Hi @all,
I know that BIND has no feature to disable DNSSEC validation for selected
Zones/Domains (when working as a recursor).
One can only enable/disable DNSSEC validation globally per view (as a boolean
on/off).
I found that Microsoft's DNS Server has a feature to skip the validation for
som
stefan.las...@t-systems.com wrote:
>
> I know that BIND has no feature to disable DNSSEC validation for
> selected Zones/Domains (when working as a recursor).
BIND 9.11 will have negative trust anchors.
Tony.
--
f.anthony.n.finchhttp://dotat.at/
Fair Isle: Southwest 6 to gale 8, occasionall
Hi Stefen
On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote:
> Some of the internal Domains of our customers will fail the
> proof-of-non-existence. While this is technically correct, we still
> need access to their internal Domain to do our business... So the
> current
Just to save anyone else the trouble, I've just found that some of the
GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
# dig +norec +dnssec +nsid @193.104.215.247 ardownload.wip4.adobe.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50062
...versu
On 13/01/15 12:27, Phil Mayers wrote:
Just to save anyone else the trouble, I've just found that some of the
GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
...and in fact "sit", which is the actual problem option we're hitting
(our 9.10 package seems to have been unint
On 13/01/15 13:27, Phil Mayers wrote:
> Just to save anyone else the trouble, I've just found that some of the
> GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
It's not just NSID. They're responding with NXDOMAIN if you send any
EDNS option they don't understand, so it's
On 13/01/15 12:37, Anand Buddhdev wrote:
On 13/01/15 13:27, Phil Mayers wrote:
Just to save anyone else the trouble, I've just found that some of the
GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
It's not just NSID. They're responding with NXDOMAIN if you send any
ED
On 13/01/15 12:39, Phil Mayers wrote:
On 13/01/15 12:37, Anand Buddhdev wrote:
On 13/01/15 13:27, Phil Mayers wrote:
Just to save anyone else the trouble, I've just found that some of the
GSLB names for *.adobe.com return NXDOMAIN with "nsid" options present:
It's not just NSID. They're resp
Hi Mukund
and thanks a lot for pointing that out!
It is already more than I was hoping for :)
Regards,
Stefan
> BIND will get support for negative trust anchors in 9.11, which will provide
> the feature that you seek. An implementation is now in the master branch.
>
> https://tools.ietf.org
Hello Stefan
You may also try to disable all DNSSEC algorithms for a zone:
https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
Regards,
Daniel
On 13.01.15 14:53, stefan.las...@t-systems.com wrote:
> Hi Mukund
>
> and thanks a lot for pointing that out!
> It is already
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Tue, 2015-01-13 at 12:49 +, Phil Mayers wrote:
> Just found another; dns{0,1}.getsurfed.com are returning crazy error
> codes with "nsid" (and presumably other) edns options:
> # dig +norec +nsid @213.162.97.177 www.london-nano.com
> ;; Got a
We tried.
Its "we don't get enough complaints" so we won't actually ask our
nameserver vendor how to fix this despite us telling them that they
just need to add a CNAME record to the backend zone.
The load balancer has a front end that answers A and queries.
CNAME/TXT/SOA and "unsual" A and
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> I know that BIND has no feature to disable DNSSEC validation for selected
> Zones/Domains (when working as a recursor).
> One can only enable/disable DNSSEC validation globally per view (as a boolean
> on/off).
[...]
> I'm just
13 matches
Mail list logo
