On Fri, Jun 04, 2010 at 05:36:21PM +0200, Jan Buchholz wrote:
> I mean the parameter is the default.

Actually, since 9.5.0, the default has been "dnssec-validation yes". (Note, however, that DNSSEC validation doesn't occur unless the resolver has a trust anchor configured. So there has to be a "trusted-keys" statement, a "managed-keys" statement, or the "dnssec-lookaside auto" option, or your resolver won't validate.)

Unfortunately, turning off validation won't help. A non-validating recursive resolver still sets the DO bit--all that bit means is "go ahead and send me DNSSEC data, it won't hurt me".

I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it doesn't, that's probably a bug. If it doesn't, though, try "edns no". You can't have a DO bit if you don't have a place to put one.

And, fix the broken firewall as soon as possible. :)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
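
An added illustration, not part of the original message and not ISC code: the DO bit travels in the TTL field of the EDNS OPT pseudo-record, so a query sent without EDNS has nowhere to carry it. The sketch below builds constructed sample queries and reports whether a wire-format message has EDNS and the DO bit set; the function names are hypothetical.

```python
import struct

OPT = 41  # EDNS pseudo-record type; DO is bit 0x8000 of its TTL field (RFC 3225)

def build_query(qname, edns=True, do=True, udp_size=4096):
    """Build a constructed A query; without EDNS there is no OPT record at all."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = qname.strip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b""
    if edns:
        # OPT RR: root name, type 41, CLASS=UDP size, TTL=ext-rcode|version|DO+Z
        opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x8000 if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def edns_status(msg):
    """Return (has_edns, do_bit) for a DNS message in wire format."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            return True, bool(ttl & 0x8000)
    return False, False

if __name__ == "__main__":
    for edns, do in [(True, True), (True, False), (False, True)]:
        print(f"edns={edns} do={do} ->", edns_status(build_query("example.com", edns, do)))
```

Feeding `edns_status` the UDP payload of a query captured between the resolver and the firewall shows whether a configuration change actually removed the DO bit or the OPT record.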