rbldnsd and DNSSEC compatibility issues - any suggestions?

Thu, 10 Sep 2020 08:57:23 -0700

I manage an anti-spam DNSBL and I've been running into an issue in recent years - that I'm FINALLY getting around to asking about. I just joined this list to ask this question. Also, I checked the archives, but couldn't find an answer - at least, not one I understood.
So basically, while most of our users do direct queries and don't have this issue - some of our larger subscribers RSYNC the rbldsnd-formatted files, and then they typically run rbldnsd on the same server as their BIND server that is answering their DNSBL queries. Then, their invaluement zone names will all end with "invaluement.local". Typically, their RBLDNSD server is set up to listen on 127.0.0.2 - and then they use BIND for answering their DNSBL queries, and so they tell BIND to get its answers for THOSE invaluement dnsbl queries by doing a DNS forwarder, telling bind to get the answers for THOSE zones from 127.0.0.2 - as shown below: 

zone "invaluement.local" in {
  type forward;
  forward only;
  forwarders { 127.0.0.2; };
};


This works perfectly - so long as DNSSEC is turned off. And since most 
of our subscribers are running a dedicated instance of BIND that is ONLY 
used for DNSBL queries, they don't mind turning DNSSEC off.



But, occasionally, we have a customer who cannot turn DNSSEC off. So I 
was hoping that THIS command would work:


dnssec-must-be-secure "invaluement.local" no;


But it doesn't seem to be helping at all. Is that command suppose to 
disable DNSSEC checking for a particular zone? If yes, what did I do 
wrong? If not, what /does/ "dnssec-must-be-secure" set to "no" do?



I've heard that there is NOT a way to get this to work - and that such 
subscribers much use DNS Delegation, instead. But I really wish this 
could be done by simply turning off DNSSEC for a /particular/ zone. That 
could be useful for MANY various types of internal zones that need this. 
But if this is that case, how would that DNS Delegation look, to get the 
above forwarding example to work using delegation instead?


Thanks in advance for your help!

-- Rob McEwen, invaluement


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to