On 8/18/2010 8:30 AM, Phil Mayers wrote:
On 18/08/10 13:15, Lightner, Jeff wrote:
It comes right up in Firefox but prompts for a username and password.
Do you have DNSSEC validation enabled? Because as per my email, it's a
DNSSEC problem.
After a bit of investigation, it seems that the problem is a missing
NSEC/NSEC3 record in the empty reply for:
$ dig +dnssec @165.112.4.230 ncbi.nlm.nih.gov ds
...since the "ncbi" zone is an unsigned child zone, there needs to be an
NSEC/NSEC3 record to prove the absence of the DS record, and have a
secure delegation to an unsigned child zone.
It sounds to me like DNSSEC validation is working as designed. If your
DNS server's users are complaining about not being able to resolve
something that fails validation, the question you need to ask is do your
end-users really want you to do DNSSEC validation for them?
If you're asking for a workaround for when validation fails, there's not
much point to doing the validation.
--
Dave
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
