On 6/4/2010 1:52 PM, R. Kevin Oberman wrote:
> First, dns-validation is 'off' by default in all BIND versions. It's
> dnssec-enable that started defaulting to 'yes'.

No, it isn't. The only reason that dnssec-validation appears "off" is that without trust anchors, it doesn't do anything. Insert a trust anchor and you validate, even without "dnssec-validation yes;" in your configuration. Really.

> Second, your firewall is simply broken. You will continue to have
> problems with DNS until you fix/replace it. I have not seen a recent
> firewall broken in this manner for a while, but this was quite common
> a couple of years ago.

100% agreed.

> For the moment, turning off dnssec-enable is probably your best hope,
> but it's not a fix and you are likely to see continuing problems on a
> smaller scale until the firewall is fixed.

Yep.

AlanC
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users