On Thu, 2020-09-10 at 11:56 -0400, Rob McEwen wrote:
> I manage an anti-spam DNSBL and I've been running into an issue in recent 
> years - that I'm FINALLY getting around to asking about. I just joined this 
> list to ask this question. Also, I checked the archives, but couldn't find an 
> answer - at least, not one I understood.
> So basically, while most of our users do direct queries and don't have this 
> issue - some of our larger subscribers RSYNC the rbldnsd-formatted files, and 
> then they typically run rbldnsd on the same server as their BIND server that 
> is answering their DNSBL queries. Then, their invaluement zone names will all 
> end with "invaluement.local". Typically, their RBLDNSD server is set up to 
> listen on 127.0.0.2 - and then they use BIND for answering their DNSBL 
> queries, and so they tell BIND to get its answers for THOSE invaluement dnsbl 
> queries by doing a DNS forwarder, telling bind to get the answers for THOSE 
> zones from 127.0.0.2 - as shown below:
> zone "invaluement.local" in {
>   type forward;
>   forward only;
>   forwarders { 127.0.0.2; };
> };
>
> This works perfectly - so long as DNSSEC is turned off. And since most of our 
> subscribers are running a dedicated instance of BIND that is ONLY used for 
> DNSBL queries, they don't mind turning DNSSEC off.
> But, occasionally, we have a customer who cannot turn DNSSEC off. So I was 
> hoping that THIS command would work:
> dnssec-must-be-secure "invaluement.local" no;
> But it doesn't seem to be helping at all. Is that command supposed to disable 
> DNSSEC checking for a particular zone? If yes, what did I do wrong? If not, 
> what does "dnssec-must-be-secure" set to "no" do?
> I've heard that there is NOT a way to get this to work - and that such 
> subscribers must use DNS Delegation, instead. But I really wish this could be 
> done by simply turning off DNSSEC for a particular zone. That could be useful 
> for MANY various types of internal zones that need this. But if this is the 
> case, how would that DNS Delegation look, to get the above forwarding example 
> to work using delegation instead?
> Thanks in advance for your help!


Just a thought, but ARM says:

dnssec-must-be-secure
   Specify hierarchies which must be or may not be secure (signed and 
   validated). If yes, then named will only accept answers if they are 
   secure. If no, then normal DNSSEC validation applies allowing for 
   insecure answers to be accepted. The specified domain must be defined 
   as a trust anchor, for instance in a trust-anchors statement, or 
   dnssec-validation auto must be active.


You might want to try adding "dnssec-validation auto" to the zone stanza.

zone "invaluement.local" in {
   type forward;
   forward only;
   forwarders { 127.0.0.2; };
   dnssec-validation auto;
};


-Jim P.
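For reference, the following named.conf fragment is an added example and is not configuration from either poster. In BIND's grammar, dnssec-validation and validate-except (available in BIND 9.16 and later) are options/view-level statements rather than zone statements, so the example places them there. It keeps DNSSEC validation switched on for everything else while exempting only the unsigned internal DNSBL zone that rbldnsd serves on 127.0.0.2. The zone name and forwarder address come from the thread; the directory, address ranges and recursion settings are assumptions for illustration.

```conf
// Added example (not from either poster): a dedicated BIND 9.16+ resolver
// that validates DNSSEC globally but exempts the unsigned internal DNSBL
// zone served by rbldnsd on 127.0.0.2. Zone name and forwarder address are
// from the thread; everything else here is an assumption.
options {
    directory "/var/cache/bind";       // assumed working directory
    recursion yes;

    // Only the local host and an assumed internal range may use this
    // resolver; adjust to the real mail-server addresses.
    allow-query     { 127.0.0.0/8; 10.0.0.0/8; };
    allow-recursion { 127.0.0.0/8; 10.0.0.0/8; };

    // Global validation stays enabled, using the built-in root trust anchor.
    dnssec-validation auto;

    // Names at and below this point are not validated, so the unsigned
    // answers coming from rbldnsd are accepted instead of producing
    // SERVFAIL. Keep this list to the internal zone only so that
    // validation of every other name is unaffected.
    validate-except { "invaluement.local"; };
};

// Forward the exempted zone to the local rbldnsd instance.
zone "invaluement.local" in {
    type forward;
    forward only;
    forwarders { 127.0.0.2; };
};
```

After editing, run `named-checkconf` to catch syntax errors and `rndc reconfig` to load the change, then query a name under invaluement.local through BIND (port 53 on 127.0.0.1) and confirm that the lookup returns the rbldnsd answer rather than SERVFAIL, while a query for a signed public name still returns the AD flag.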

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users