Re: Force Bind caching resolver to always obey DNSSSEC

2010-10-02 Thread Phil Mayers
On 10/02/2010 10:01 AM, lst_ho...@kwsoft.de wrote: So the problem is not resolvers unaware of DNSSEC but resolvers with inappropriate defaults or configured wrong by accident. Additionally this problem is not easily detectable as it can occur far downstream. So I would say it is a valid concern f

Re: Force Bind caching resolver to always obey DNSSSEC

2010-10-02 Thread lst_hoe02
Quoting Barry Margolin: In article , lst_ho...@kwsoft.de wrote: Quoting Alan Clegg: > On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: > >> Sorry for being unclear. We want the SERVFAIL as it should be for >> invalid DNSSEC data *in all cases*, e.g. even if a client asks with the >> cdfla

Re: Force Bind caching resolver to always obey DNSSSEC

2010-10-01 Thread Barry Margolin
In article , lst_ho...@kwsoft.de wrote: > Quoting Alan Clegg: > > > On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: > > > >> Sorry for being unclear. We want the SERVFAIL as it should be for > >> invalid DNSSEC data *in all cases*, e.g. even if a client asks with the > >> cdflag (checking disab

Re: Force Bind caching resolver to always obey DNSSSEC

2010-10-01 Thread lst_hoe02
Quoting Alan Clegg: On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: Sorry for being unclear. We want the SERVFAIL as it should be for invalid DNSSEC data *in all cases*, e.g. even if a client asks with the cdflag (checking disable) set. CD means "don't check", so you can't by definition. A

Re: Force Bind caching resolver to always obey DNSSSEC

2010-10-01 Thread Alan Clegg
On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: > Sorry for being unclear. We want the SERVFAIL as it should be for > invalid DNSSEC data *in all cases*, e.g. even if a client asks with the > cdflag (checking disable) set. CD means "don't check", so you can't by definition. AlanC

Re: Force Bind caching resolver to always obey DNSSSEC

2010-10-01 Thread lst_hoe02
Quoting Alan Clegg: On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote: Hello after the root zones are now DNSSEC signed we like to use DNSSEC at our caching resolvers. I have setup Bind 9.7.0-P1-1 at the border and basically it is working fine. What I have not managed is to always force obey

Re: Force Bind caching resolver to always obey DNSSSEC

2010-10-01 Thread Alan Clegg
On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote: > Hello > > after the root zones are now DNSSEC signed we like to use DNSSEC at our > caching resolvers. I have setup Bind 9.7.0-P1-1 at the border and > basically it is working fine. What I have not managed is to always > force obeying DNSSEC sign

Force Bind caching resolver to always obey DNSSSEC

2010-10-01 Thread lst_hoe02
Hello after the root zones are now DNSSEC signed we like to use DNSSEC at our caching resolvers. I have setup Bind 9.7.0-P1-1 at the border and basically it is working fine. What I have not managed is to always force obeying DNSSEC signed zones for resolving, e.g. if I use "dig +cdflag www