At Fri, 4 Jun 2010 16:50:26 +0200, Jan Buchholz <96de...@googlemail.com> wrote:
> >> how i can disable dnssec in the bind resolver ? My firewall don't let
> >> packets with D0 flag through. I've tried 'dnssec-enable no;' , but
> >> this don't fix the problem.
> >
> > I believe that only disables *serving* DNSSEC records.
> >
> > I think you want 'dnssec-validation no;'

> sorry, 'dnssec-validation no;' is already configured, because that's
> the default.

The DO bit is always set whenever the server includes an EDNS OPT RR
(I thought it was based on the specification, but don't remember which
sentence of which RFC says so). So, your only choice is to completely
disable EDNS:

    server ::/0 { edns no; };
    server 0.0.0.0/0 { edns no; };

As others said, however, I'd rather say "the fix is to upgrade/replace
the broken firewall". Please consider it only for a short term
workaround and seriously consider fixing the real problem.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
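
Added example (not part of the original thread, and not ISC code): a Python sketch that locates the DO bit inside the EDNS OPT RR of a raw DNS message, useful for checking captured resolver queries before and after applying `edns no`. The function names and the sample queries for example.com are constructed for illustration; the field layout follows RFC 6891 and RFC 3225.

```python
import struct

TYPE_OPT = 41      # OPT pseudo-RR type (RFC 6891)
DO_MASK = 0x8000   # DO bit: top bit of the 16-bit flags field in the OPT TTL (RFC 3225)

def build_query(name, qtype=1, edns=True, do=True, msg_id=0x1234):
    """Build a constructed sample query; edns=False mimics a resolver using 'edns no'."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = [l.encode() for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\0"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns:
        # root owner name, TYPE=OPT, CLASS=UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), RDLEN=0
        msg += b"\0" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0,
                                   DO_MASK if do else 0, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + n

def edns_status(msg):
    """Return (has_opt_rr, do_bit_set) for a raw DNS message."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):                      # question: name + type + class
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):            # walk every resource record
        off = _skip_name(msg, off)
        rtype, _cls, _ext, _ver, flags, rdlen = struct.unpack_from("!HHBBHH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return True, bool(flags & DO_MASK)
    return False, False

if __name__ == "__main__":
    for label, q in [("EDNS with DO", build_query("example.com")),
                     ("EDNS without DO", build_query("example.com", do=False)),
                     ("no EDNS", build_query("example.com", edns=False))]:
        print(f"{label:16} {len(q):3} bytes  opt/do = {edns_status(q)}")
```

Without the OPT RR there is no field left to carry the DO bit, which is why disabling EDNS is the only resolver-side way to stop sending it.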