In message , Warren Kumari writes:
> On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote:
>
> > Thanks @all, sorry I was out of office yesterday. I'll discuss the
> > issue this week on the German Linux Tag in Berlin.
> >
> > What is your opinion of firewalls that look into packets and block them
> >
On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote:
Thanks @all, sorry I was out of office yesterday. I'll discuss the
issue this week on the German Linux Tag in Berlin.
What is your opinion of firewalls that look into packets and block them
if the filter doesn't know a flag.
Some "high security" f
Thanks @all, sorry I was out of office yesterday. I'll discuss the
issue this week on the German Linux Tag in Berlin.
What is your opinion of firewalls that look into packets and block them
if the filter doesn't know a flag.
First I've fixed the problem with edns no;
Jan
In message <201006060107.o5617ep4091...@drugs.dv.isc.org>, Mark Andrews writes:
>
> In message <4c0aad2a.4010...@dougbarton.us>, Doug Barton writes:
> > On 06/05/10 07:22, Mark Andrews wrote:
> > > In message<4c09c562.7030...@dougbarton.us>, Doug Barton writes:
> > >
> > > The resolver works. It
In message <4c0aad2a.4010...@dougbarton.us>, Doug Barton writes:
> On 06/05/10 07:22, Mark Andrews wrote:
> > In message<4c09c562.7030...@dougbarton.us>, Doug Barton writes:
> >
> > The resolver works. It figures out that it can't make the new style
> > queries and falls back to the old style que
On 06/05/10 07:22, Mark Andrews wrote:
In message<4c09c562.7030...@dougbarton.us>, Doug Barton writes:
The resolver works. It figures out that it can't make the new style
queries and falls back to the old style queries. If the user is really
worried they can turn off EDNS and with that DO.
T
On 06/04/10 21:58, Paul Vixie wrote:
Doug Barton writes:
With my business hat on though I can see at least 2 possible use cases for
DO=0. The first being related to this thread, "I can't/won't fix/remove the
firewall today, I just want my resolver to work."
it works. it's just slower because
On Fri, Jun 4, 2010 at 11:32 PM, Doug Barton wrote:
>
>
> With my business hat on though I can see at least 2 possible use cases for
> DO=0. The first being related to this thread, "I can't/won't fix/remove the
> firewall today, I just want my resolver to work." The hapless user in that
> spot is
In message <4c09c562.7030...@dougbarton.us>, Doug Barton writes:
>
> Ok, so my guess as to ISC's motivations was pretty much on the mark, and
> speaking with my "Guy who loves the Internet and wants to see things
> work better for everybody" hat on, I am totally in agreement. That's why
> I sa
> The DO bit is always set whenever the server includes an EDNS OPT RR
> (I thought it was based on the specification, but don't remember which
> sentence of which RFC says so).
I was taken aback to read this, because I remembered seeing code in named
that clears the DO bit if "dnssec-enable" is "
Doug Barton writes:
> On 06/04/10 19:40, Paul Vixie wrote:
>> ...
>>
>> unless a new IETF RFC comes along and disambiguates the meaning of "DO"
>> such that it's only to be set if the requestor thinks it has a
>> reasonable shot at validating the resulting metadata, i expect BIND to
>> keep sett
On 06/04/10 19:40, Paul Vixie wrote:
Doug Barton writes:
I have a guess at why ISC would want to enable it by default, and even in
the presence of an option to turn it off I'm still Ok with that default.
But if it's not a standards requirement to have it on, giving the admin a
choice would be
Doug Barton writes:
> I have a guess at why ISC would want to enable it by default, and even in
> the presence of an option to turn it off I'm still Ok with that default.
> But if it's not a standards requirement to have it on, giving the admin a
> choice would be a welcome thing.
this was, as y
On 06/04/10 11:19, JINMEI Tatuya / 神明達哉 wrote:
The DO bit is always set whenever the server includes an EDNS OPT RR
(I thought it was based on the specification, but don't remember which
sentence of which RFC says so).
Given that concern about whether or not it's a good idea to always send
DO=
> First, dns-validation is 'off' by default in all BIND versions. It's
> dnssec-enable that started defaulting to 'yes'.
Correct in the sense that there are no configured trust anchors, so
validation doesn't happen.
Incorrect in the sense that the "dnssec-validation" option *is* turned on
by defa
At Fri, 4 Jun 2010 16:50:26 +0200,
Jan Buchholz <96de...@googlemail.com> wrote:
> >> How can I disable dnssec in the bind resolver? My firewall doesn't let
> >> packets with D0 flag through. I've tried 'dnssec-enable no;', but
> >> this doesn't fix the problem.
> >
> > I believe that only disables *
On 6/4/2010 1:52 PM, R. Kevin Oberman wrote:
> First, dns-validation is 'off' by default in all BIND versions. It's
> dnssec-enable that started defaulting to 'yes'.
No, it isn't. The only reason that dnssec-validation appears "off" is
that without trust anchors, it doesn't do anything. Insert
Date: Friday, Jun 4, 2010 9:20 am
Subject: Re: disable dnssec in bind resolver
To: Evan Hunt
CC: bind-users@lists.isc.org
On Fri, 4 Jun 2010, Evan Hunt wrote:
> I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it
doesn't, that's probably a bug.
Yeah,
> >If it doesn't, though, try "edns no". You can't have a DO bit if you
> >don't have a place to put one.
>
> This seems a bit like "my left leg hurts, so i stabbed my right leg".
Exactly. Now you aren't lopsided.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
On Fri, 4 Jun 2010, Evan Hunt wrote:
I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it
doesn't, that's probably a bug.
Yeah, I thought the default changed when all those NAT routers proved buggy.
If it doesn't, though, try "edns no". You can't have a DO bit if you
don't ha
On Fri, Jun 04, 2010 at 05:36:21PM +0200, Jan Buchholz wrote:
> I mean the parameter is the default.
Actually, since 9.5.0, the default has been "dnssec-validation yes".
(Note, however, that DNSSEC validation doesn't occur unless the resolver
has a trust anchor configured. So you there has to be
tner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: disable dnssec in bind resolver
I mean the parameter is the default.
My problem is, if a client wants to resolve an IP address from my
bind-server, the resolver sets for some domains the D0 flag for the
question. And this behaviour don't like m
e way you expect or you wouldn't have asked.
>
> -Original Message-
> From: bind-users-bounces+jlightner=water@lists.isc.org
> [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of
> Jan Buchholz
> Sent: Friday, June 04, 2010 10:50 AM
> To: Paul Wo
sers@lists.isc.org
Subject: Re: disable dnssec in bind resolver
2010/6/4 Paul Wouters :
> On Fri, 4 Jun 2010, Jan Buchholz wrote:
>
>> How can I disable dnssec in the bind resolver? My firewall doesn't let
>> packets with D0 flag through. I've tried 'dnssec-enable no;',
2010/6/4 Paul Wouters :
> On Fri, 4 Jun 2010, Jan Buchholz wrote:
>
>> How can I disable dnssec in the bind resolver? My firewall doesn't let
>> packets with D0 flag through. I've tried 'dnssec-enable no;', but
>> this doesn't fix the problem.
>
> I believe that only disables *serving* DNSSEC records
On Fri, 4 Jun 2010, Jan Buchholz wrote:
How can I disable dnssec in the bind resolver? My firewall doesn't let
packets with D0 flag through. I've tried 'dnssec-enable no;', but
this doesn't fix the problem.
I believe that only disables *serving* DNSSEC records.
I think you want 'dnssec-validati
26 matches