On Thu, 2020-09-10 at 13:50 -0400, Jim Popovitch via bind-users wrote:
> On Thu, 2020-09-10 at 11:56 -0400, Rob McEwen wrote:
> > I manage an anti-spam DNSBL and I've been running into an issue in recent 
> > years - that I'm FINALLY getting around to asking about. I just joined this 
> > list to ask this question. Also, I checked the archives, but couldn't find 
> > an answer - at least, not one I understood.
> > 
> > So basically, while most of our users do direct queries and don't have this 
> > issue - some of our larger subscribers RSYNC the rbldnsd-formatted files, 
> > and then they typically run rbldnsd on the same server as their BIND server 
> > that is answering their DNSBL queries. Then, their invaluement zone names 
> > will all end with "invaluement.local". Typically, their RBLDNSD server is 
> > set up to listen on 127.0.0.2 - and then they use BIND for answering their 
> > DNSBL queries, and so they tell BIND to get its answers for THOSE 
> > invaluement dnsbl queries by doing a DNS forwarder, telling bind to get the 
> > answers for THOSE zones from 127.0.0.2 - as shown below:
> > 
> > zone "invaluement.local" in {
> >   type forward;
> >   forward only;
> >   forwarders { 127.0.0.2; };
> > };
> > 
> > This works perfectly - so long as DNSSEC is turned off. And since most of 
> > our subscribers are running a dedicated instance of BIND that is ONLY used 
> > for DNSBL queries, they don't mind turning DNSSEC off.
> > 
> > But, occasionally, we have a customer who cannot turn DNSSEC off. So I was 
> > hoping that THIS command would work:
> > 
> > dnssec-must-be-secure "invaluement.local" no;
> > 
> > But it doesn't seem to be helping at all. Is that command supposed to 
> > disable DNSSEC checking for a particular zone? If yes, what did I do wrong? 
> > If not, what does "dnssec-must-be-secure" set to "no" do?
> > 
> > I've heard that there is NOT a way to get this to work - and that such 
> > subscribers must use DNS Delegation, instead. But I really wish this could 
> > be done by simply turning off DNSSEC for a particular zone. That could be 
> > useful for MANY various types of internal zones that need this. But if this 
> > is the case, how would that DNS Delegation look, to get the above 
> > forwarding example to work using delegation instead?
> > 
> > Thanks in advance for your help!
> 
> Just a thought, but ARM says:
> 
> dnssec-must-be-secure
>    Specify hierarchies which must be or may not be secure (signed and 
>    validated). If yes, then named will only accept answers if they are 
>    secure. If no, then normal DNSSEC validation applies allowing for 
>    insecure answers to be accepted. The specified domain must be defined 
>    as a trust anchor, for instance in a trust-anchors statement, or 
>    dnssec-validation auto must be active.
> 
> 
> You might want to try adding "dnssec-validation auto" to the zone stanza.
> 
> zone "invaluement.local" in {
>    type forward;
>    forward only;
>    forwarders { 127.0.0.2; };
>    dnssec-validation auto;
> };

In retrospect that won't work.  dnssec-validation can only be used in
options or views.  Maybe try using a view?

-Jim P.
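For the forward-zone setup quoted above, the following named.conf fragment is an added example written by the editor, not configuration posted by Rob or Jim. It assumes a BIND version that supports the `validate-except` option (9.16 and later), the same rbldnsd listener on 127.0.0.2 as in Rob's post, and a `directory` path that is only a placeholder. The point it illustrates is the one the ARM text quoted above makes: `dnssec-must-be-secure ... no;` only returns a name to normal validation, it does not exempt it, so an unsigned zone served locally needs an explicit exemption instead.

```conf
// Added example (not from the list thread): keep DNSSEC validation on
// globally, but exempt the locally served DNSBL zone that rbldnsd answers
// unsigned.
options {
    directory "/var/cache/bind";            // placeholder; adjust to your install

    // Keep validation enabled for everything else, using the built-in
    // root trust anchor (this is what "dnssec-validation auto" does).
    dnssec-validation auto;

    // Names at and below these are never validated. Without this line the
    // validator can find neither a chain of trust nor a signed proof of an
    // insecure delegation for invaluement.local, so the unsigned answer
    // from 127.0.0.2 is treated as bogus and the client gets SERVFAIL.
    validate-except { "invaluement.local"; };
};

// Same forward zone as in the original post: send everything under
// invaluement.local to the rbldnsd instance listening on 127.0.0.2.
zone "invaluement.local" in {
    type forward;
    forward only;
    forwarders { 127.0.0.2; };
};
```

Check the file with `named-checkconf` before reloading; after `rndc reload`, a query for a name under invaluement.local should return rbldnsd's answer rather than SERVFAIL, while queries for signed zones keep the AD bit. On versions without `validate-except`, Jim's suggestion is the alternative: since `dnssec-validation` is only valid in `options` or a `view`, put the forward zone in a dedicated view whose `match-clients` covers only the DNSBL-querying hosts and set `dnssec-validation no;` inside that view. `rndc nta invaluement.local` also works as a stopgap, but negative trust anchors expire (one hour by default, seven days at most), so it is not a permanent fix.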



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users