On Sun, Aug 31, 2014 at 09:06:24PM +0200, Peter Bauer wrote:
> As resolver I have Bind:
> # cat /etc/resolv.conf
> nameserver 10.0.3.1
> 
> And on 10.0.3.1 I have this:
>       forwarders {
>               213.133.98.98;
>               213.133.99.99;
>               213.133.100.100;
>       };

Do you control these forwarders?  If not you probably do not want 
them.  As you seem to be running on a virtual host, I probably would 
run named on a physical host at the same site, or perhaps on another 
virtual host.  Then simply point the resolv.conf at it, and do away 
with this instance of named.

>       dnssec-enable yes;

This is a default setting; you can take it out.  It means your named 
understands the DNSSEC RRtypes.

>       dnssec-validation auto;

This is what actually does the work.

>       dnssec-lookaside auto;

This does some of the work too, unfortunately; 4 years after the 
signing of the root zone, DLV is still too important.

> Is it possible that forwarders has more priority than the DNSSEC
> options of bind?

You're either forwarding first or only, with global forwarders.  If 
your forwarders don't support DNSSEC, you get non-DNSSEC answers.

There are other very good reasons why not to use forwarders outside 
your control, although if they do support DNSSEC they can't get away 
with spoofing records in signed zones.

On Sun, Aug 31, 2014 at 09:11:20PM +0200, Peter Bauer wrote:
> I will check how to change the configuration of the LXC DNS server
> that it resolves to DNSSEC or I will update my /etc/resolv.conf
> file on the LXC guest system to ask directly my bind server.

Very recent versions of dnsmasq do support DNSSEC, but indeed, just 
point at your non-forwarding named server and all is well.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
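As an added example, not code from this thread or from ISC: a small audit script for the point rob0 makes above, that global forwarders in options{} decide whether named ever sees DNSSEC data, and that dnssec-validation is the setting that does the validating. It reads a named.conf, tracks brace depth so that per-zone forwarders are not mistaken for global ones, and reports what it finds. The function names and both sample configurations are constructed here (the "bad" one mirrors the quoted config plus a forward only; line). One caveat that post-dates the 2014 thread: ISC retired the DLV registry in 2017, so the script flags dnssec-lookaside for removal rather than treating it as doing any of the work.

```shell
#!/bin/sh
# Added example (not from the thread): audit the global options{} block of a
# named.conf for forwarders and for the DNSSEC validation settings.
# audit_named_conf / dnssec_posture and the sample configs are constructed here.

# Print one token per finding, looking only at the top-level options{} block:
#   FORWARDERS    options{} has forwarders {...}   (every query goes to them)
#   FORWARD_ONLY  options{} has forward only;      (no fallback to own recursion)
#   VALIDATION    dnssec-validation is auto or yes
#   DLV           dnssec-lookaside is set (ISC retired DLV in 2017; remove it)
# Brace depth is tracked so forwarders inside a zone{} stanza are not reported.
audit_named_conf() {
    sed -e 's|//.*||' -e 's|#.*||' -e 's|/\*.*\*/||' "$1" | awk '
    {
        line = $0
        if (depth == 0 && line ~ /^[ \t]*options[ \t]*\{/) in_opt = 1
        if (in_opt && depth == 1) {
            if (line ~ /forwarders[ \t]*\{/)                       fw  = 1
            if (line ~ /forward[ \t]+only[ \t]*;/)                 fo  = 1
            if (line ~ /dnssec-validation[ \t]+(auto|yes)[ \t]*;/) val = 1
            if (line ~ /dnssec-lookaside/)                         dlv = 1
        }
        depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
        if (depth == 0) in_opt = 0
    }
    END {
        if (fw)  print "FORWARDERS"
        if (fo)  print "FORWARD_ONLY"
        if (val) print "VALIDATION"
        if (dlv) print "DLV"
    }'
}

# Exit 0 when named validates on its own; otherwise print why and exit 1.
dnssec_posture() {
    findings=$(audit_named_conf "$1")
    rc=0
    case "$findings" in
        *FORWARDERS*)
            echo "global forwarders: answers are only as DNSSEC-capable as the forwarders are"
            rc=1 ;;
    esac
    case "$findings" in
        *VALIDATION*) ;;
        *) echo "dnssec-validation is not auto/yes: nothing is validated"; rc=1 ;;
    esac
    case "$findings" in
        *DLV*) echo "dnssec-lookaside is set: DLV was retired in 2017, remove it"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the quoted configuration, plus "forward only;".
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
options {
        directory "/var/cache/bind";
        forward only;
        forwarders {
                213.133.98.98;
                213.133.99.99;
                213.133.100.100;
        };
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
};
EOF

# Constructed sample: the fix suggested above, no global forwarders.
# A forward-only stanza for an internal zone is scoped to that zone and is
# deliberately not reported.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-recursion { 10.0.3.0/24; };
        dnssec-validation auto;
};
zone "corp.example" {
        type forward;
        forward only;
        forwarders { 10.0.3.53; };
};
EOF
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT

for f in "$BAD_CONF" "$GOOD_CONF"; do
    echo "== $f"
    if dnssec_posture "$f"; then echo "ok: validating, no global forwarders"; fi
done

# To confirm on the live resolver (needs network, so not run here):
#   dig +dnssec @10.0.3.1 . SOA      -> header "flags:" should include ad
#   dig +cd +dnssec @10.0.3.1 . SOA  -> same query with checking disabled, for comparison
```

The brace-depth bookkeeping is what makes the "global" distinction real: a zone-scoped forwarders{} block at depth 2 is never examined, which is exactly the case the thread leaves open (a local named that validates for the world but still forwards one internal zone).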
