Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

Mon, 09 May 2011 22:53:12 -0700 

In message <1304999903.6599.1450152...@webmail.messagingengine.com>, "" writes:
> Among numerous examples of folks running Bind9 in split-view mode
> similar to my config, I found this unanswered DNSSEC-related post,
> 
>  "DNSSEC Validating Resolver and Views"
>   https://lists.isc.org/pipermail/bind-users/2010-March/079166.html
> 
> which seems, at least, similar to the issue I'm seeing,
> 
> " ... This setup has been working for years but is now broken for
> clients
>  querying from a guest network (via the guest view) unless the queries
>  have checking disabled. ..."
> 
> Checking with my server for apparently unsigned 'www.adobe.com',
> 
> dig www.adobe.com
> 
>       ; <<>> DiG 9.8.0-P1 <<>> www.adobe.com
>       ;; global options: +cmd
>       ;; Got answer:
>       ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12026
>       ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
>       ADDITIONAL: 0
> 
>       ;; QUESTION SECTION:
>       ;www.adobe.com.                 IN      A
> 
>       ;; Query time: 24 msec
>       ;; SERVER: 10.10.10.100#53(10.10.10.100)
>       ;; WHEN: Mon May  9 13:53:29 2011
>       ;; MSG SIZE  rcvd: 31
> 
> dig www.adobe.com +cd
> 
>       ; <<>> DiG 9.8.0-P1 <<>> www.adobe.com +cd
>       ;; global options: +cmd
>       ;; Got answer:
>       ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50312
>       ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2,
>       ADDITIONAL: 0
> 
>       ;; QUESTION SECTION:
>       ;www.adobe.com.                 IN      A
> 
>       ;; ANSWER SECTION:
>       www.adobe.com.          3592    IN      CNAME  
>       www.wip4.adobe.com.
>       www.wip4.adobe.com.     30      IN      A       192.150.16.60
> 
>       ;; AUTHORITY SECTION:
>       wip4.adobe.com.         3337    IN      NS     
>       da1gtm001.adobe.com.
>       wip4.adobe.com.         3337    IN      NS     
>       3dns-5.adobe.com.
> 
>       ;; Query time: 52 msec
>       ;; SERVER: 10.10.10.100#53(10.10.10.100)
>       ;; WHEN: Mon May  9 13:53:37 2011
>       ;; MSG SIZE  rcvd: 115
> 
> shows, as in the referenced post, that checking an dnssec-unsigned
> domain @ resolver with dnssec-validation enabled returns DATA only if
> that validation is DISABLED.

What does "dig DS adobe.com" return?
 
> DCh
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to