On 24. 09. 22 11:20, Bjørn Mork wrote:
> Philip Prindeville <philipp_s...@redfish-solutions.com> writes:
>> How many ISPs squelch DNSSEC like that? I hope it's not a common practice!
> More common than you'd like to think. See Geoff's excellent world map
> at https://stats.labs.apnic.net/dnssec
> Note that no validation implies no signatures for downstream resolvers.
> Which makes the non-validating resolvers useless in forwarders
> statements, like you discovered. And useless in many other situations
> as well. You can't do DANE for example.
Please allow me to correct this:
named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
signatures (and other metadata) without validating them.
named.conf statement 'dnssec-validation auto;' then enables DNSSEC
validation itself.
In other words, it is possible to allow DNSSEC to work for forwarders
without doing validation itself. If the ISP in question resists enabling
DNSSEC validation then at least a 'dnssec-enabled yes; dnssec-validation no;'
configuration would improve the situation for people who care.
--
Petr Špaček
Internet Systems Consortium
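To make the three configurations discussed in this thread concrete, here are the relevant named.conf fragments side by side. This is an added illustration, not a config posted by anyone in the thread or shipped by ISC; the forwarder address 192.0.2.53 is a placeholder from the RFC 5737 documentation range, and the version notes are an assumption you should check against the ARM for the release you run.

```conf
// ---------------------------------------------------------------
// 1. ISP resolver as Philip found it: DNSSEC support switched off.
//    named then neither sets the DO bit upstream nor returns RRSIG,
//    DNSKEY or NSEC/NSEC3 records, so a downstream forwarder that
//    wants to validate gets nothing to validate and ends up SERVFAIL.
//    ('dnssec-enabled' exists in BIND 9.11 and earlier only; assumed.)
// ---------------------------------------------------------------
options {
    recursion yes;
    dnssec-enabled no;
    dnssec-validation no;
};

// ---------------------------------------------------------------
// 2. The minimum improvement Petr describes: pass DNSSEC records
//    through untouched, but do not validate on this resolver.
//    Clients that set DO now receive the signatures they asked for.
// ---------------------------------------------------------------
options {
    recursion yes;
    dnssec-enabled yes;
    dnssec-validation no;
};

// ---------------------------------------------------------------
// 3. Customer-side forwarder (BIND 9.16 or later, where
//    'dnssec-enabled' is obsolete and always on; assumed):
//    forwards to the ISP resolver but validates locally against the
//    built-in root trust anchor. This only works if the upstream is
//    configured like (2), not like (1).
// ---------------------------------------------------------------
options {
    recursion yes;
    forward only;
    forwarders { 192.0.2.53; };   // placeholder ISP resolver address
    dnssec-validation auto;       // validate here, trust anchor managed by named
};
```

A quick way to tell which of the two ISP-side configurations you are facing is `dig +dnssec DNSKEY . @<isp-resolver>`: with (2) the answer carries RRSIG records (and no AD flag, since nothing was validated there); with (1) the RRSIGs are missing, which is exactly the symptom that breaks the forwarder in (3) and rules out DANE.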
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users