On Thu, 2020-09-10 at 13:50 -0400, Jim Popovitch via bind-users wrote:
> On Thu, 2020-09-10 at 11:56 -0400, Rob McEwen wrote:
> > I manage an anti-spam DNSBL and I've been running into an issue in recent
> > years - that I'm FINALLY getting around to asking about. I just joined this
> > list to ask this question. Also, I checked the archives, but couldn't find
> > an answer - at least, not one I understood.
> >
> > So basically, while most of our users do direct queries and don't have this
> > issue - some of our larger subscribers RSYNC the rbldnsd-formatted files,
> > and then they typically run rbldnsd on the same server as their BIND server
> > that is answering their DNSBL queries. Then, their invaluement zone names
> > will all end with "invaluement.local". Typically, their RBLDNSD server is
> > set up to listen on 127.0.0.2 - and then they use BIND for answering their
> > DNSBL queries, and so they tell BIND to get its answers for THOSE
> > invaluement dnsbl queries by doing a DNS forwarder, telling bind to get the
> > answers for THOSE zones from 127.0.0.2 - as shown below:
> >
> > zone "invaluement.local" in {
> >     type forward;
> >     forward only;
> >     forwarders { 127.0.0.2; };
> > };
> >
> > This works perfectly - so long as DNSSEC is turned off. And since most of
> > our subscribers are running a dedicated instance of BIND that is ONLY used
> > for DNSBL queries, they don't mind turning DNSSEC off.
> >
> > But, occasionally, we have a customer who cannot turn DNSSEC off. So I was
> > hoping that THIS command would work:
> >
> > dnssec-must-be-secure "invaluement.local" no;
> >
> > But it doesn't seem to be helping at all. Is that command supposed to
> > disable DNSSEC checking for a particular zone? If yes, what did I do wrong?
> > If not, what does "dnssec-must-be-secure" set to "no" do?
> >
> > I've heard that there is NOT a way to get this to work - and that such
> > subscribers must use DNS Delegation, instead. But I really wish this could
> > be done by simply turning off DNSSEC for a particular zone. That could be
> > useful for MANY various types of internal zones that need this. But if this
> > is the case, how would that DNS Delegation look, to get the above
> > forwarding example to work using delegation instead?
> >
> > Thanks in advance for your help!
>
> Just a thought, but ARM says:
>
>     dnssec-must-be-secure
>     Specify hierarchies which must be or may not be secure (signed and
>     validated). If yes, then named will only accept answers if they are
>     secure. If no, then normal DNSSEC validation applies allowing for
>     insecure answers to be accepted. The specified domain must be defined
>     as a trust anchor, for instance in a trust-anchors statement, or
>     dnssec-validation auto must be active.
>
> You might want to try adding "dnssec-validation auto" to the zone stanza.
>
> zone "invaluement.local" in {
>     type forward;
>     forward only;
>     forwarders { 127.0.0.2; };
>     dnssec-validation auto;
> };
In retrospect that won't work. dnssec-validation can only be used in options or views. Maybe try using a view?

-Jim P.
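The view-based layout Jim points at, written out as an added example (it is not part of the thread and not ISC's documentation). It assumes BIND 9 with views, rbldnsd listening on 127.0.0.2 as in Rob's setup, and a constructed placeholder network 192.0.2.0/24 for the mail servers that query the DNSBL. Because `dnssec-validation` is an options/view statement rather than a zone statement, the forward zone is placed inside a view that only the DNSBL clients match, and validation is switched off in that view alone; every other client keeps full validation.

```conf
// Added example for this thread; not from the original message or from ISC.
// Assumptions: BIND 9 with views, rbldnsd on 127.0.0.2, and 192.0.2.0/24 as a
// constructed placeholder for the hosts that send DNSBL queries.

acl dnsbl-clients { 127.0.0.1; 192.0.2.0/24; };

// Views are tried in order; the first match-clients hit wins.
view "dnsbl" {
    match-clients { dnsbl-clients; };
    recursion yes;

    // This disables validation for EVERY answer served from this view, not
    // only invaluement.local, which is why match-clients is kept narrow.
    dnssec-validation no;

    zone "invaluement.local" in {
        type forward;
        forward only;
        forwarders { 127.0.0.2; };
    };
};

view "default" {
    match-clients { any; };
    recursion yes;
    dnssec-validation auto;
    // Once views are in use, every zone has to sit inside some view; any
    // other local zones belong here (or in both views, as needed).
};
```

Run `named-checkconf` before reloading: a common mistake when converting to views is leaving a zone outside any view, which named rejects. If the deployed BIND is 9.14 or newer, the `validate-except { "invaluement.local"; };` options statement skips validation at and below that name without splitting clients into views; that statement is not mentioned in the thread and needs checking against the ARM for the version actually installed.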