Re: disable dnssec in bind resolver

2010-06-04 Thread Evan Hunt
> The DO bit is always set whenever the server includes an EDNS OPT RR (I thought it was based on the specification, but don't remember which sentence of which RFC says so). I was taken aback to read this, because I remembered seeing code in named that clears the DO bit if "dnssec-enable" is "

Re: disable dnssec in bind resolver

2010-06-04 Thread Paul Vixie
Doug Barton writes: > On 06/04/10 19:40, Paul Vixie wrote: >> ... >> unless a new IETF RFC comes along and disambiguates the meaning of "DO" such that it's only to be set if the requestor thinks it has a reasonable shot at validating the resulting metadata, i expect BIND to keep sett

Re: disable dnssec in bind resolver

2010-06-04 Thread Doug Barton
On 06/04/10 19:40, Paul Vixie wrote: Doug Barton writes: I have a guess at why ISC would want to enable it by default, and even in the presence of an option to turn it off I'm still Ok with that default. But if it's not a standards requirement to have it on, giving the admin a choice would be

Re: disable dnssec in bind resolver

2010-06-04 Thread Paul Vixie
Doug Barton writes: > I have a guess at why ISC would want to enable it by default, and even in the presence of an option to turn it off I'm still Ok with that default. But if it's not a standards requirement to have it on, giving the admin a choice would be a welcome thing. this was, as y

Re: bind security: warning

2010-06-04 Thread Mark Andrews
In message , kebba.foon @qcell.gm writes: > Dear list, I am using BIND 9.5.1-P3; recently I have been having lots of issues with my cache server. At one point it was not resolving any queries. Please help, this is the log that keeps showing up on my server: 04-Jun-2010 19:20:47.200 security: warn

Re: disable dnssec in bind resolver

2010-06-04 Thread Doug Barton
On 06/04/10 11:19, JINMEI Tatuya / 神明達哉 wrote: The DO bit is always set whenever the server includes an EDNS OPT RR (I thought it was based on the specification, but don't remember which sentence of which RFC says so). Given that concern about whether or not it's a good idea to always send DO=

bind security: warning

2010-06-04 Thread kebba . foon
Dear list, I am using BIND 9.5.1-P3; recently I have been having lots of issues with my cache server. At one point it was not resolving any queries. Please help, this is the log that keeps showing up on my server: 04-Jun-2010 19:20:47.200 security: warning: client 41.223.214.27#8222: RFC 1918 response from

Re: disable dnssec in bind resolver

2010-06-04 Thread Evan Hunt
> First, dnssec-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'. Correct in the sense that there are no configured trust anchors, so validation doesn't happen. Incorrect in the sense that the "dnssec-validation" option *is* turned on by defa

Re: disable dnssec in bind resolver

2010-06-04 Thread JINMEI Tatuya / 神明達哉
At Fri, 4 Jun 2010 16:50:26 +0200, Jan Buchholz <96de...@googlemail.com> wrote: >>> how can I disable DNSSEC in the BIND resolver? My firewall doesn't let packets with the DO flag through. I've tried 'dnssec-enable no;', but this doesn't fix the problem. >> I believe that only disables *

Re: disable dnssec in bind resolver

2010-06-04 Thread Alan Clegg
On 6/4/2010 1:52 PM, R. Kevin Oberman wrote: > First, dnssec-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'. No, it isn't. The only reason that dnssec-validation appears "off" is that without trust anchors, it doesn't do anything. Insert

Re: disable dnssec in bind resolver

2010-06-04 Thread R. Kevin Oberman
This thread has gotten bogged down in silliness. (Not referring to Paul's message). First, dnssec-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'. Second, your firewall is simply broken. You will continue to have problems with DNS until you

Re: bind 9.7, dnssec and multiple key directories and resalt NSEC3

2010-06-04 Thread Casey Deccio
On Fri, Jun 4, 2010 at 9:10 AM, Evan Hunt wrote: > The way it's supposed to work is: you add the new NSEC3PARAM record, then wait for the new NSEC3 chain to be built. The newly inserted record will, at first, have its "flags" field set to a nonzero value; this indicates that the chain isn'

Re: disable dnssec in bind resolver

2010-06-04 Thread Evan Hunt
>> If it doesn't, though, try "edns no". You can't have a DO bit if you don't have a place to put one. > This seems a bit like "my left leg hurts, so I stabbed my right leg". Exactly. Now you aren't lopsided. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc.

