On 05/09/2011 19:32, dchilton+b...@bestmail.us wrote:
> Hi.
> My bind v980-p1 svr is DNSSEC-enabled, and signed zones are publishing
> as DNSSEC-valid.
> I've both internal and external views:
> -- internal is authoritative and provides recursion for LAN clients
> -- external serves only as an authoritative hidden-primary feeding
> slaves via AXFR.

Step 1 should be to separate those functions into separate processes.
You're adding completely unnecessary complexity trying to shoehorn 2
substantially different features into the same process.

> for known-bad domains 'dig domain.com' hesitates for a bit, then returns
> SERVFAIL -- no DATA.

It's not clear at all what you are defining as "known bad" here.
www.adobe.com resolves just fine for me with or without +dnssec because
adobe.com is not signed.

> Shouldn't the "+dnssec" case for known-bad be returning DATA?

Known-bad in DNSSEC terms means a domain that is signed, but the
signatures do not validate. In that case the queries should not return
data.

> Also, I'm unclear about the proper use for validation. I *want* to
> validate, but have the DATA nonetheless returned, with appropriate FLAGS
> so that, e.g., Firefox + DNSSEC-extension can (1) resolve the domain,
> and (2) 'report' the DNSSEC state in-browser.

That's not at all how DNSSEC works, see above.

> The way things are working now, with validation enabled and NO DATA
> returned, domains simply don't resolve at all -- and, of course, the
> browser displays a failure.
> Is my expected usage _not_ appropriate?

No, it isn't; however the fact that un-signed domains aren't returning
data either is a problem. Split the features you described above into
separate servers, remove the views stuff on the resolver, and try again.
hth,
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
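The distinction Doug draws (unsigned names resolve normally, signed-but-invalid names get SERVFAIL with no data, and an unsigned name that also fails points at the resolver rather than at DNSSEC) can be checked from a validating resolver with three `dig` queries: a plain one, one with `+dnssec` (sets the DO bit, so a validating resolver marks validated answers with the `ad` flag), and one with `+cd` (sets Checking Disabled, so the resolver hands back whatever data it has without validating). The script below is an added illustration, not code from the thread or from ISC; it parses the header lines of ordinary `dig` text output, classifies the name, and runs over constructed replies so it works offline. The `_fake_dig` helper, the scenario names and the "resolver-problem" label are my own (the last one is my reading of Doug's remark about unsigned domains not returning data); only the `dig` header format and the DO/CD/AD semantics are standard.

```python
import re
from dataclasses import dataclass

# dig prints header lines such as
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*?);.*?ANSWER: (\d+)")


@dataclass(frozen=True)
class DigReply:
    status: str        # NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: frozenset   # qr, rd, ra, ad, cd, ...
    answers: int       # ANSWER count from the header line


def parse_dig(text: str) -> DigReply:
    """Pull status, flags and answer count out of dig's header lines."""
    status = STATUS_RE.search(text)
    header = FLAGS_RE.search(text)
    if not status or not header:
        raise ValueError("not a dig reply: header lines missing")
    return DigReply(status.group(1), frozenset(header.group(1).split()),
                    int(header.group(2)))


def classify(plain: DigReply, dnssec: DigReply, cd: DigReply) -> str:
    """plain = `dig NAME`, dnssec = `dig +dnssec NAME`, cd = `dig +cd NAME`."""
    if plain.status == "NOERROR" and "ad" in dnssec.flags:
        return "secure"            # signed and validated: AD set on the DO query
    if plain.status == "NOERROR":
        return "insecure"          # resolves, no AD: unsigned (adobe.com in the thread)
    if plain.status == "SERVFAIL" and cd.status == "NOERROR" and cd.answers > 0:
        return "bogus"             # data exists (+cd gets it) but fails validation
    if plain.status == "SERVFAIL":
        return "resolver-problem"  # even +cd gets nothing: not a validation failure
    return plain.status.lower()    # NXDOMAIN, REFUSED, ... passed through


def _fake_dig(status, flags, answers, rrs=()):
    """Constructed dig-style output so the demo runs without a network."""
    lines = [
        ";; ->>HEADER<<- opcode: QUERY, status: %s, id: 4242" % status,
        ";; flags: %s; QUERY: 1, ANSWER: %d, AUTHORITY: 0, ADDITIONAL: 1"
        % (flags, answers),
    ]
    if rrs:
        lines += ["", ";; ANSWER SECTION:"] + list(rrs)
    return "\n".join(lines) + "\n"


def demo() -> dict:
    """Classify four constructed scenarios; returns {scenario: verdict}."""
    a_rr = "www.example.com.\t300\tIN\tA\t192.0.2.10"   # constructed record
    cases = {
        "signed-and-valid": (
            _fake_dig("NOERROR", "qr rd ra", 1, [a_rr]),
            _fake_dig("NOERROR", "qr rd ra ad", 2, [a_rr]),  # A + RRSIG, AD set
            _fake_dig("NOERROR", "qr rd ra cd", 1, [a_rr]),
        ),
        "unsigned": (
            _fake_dig("NOERROR", "qr rd ra", 1, [a_rr]),
            _fake_dig("NOERROR", "qr rd ra", 1, [a_rr]),     # no RRSIG, no AD
            _fake_dig("NOERROR", "qr rd ra cd", 1, [a_rr]),
        ),
        "signed-but-broken": (
            _fake_dig("SERVFAIL", "qr rd ra", 0),
            _fake_dig("SERVFAIL", "qr rd ra", 0),
            _fake_dig("NOERROR", "qr rd ra cd", 1, [a_rr]),  # +cd bypasses validation
        ),
        "resolver-misconfigured": (
            _fake_dig("SERVFAIL", "qr rd ra", 0),
            _fake_dig("SERVFAIL", "qr rd ra", 0),
            _fake_dig("SERVFAIL", "qr rd ra cd", 0),         # nothing even with +cd
        ),
    }
    return {name: classify(*map(parse_dig, replies))
            for name, replies in cases.items()}


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print("%-24s %s" % (scenario, verdict))
```

The "resolver-problem" branch is the diagnostic the thread ends on: when a name fails even with `+cd`, validation cannot be the cause, and the fix is on the resolver side (in the thread, untangling the recursive view from the authoritative hidden primary), not in the zone's signatures.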