On Thu, 2020-09-10 at 13:50 -0400, Jim Popovitch via bind-users wrote:
> On Thu, 2020-09-10 at 11:56 -0400, Rob McEwen wrote:
> > I manage an anti-spam DNSBL and I've been running into an issue in recent
> > years - that I'm FINALLY getting around to asking about. I just joined this
> > list to ask this question. Also, I checked the archives, but couldn't find
> > an answer - at least, not one I understood.
> > So basically, while most of our users do direct queries and don't have this
> > issue - some of our larger subscribers RSYNC the rbldsnd-formatted files,
> > and then they typically run rbldnsd on the same server as their BIND server
> > that is answering their DNSBL queries. Then, their invaluement zone names
> > will all end with "invaluement.local". Typically, their RBLDNSD server is
> > set up to listen on 127.0.0.2 - and then they use BIND for answering their
> > DNSBL queries, and so they tell BIND to get its answers for THOSE
> > invaluement dnsbl queries by doing a DNS forwarder, telling bind to get the
> > answers for THOSE zones from 127.0.0.2 - as shown below:
> > zone "invaluement.local" in {
> > type forward;
> > forward only;
> > forwarders { 127.0.0.2; };
> > };
> >
> > This works perfectly - so long as DNSSEC is turned off. And since most of
> > our subscribers are running a dedicated instance of BIND that is ONLY used
> > for DNSBL queries, they don't mind turning DNSSEC off.
> > But, occasionally, we have a customer who cannot turn DNSSEC off. So I was
> > hoping that THIS command would work:
> > dnssec-must-be-secure "invaluement.local" no;
> > But it doesn't seem to be helping at all. Is that command suppose to
> > disable DNSSEC checking for a particular zone? If yes, what did I do wrong?
> > If not, what does "dnssec-must-be-secure" set to "no" do?
> > I've heard that there is NOT a way to get this to work - and that such
> > subscribers much use DNS Delegation, instead. But I really wish this could
> > be done by simply turning off DNSSEC for a particular zone. That could be
> > useful for MANY various types of internal zones that need this. But if this
> > is that case, how would that DNS Delegation look, to get the above
> > forwarding example to work using delegation instead?
> > Thanks in advance for your help!
>
> Just a thought, but ARM says:
>
> dnssec-must-be-secure
> Specify hierarchies which must be or may not be secure (signed and
> validated). If yes,
> then named will only accept answers if they are secure. If no, then normal
> DNSSEC
> validation applies allowing for insecure answers to be accepted. The
> specified domain
> must be defined as a trust anchor, for instance in a trust-anchors
> statement, or dnssec-
> validation auto must be active.
>
>
> You might want to try adding "dnssec-validation auto" to the zone stanza.
>
> zone "invaluement.local" in {
> type forward;
> forward only;
> forwarders { 127.0.0.2; };
> dnssec-validation auto;
> };
In retrospect that won't work. dnssec-validation can only be used in
options or views. Maybe try using a view?
-Jim P.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
