is happening here too. However in
that