Re: Sparklight and DNSSEC

2022-09-26 Thread Bjørn Mork
Petr Špaček writes: > named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC > signatures (and other metadata) without validating them. > > named.conf statement 'dnssec-validation auto;' then enables DNSSEC > validation itself. > > In other words, it is possible to allow DNSSEC to wo

Re: Sparklight and DNSSEC

2022-09-26 Thread sthaug
> Please allow me to correct this: > > named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC > signatures (and other metadata) without validating them. Slight problem here: My 9.18.5 named doesn't know about dnssec-enabled: Sep 26 09:00:51 xxx named[38797]: /usr/local/etc/namedb/na

Re: Sparklight and DNSSEC

2022-09-26 Thread Petr Špaček
On 26. 09. 22 9:15, sth...@nethelp.no wrote: Please allow me to correct this: named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC signatures (and other metadata) without validating them. Slight problem here: My 9.18.5 named doesn't know about dnssec-enabled: Sep 26 09:00:51 xx

Re: Sparklight and DNSSEC

2022-09-26 Thread Benny Pedersen
Bjørn Mork wrote on 2022-09-26 08:50: Petr Špaček writes: named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC signatures (and other metadata) without validating them. named.conf statement 'dnssec-validation auto;' then enables DNSSEC validation itself. In other words, it is

Re: Sparklight and DNSSEC

2022-09-26 Thread Philip Prindeville
> On Sep 24, 2022, at 3:20 AM, Bjørn Mork wrote: > > Philip Prindeville writes: > >> How many ISPs squelch DNSSEC like that? I hope it's not a common practice! > > More common than you'd like to think. See Geoff's excellent world map > at https://stats.labs.apnic.net/dnssec > > Note that

Re: Mailing list questions (DMARC, ARC, more?)

2022-09-26 Thread Alessandro Vesely
On Sat 24/Sep/2022 00:23:03 +0200 Matus UHLAR - fantomas wrote: another test done Thanks for reporting. This is slightly OT, as it concerns the list functioning rather than DNS. I hope it doesn't afflict... I see the list operates both From: munging and ARC sealing. While I'm clear about

Re: Sparklight and DNSSEC

2022-09-26 Thread Nick Tait via bind-users
On 27/09/2022 3:58 am, Benny Pedersen wrote: imho dnssec-validation auto; have a bug as it validates domains without DS set hope bind developers can confirm or deny it Hi Benny. Until DS records are published in the parent zone, the (signed) zone is considered 'insecure', and validation

Re: Sparklight and DNSSEC

2022-09-26 Thread Benny Pedersen
Nick Tait via bind-users wrote on 2022-09-26 23:50: On 27/09/2022 3:58 am, Benny Pedersen wrote: imho dnssec-validation auto; have a bug as it validates domains without DS set hope bind developers can confirm or deny it Hi Benny. Until DS records are published in the parent zone, the (si

Re: Sparklight and DNSSEC

2022-09-26 Thread Mark Andrews
> On 27 Sep 2022, at 00:58, Benny Pedersen wrote: > > Bjørn Mork wrote on 2022-09-26 08:50: >> Petr Špaček writes: >>> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC >>> signatures (and other metadata) without validating them. >>> named.conf statement 'dnssec-validation a