> DNSSEC and ISAKMP are not related.
Well, that's no longer entirely true... AIUI Microsoft seem to have
decided that in their DNSSEC implementation they will use IPsec (and
hence IKE with GSS-API) to secure communications from the client to
the validating resolver (rather than using GSS-TSIG, wh
> Actually there *is* DNSSEC involved or the query would not have
> failed.
Yes, sorry. I meant to imply that there is no DNSSEC involved beyond
the verification of the covering NSEC that proves the lack of a DLV
record.
> There is a bug in the BIND 9.7.0-P1 fixes that triggers this. The
> fix
> > dig www.bbc.net.uk +cd
>
> How does the last query "work"?
What I meant by that, in case it wasn't clear, was that setting the CD
flag in the query caused the query to succeed, hence strongly
suggesting that the cause of the failure in the original query was
related to DNSSEC
> Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
> I've seen no repeat of the DNSSEC name resolution issues so far; it's
> early days yet (only been running DLV for three days) but certainly
> looking promising.
I spoke too soon. I've now found a query that (at least this eve
On Sun, Mar 28, 2010 at 11:48:37PM +0100, I wrote:
> A couple of weeks ago I upgraded my BINDs to 9.7.0 and enabled DLV.
>
> This is my first time attempting to validate DNSSEC; however, I've been
> seeing intermittent failures to resolve domains under .org which have
> been frequent enough to forc
> I have seen this happen when bind for some reason (eg mtu issues with
> vpn) cannot query for the DLV key at dlv.isc.org. I have not figured
> out the exact failure mode there. Check the logs to see errors for DNSKEY
> queries for dlv.isc.org to see if this is happening here too. However in
> tha
> > Yes, I agree freebsd.org is insecure, but I still want to be able to
> > resolve it :-)
>
> The point was, you should not be getting DNSSEC-related errors from
> a domain that is not secured.
I disagree. In order for a validating resolver to resolve freebsd.org
(or any other insecure domain
> It looks to me like your example, freebsd.org, is insecure.
Yes, I agree freebsd.org is insecure, but I still want to be able to
resolve it :-)
.org is signed with NSEC3 and (I think, but could be misremembering)
is using opt-out. org is registered in DLV, so BIND still has to do
some work
A couple of weeks ago I upgraded my BINDs to 9.7.0 and enabled DLV.
This is my first time attempting to validate DNSSEC; however, I've been
seeing intermittent failures to resolve domains under .org which have
been frequent enough to force me to disable DLV again (hence
effectively disabling DNSSEC
> All keys were available to BIND, and the zone was successfully
> resigned just by running dnssec-signzone over the zone with no
> arguments (except for the zone file name).
Hmm, sorry to have posted prematurely - it looks like all keys were
*not* available to BIND due to file ownership issues, b
I have a zone which is DNSSEC signed and is configured as a dynamic
zone (although in practice dynamic updates are not normally used on
this zone). AIUI BIND 9.7.0 should automatically resign the zone as
required as long as the keys are available to it.
However, what I actually found is that alt
11 matches