Hi @all,
I know that BIND has no feature to disable DNSSEC validation for selected
Zones/Domains (when working as a recursor).
One can only enable/disable DNSSEC validation globally per view (as a boolean
on/off).
I found that Microsoft's DNS Server has a feature to skip the validation for
som
Hi Mukund
and thanks a lot for pointing that out!
It is already more than I was hoping for :)
Regards,
Stefan
> BIND will get support for negative trust anchors in 9.11, which will provide
> the feature that you seek. An implementation is now in the master branch.
>
> https://tools.ietf.org
Hm... In our case a short lifespan won't be enough.
Our customer uses a fictional top-level domain and migrating the whole
infrastructure to a new, proper domain will take him months if not years.
They'll have to adjust every DNS Config of every Server, every Webservice they
have running interna
Hi Chris,
> While you wait for this to become generally available, you can do what I like
> to do for my customers: Use two layers of recursive DNS servers. The first
> layer takes queries from clients, knows about your insecure domains
> (through stub zones, slave zones, or conditional forwardi
>> Our customer uses a fictional top-level domain[...]
>
> Can you flip the problem on its head, by signing the fictional TLD and
> deploying managed-keys (or trusted-keys) on the validating resolvers?
>
> Graham
Unfortunately we can't sign the fictional TLD, since we are neither master nor
slave
Hi Daniel,
> You may also try to disable all DNSSEC algorithms for a zone:
> https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
>
> Regards,
> Daniel
Also a nice idea for a workaround :) But it did not work for me.
This is what I tried:
Options {
>
> If the zone isn't signed, it shouldn't be trying to validate it as there's
> nothing to validate. Unless this fictional TLD now has a real delegated
> counter-part?
>
> Stuart
Just for clarification:
If a TLD does not exist, it can neither be signed nor unsigned.
And, officially, the mentioned
Hi Graham,
> Has anybody on-list got a clever(er?) trick? I suppose that 9.10 with
> in-view might make the problem go away.
Instead of notifying all views at once you could just create a "notification
chain", where a view only notifies one other view:
view_1 notifies view_2.
Are you using an iptables firewall?
Does the problem only occur on UDP connections to the problematic IP? Or also
on TCP connections to the same IP?
I had similar problems (not with bind) when the connection table of the iptables
"state" module was too small.
Iptables started dropping packets, because
Hi,
the "named-compilezone" tool can output zone files in two different styles
(using the -s option):
"full" (suitable for processing by a separate script)
"relative" (more human-readable)
By default, the bind daemon uses the "relative" style (or something similar)
when writing dynamic
>> By default, the bind daemon uses the "relative" style (or something
>> similar) when writing dynamic zone files to disk.
>> Guess what... all those "$ORIGIN" lines make it more difficult to
>> parse the file by a separate script... ;)
> Truly, you don't want to be reading master files. If