Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Chris Buxton
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote: > I know that BIND has no feature to disable DNSSEC validation for selected > Zones/Domains (when working as a recursor). > One can only enable/disable DNSSEC validation globally per view (as a boolean > on/off). [...] > I'm just

Re: FYI: adobe.com GSLB DNS servers choking on "nsid"

2015-01-13 Thread Mark Andrews
We tried. It's "we don't get enough complaints" so we won't actually ask our nameserver vendor how to fix this despite us telling them that they just need to add a CNAME record to the backend zone. The load balancer has a front end that answers A and queries. CNAME/TXT/SOA and "unusual" A and

Re: FYI: adobe.com GSLB DNS servers choking on "nsid"

2015-01-13 Thread Carl Byington
On Tue, 2015-01-13 at 12:49 +, Phil Mayers wrote: > Just found another; dns{0,1}.getsurfed.com are returning crazy error > codes with "nsid" (and presumably other) edns options: > # dig +norec +nsid @213.162.97.177 www.london-nano.com > ;; Got a

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Daniel Stirnimann
Hello Stefan You may also try to disable all DNSSEC algorithms for a zone: https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html Regards, Daniel On 13.01.15 14:53, stefan.las...@t-systems.com wrote: > Hi Mukund > > and thanks a lot for pointing that out! > It is already

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Stefan.Lasche
Hi Mukund and thanks a lot for pointing that out! It is already more than I was hoping for :) Regards, Stefan > BIND will get support for negative trust anchors in 9.11, which will provide > the feature that you seek. An implementation is now in the master branch. > > https://tools.ietf.org

Re: FYI: adobe.com GSLB DNS servers choking on "nsid"

2015-01-13 Thread Phil Mayers
On 13/01/15 12:39, Phil Mayers wrote: On 13/01/15 12:37, Anand Buddhdev wrote: On 13/01/15 13:27, Phil Mayers wrote: Just to save anyone else the trouble, I've just found that some of the GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present: It's not just NSID. They're resp

Re: FYI: adobe.com GSLB DNS servers choking on "nsid"

2015-01-13 Thread Phil Mayers
On 13/01/15 12:37, Anand Buddhdev wrote: On 13/01/15 13:27, Phil Mayers wrote: Just to save anyone else the trouble, I've just found that some of the GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present: It's not just NSID. They're responding with NXDOMAIN if you send any ED

Re: FYI: adobe.com GSLB DNS servers choking on "nsid"

2015-01-13 Thread Anand Buddhdev
On 13/01/15 13:27, Phil Mayers wrote: > Just to save anyone else the trouble, I've just found that some of the > GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present: It's not just NSID. They're responding with NXDOMAIN if you send any EDNS option they don't understand, so it's

Re: FYI: adobe.com GSLB DNS servers choking on "nsid"

2015-01-13 Thread Phil Mayers
On 13/01/15 12:27, Phil Mayers wrote: Just to save anyone else the trouble, I've just found that some of the GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present: ...and in fact "sit", which is the actual problem option we're hitting (our 9.10 package seems to have been unint

FYI: adobe.com GSLB DNS servers choking on "nsid"

2015-01-13 Thread Phil Mayers
Just to save anyone else the trouble, I've just found that some of the GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present: # dig +norec +dnssec +nsid @193.104.215.247 ardownload.wip4.adobe.com ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50062 ...versu

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Mukund Sivaraman
Hi Stefan On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote: > Some of the internal Domains of our customers will fail the > proof-of-non-existence. While this is technically correct, we still > need access to their internal Domain to do our business... So the > current

Re: Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Tony Finch
stefan.las...@t-systems.com wrote: > > I know that BIND has no feature to disable DNSSEC validation for > selected Zones/Domains (when working as a recursor). BIND 9.11 will have negative trust anchors. Tony. -- f.anthony.n.finch http://dotat.at/ Fair Isle: Southwest 6 to gale 8, occasionall

Disable DNSSEC Validation for selected Domains

2015-01-13 Thread Stefan.Lasche
Hi @all, I know that BIND has no feature to disable DNSSEC validation for selected Zones/Domains (when working as a recursor). One can only enable/disable DNSSEC validation globally per view (as a boolean on/off). I found that Microsoft's DNS Server has a feature to skip the validation for som