Re: disable dnssec in bind resolver

2010-06-04 Thread Paul Wouters
On Fri, 4 Jun 2010, Evan Hunt wrote: I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it doesn't, that's probably a bug. Yeah, I thought the default changed when all those NAT routers proved buggy. If it doesn't, though, try "edns no". You can't have a DO bit if you don't ha

Re: bind 9.7, dnssec and multiple key directories and resalt NSEC3

2010-06-04 Thread Evan Hunt
> The first one, can I configure multiple key directories? The reasoning for this is that I would like to separate the KSKs from the ZSKs. No, you can't... but that's an interesting idea. Right now it's a single key directory per zone. > The second question. I've tried doing a resalt using d

Re: disable dnssec in bind resolver

2010-06-04 Thread Evan Hunt
On Fri, Jun 04, 2010 at 05:36:21PM +0200, Jan Buchholz wrote: > I mean the parameter is the default. Actually, since 9.5.0, the default has been "dnssec-validation yes". (Note, however, that DNSSEC validation doesn't occur unless the resolver has a trust anchor configured. So there has to be

RE: disable dnssec in bind resolver

2010-06-04 Thread Lightner, Jeff
You didn't answer my question. Telling me it is the default is simply regurgitating what you said before. Is it in your named.conf? That's a yes/no question. -Original Message- From: Jan Buchholz [mailto:96de...@googlemail.com] Sent: Friday, June 04, 2010 11:36 AM To: Lightner, Jeff C

Re: disable dnssec in bind resolver

2010-06-04 Thread Jan Buchholz
I mean the parameter is the default. My problem is: if a client wants to resolve an IP address from my BIND server, the resolver sets the DO flag in the question for some domains, and my firewall doesn't like this behaviour. Jan 2010/6/4 Lightner, Jeff : > I don't understand that. > Are you saying

RE: disable dnssec in bind resolver

2010-06-04 Thread Lightner, Jeff
I don't understand that. Are you saying that "dnssec-validation no;" is in your named.conf or are you saying you don't believe it is necessary to set it there because by default validation is off? If the latter what does it hurt to try it? Obviously something isn't working the way you expect o

Re: bind 9.7, dnssec and multiple key directories and resalt NSEC3

2010-06-04 Thread Casey Deccio
On Fri, Jun 4, 2010 at 3:11 AM, Tim Verhoeven wrote: > The second question. I've tried doing a resalt using dynamic updates but I can't get it to work. Just adding a new NSEC3PARAM RR crashes Bind and doing a delete and then an add (to replace the present RR) gives me a servfail but I see t

Re: disable dnssec in bind resolver

2010-06-04 Thread Jan Buchholz
2010/6/4 Paul Wouters : > On Fri, 4 Jun 2010, Jan Buchholz wrote: >> how can I disable DNSSEC in the BIND resolver? My firewall doesn't let packets with the DO flag through. I've tried 'dnssec-enable no;', but this doesn't fix the problem. > I believe that only disables *serving* DNSSEC records

Re: disable dnssec in bind resolver

2010-06-04 Thread Paul Wouters
On Fri, 4 Jun 2010, Jan Buchholz wrote: how can I disable DNSSEC in the BIND resolver? My firewall doesn't let packets with the DO flag through. I've tried 'dnssec-enable no;', but this doesn't fix the problem. I believe that only disables *serving* DNSSEC records. I think you want 'dnssec-validati

disable dnssec in bind resolver

2010-06-04 Thread Jan Buchholz
Hello together, how can I disable DNSSEC in the BIND resolver? My firewall doesn't let packets with the DO flag through. I've tried 'dnssec-enable no;', but this doesn't fix the problem. Thanks, Jan

Re: bind 9.7, dnssec and multiple key directories and resalt NSEC3

2010-06-04 Thread Tim Verhoeven
On Fri, Jun 4, 2010 at 1:18 PM, Phil Mayers wrote: > On 04/06/10 11:11, Tim Verhoeven wrote: >> I'm currently testing the automatic signing for DNSSEC present in Bind 9.7. I'm currently using Bind 9.7.0 and I have 2 questions. >> The first one, can I configure multiple key directories? Th

Re: bind 9.7, dnssec and multiple key directories and resalt NSEC3

2010-06-04 Thread Phil Mayers
On 04/06/10 11:11, Tim Verhoeven wrote: Hi, I'm currently testing the automatic signing for DNSSEC present in Bind 9.7. I'm currently using Bind 9.7.0 and I have 2 questions. The first one, can I configure multiple key directories? The reasoning for this is that I would like to separate the KSK

bind 9.7, dnssec and multiple key directories and resalt NSEC3

2010-06-04 Thread Tim Verhoeven
Hi, I'm currently testing the automatic signing for DNSSEC present in Bind 9.7. I'm currently using Bind 9.7.0 and I have 2 questions. The first one, can I configure multiple key directories? The reasoning for this is that I would like to separate the KSKs from the ZSKs. And this to be able to

Re: question about bind bug fixed in 9.6.2-P2

2010-06-04 Thread Cathy Almond
Jack Tavares wrote: > From the release notes: > --- 9.6.2-P2 released --- > 2876. [bug] Named could return SERVFAIL for negative responses from unsigned zones. [RT #21131] > Question: > Does this bug only occur if dnssec is enabled?