Re: Disable DNSSEC Validation for selected Domains
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care
> enough to implement it yet?

I have resisted implementing it because it's too easy for an operator to forget they knocked a hole in their DNSSEC protections, and leave the hole in place long after it stopped being useful.

The negative trust anchor implementation that will be released in 9.11 corrects for this with built-in term limits. NTAs are added via rndc, and they expire and are removed after a relatively short lifespan, not exceeding a week.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
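Editor's note: the mechanism Evan describes did ship in BIND 9.11, and the fragment below is an added illustration of how it is driven. It is not code from the thread or from ISC's documentation. The options and rndc subcommands are the real 9.11 ones; the domain "example.", the listening address 127.0.0.1 and the one-day lifetime are placeholders chosen for the example.

```conf
// Added example (not from the original thread): BIND 9.11+ negative
// trust anchors. "example." stands in for whatever domain is failing
// validation; 127.0.0.1 is the resolver's own address.
options {
    recursion yes;
    dnssec-validation auto;

    // Lifetime used when "rndc nta" is run without -lifetime.
    // The hard ceiling is one week; named rejects longer values,
    // which is the "built-in term limit" Evan refers to.
    nta-lifetime 1h;

    // How often named re-tests whether the domain validates again.
    // If the check succeeds, the NTA is dropped before it expires.
    nta-recheck 5m;
};

// Operational commands (typed at a shell, not part of named.conf):
//
//   Treat example. and everything below it as insecure for one day:
//     rndc nta -lifetime 1d example.
//
//   List the active NTAs with their expiry times:
//     rndc nta -dump
//
//   Remove it early once the upstream problem is fixed:
//     rndc nta -remove example.
//
// Check: a name under example. should now answer instead of SERVFAIL,
// while a domain that validates properly must still come back with
// the AD flag set, proving validation is off only for the one subtree:
//     dig @127.0.0.1 host.example. A
//     dig @127.0.0.1 +dnssec some-signed-domain.example.net. SOA
```

The practical difference from unbound's domain-insecure is that the exception is operational state with an expiry rather than configuration: if nobody renews it with another rndc nta, the resolver goes back to validating the domain on its own.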
AW: Disable DNSSEC Validation for selected Domains
Hm... In our case a short lifespan won't be enough. Our customer uses a fictional top-level domain, and migrating the whole infrastructure to a new, proper domain will take him months if not years. They'll have to adjust every DNS config of every server, every web service they have running internally, all documentation etc... I wouldn't be surprised if they are not even aware of the problem yet.

Regards,
Stefan

-----Original Message-----
From: Evan Hunt [mailto:e...@isc.org]
Sent: Wednesday, 14 January 2015 09:13
To: Lasche, Stefan
Cc: BIND Users
Subject: Re: Disable DNSSEC Validation for selected Domains

On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I'm just wondering, is an option like unbound's "domain-insecure"
> intentionally not implemented in BIND? Or did just nobody care
> enough to implement it yet?

I have resisted implementing it because it's too easy for an operator to forget they knocked a hole in their DNSSEC protections, and leave the hole in place long after it stopped being useful.

The negative trust anchor implementation that will be released in 9.11 corrects for this with built-in term limits. NTAs are added via rndc, and they expire and are removed after a relatively short lifespan, not exceeding a week.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
AW: Disable DNSSEC Validation for selected Domains
Hi Chris,

> While you wait for this to become generally available, you can do what I like
> to do for my customers: Use two layers of recursive DNS servers. The first
> layer takes queries from clients, knows about your insecure domains
> (through stub zones, slave zones, or conditional forwarding), and does not
> perform DNSSEC validation. The first layer globally forwards to the second
> layer, which does DNSSEC validation and recursion.

Funny thing is that I have tried something similar already, placing a validating server in the first layer and forwarding problematic domains to a non-validating server in the second layer. This didn't help. Now that I read your message, I see that it should have been the other way around to make it work ;)

Regards,
Stefan
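Editor's note: the layered design Chris describes, written out as an added example; this is not configuration from the thread. It assumes two separate named instances (two files, shown one after the other), RFC 5737 documentation addresses, "example." as the fictional TLD, 192.0.2.53 as the customer's authoritative server for it, and the validating back end listening on 127.0.0.1 port 5353.

```conf
// Added example, not from the original thread. Two named instances:
// layer 1 faces the clients and never validates; layer 2 validates.
// Placeholders: 192.0.2.10 = client-facing address, 192.0.2.0/24 =
// client network, 192.0.2.53 = authoritative server for "example.",
// 127.0.0.1 port 5353 = the validating back end.

// ---------------- named-front.conf (layer 1) ----------------
options {
    listen-on { 192.0.2.10; };
    recursion yes;
    allow-recursion { 192.0.2.0/24; };

    // Layer 1 validates nothing itself; it only relays.
    dnssec-validation no;

    // Everything not matched by a more specific zone goes to layer 2.
    forward only;
    forwarders { 127.0.0.1 port 5353; };
};

// The insecure domain is sent straight to its authoritative server.
// It never passes through the validator, so it cannot fail validation.
zone "example" IN {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// ---------------- named-back.conf (layer 2) -----------------
options {
    listen-on port 5353 { 127.0.0.1; };
    recursion yes;
    allow-recursion { 127.0.0.1; };

    // Full recursion with validation from the built-in root key.
    dnssec-validation auto;
};

// Checks, run against layer 1 from a client:
//   dig @192.0.2.10 host.example. A      -> answered via 192.0.2.53
//   dig @192.0.2.10 +dnssec isc.org. SOA -> validated by layer 2,
//                                           SERVFAIL if it were bogus
```

Why the reversed arrangement Stefan tried cannot work: a validating front end validates whatever its back end returns, and for a name under a TLD the signed root proves does not exist there is no chain of trust to find, so the answer is bogus no matter which server produced it. Two caveats for the working order: layer 1 accepts layer 2's answers blindly, so the two must talk over a path you trust (same host, or an isolated segment), and nothing in layer 1 validated, so do not expect its answers to carry the AD bit to clients.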
Re: AW: Disable DNSSEC Validation for selected Domains
On 14/01/2015 09:34, stefan.las...@t-systems.com wrote:
> Our customer uses a fictional Toplevel Domain[...]

Can you flip the problem on its head, by signing the fictional TLD and deploying managed-keys (or trusted-keys) on the validating resolvers?

Graham
AW: AW: Disable DNSSEC Validation for selected Domains
>> Our customer uses a fictional Toplevel Domain[...]
>
> Can you flip the problem on its head, by signing the fictional TLD and
> deploying managed-keys (or trusted-keys) on the validating resolvers?
>
> Graham

Unfortunately we can't sign the fictional TLD, since we are neither master nor slave of the zone. We are just forwarding our queries to a foreign authoritative server.

Regards,
Stefan
AW: Disable DNSSEC Validation for selected Domains
Hi Daniel,

> You may also try to disable all DNSSEC algorithms for a zone:
> https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
>
> Regards,
> Daniel

Also a nice idea for a workaround :) But it did not work for me. This is what I tried:

    options {
        forward only;
        forwarders { x.x.x.x; };
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
        // mark every listed algorithm as unsupported at and below "example."
        disable-algorithms "example." {
            "RSAMD5"; "RSA"; "DH"; "DSA"; "NSEC3DSA"; "ECC";
            "RSASHA1"; "NSEC3RSASHA1"; "RSASHA256"; "RSASHA512"; "ECCGOST";
        };
    };

    // queries for the fictional TLD go to its own forwarder
    zone "example" IN {
        type forward;
        forward only;
        forwarders { y.y.y.y; };
    };

But BIND still tries to validate and fails...

Regards,
Stefan
reject invalid dns queries
Hello,

Is there any solution to drop the invalid DNS queries from the BIND configuration?

Regards
Daniel
Re: reject invalid dns queries
Perhaps if you explained a little more clearly what you are trying to accomplish you might get more replies... What are "invalid DNS queries"? What are they in the configuration?

On Wed, Jan 14, 2015 at 5:53 AM, Daniel Dawalibi wrote:
> Hello,
>
> Is there any solution to drop the invalid DNS queries from the BIND
> configuration?
>
> Regards
> Daniel

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
RE: AW: Disable DNSSEC Validation for selected Domains
> Unfortunately we can't sign the fictional TLD, since we are neither master
> nor slave of the zone.
> We are just forwarding our queries to a foreign authoritative server.
>
> Regards,
> Stefan

If the zone isn't signed, it shouldn't be trying to validate it as there's nothing to validate. Unless this fictional TLD now has a real delegated counterpart?

Stuart
Re: AW: Disable DNSSEC Validation for selected Domains
NSEC.

W

On Wed, Jan 14, 2015 at 5:12 PM, Stuart Browne wrote:
>> Unfortunately we can't sign the fictional TLD, since we are neither master
>> nor slave of the zone.
>> We are just forwarding our queries to a foreign authoritative server.
>>
>> Regards,
>> Stefan
>
> If the zone isn't signed, it shouldn't be trying to validate it as there's
> nothing to validate. Unless this fictional TLD now has a real delegated
> counterpart?
>
> Stuart

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf