Re: Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Timothe Litt
On 26-Aug-14 12:52, Doug Barton wrote:
> On 8/26/14 5:50 AM, Tomas Hozza wrote:
> | On 08/26/2014 02:27 PM, Mark Andrews wrote:
> |>> Why would you expect them to succeed?
> |
> | Because validation using root servers and authoritative servers
> | proved that the domain is intentionally unsecure.

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Doug Barton
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 8/26/14 5:50 AM, Tomas Hozza wrote:
| On 08/26/2014 02:27 PM, Mark Andrews wrote:
|>> Why would you expect them to succeed?
|
| Because validation using root servers and authoritative servers
| proved that the domain is intentionally unsecure.

T

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Tomas Hozza
On Tue 26 Aug 2014 03:07:22 PM CEST, Mark Andrews wrote:
> In message <53fc827e.7090...@redhat.com>, Tomas Hozza writes:
>>
>> On 08/26/2014 02:27 PM, Mark Andrews wrote:
>>> Why would you expect them to succeed?
>>
>> Because validation using root servers and authoritative servers proved
>> that t

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Mark Andrews
In message <53fc827e.7090...@redhat.com>, Tomas Hozza writes:
>
> On 08/26/2014 02:27 PM, Mark Andrews wrote:
> > Why would you expect them to succeed?
>
> Because validation using root servers and authoritative servers proved
> that the domain is intentionally unsecure.

No. It only proves th

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Tomas Hozza
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/26/2014 02:27 PM, Mark Andrews wrote:
> Why would you expect them to succeed?

Because validation using root servers and authoritative servers proved that the domain is intentionally unsecure.

> If you use DLV you are
> expecting anything for w

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Tomas Hozza
On Tue 26 Aug 2014 02:32:24 PM CEST, Kevin Darcy wrote:
> So you care enough about security to implement DNSSEC, but you run your
> forwarder on port 80. Interesting...
>
> - Kevin

It is a completely artificial setup for testing purposes onl

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Kevin Darcy
So you care enough about security to implement DNSSEC, but you run your forwarder on port 80. Interesting...

- Kevin

On 8/26/2014 8:19 AM, Tomas Hozza wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello.

I found out that when

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Mark Andrews
Why would you expect them to succeed? If you use DLV you are expecting anything for which DLV is used as a trust anchor to be safe from being spoofed. The *only* way this can happen is to fail if the DLV lookup fails for any reason.

Mark

In message <53fc7b35.6040...@redhat.com>, Tomas Hozza wr

recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Tomas Hozza
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello.

I found out that when bind is configured as a recursive resolver with dnssec-lookaside set to 'auto' and dlv.isc.org is unreachable, all lookups for unsigned (UNSECURE) names fail even if the validation succeeds (IOW the validation of NSEC3 answe