On 07.02.18 12:26, Tony Finch wrote:
Aha! I think what's happening here is that BIND is expecting a NODATA
response, to indicate that there is a delegation without a DS record.
(For an example, `dig +dnssec +multiline europa.eu ds`)

However the validator gets an NXDOMAIN response claiming the domain
doesn't exist at all. But this is an opt-out NXDOMAIN so it is not a
proof. Nevertheless the validator believes it, and is convinced that it
has not proved the NODATA that it was expecting to prove, so it tells
itself it has not found an insecure delegation.

I wonder why it does that.
I have configured a zone to be type forward and expected it to work as
configured, not be validated upstream.

(type forward - the fun continues; we don't have access to the origin
nameservers, however I tried static-stub with the same result)

This is a tricky case. You can argue convincingly either way whether it is
a bug or not, I think. Even if it is a bug, fixing it is not going to
solve your problem any time soon - you need a pragmatic operational
solution.

I can only guess that this is a part of DNSSEC functionality - validate
everything even for domains configured locally.

Do people with private versions of domains have this problem too when
using DNSSEC?

I have a feeling that we need to reserve a TLD for internal private domains
that would be guaranteed not to use DNSSEC at all.

(I have thought of reserving a private TLD already before; anyone wants to
write an RFC?)

What you should do is add some nameservers to the registration (serving an
empty zone or something), so that the .eu nameservers return a NODATA
response instead of an NXDOMAIN response. Then your private zone will
work.

That would apparently take ages; neither we nor our customer have contact with
the registrar.

I currently see the only option as disabling DNSSEC on the server, or upgrading
to 9.11 ...

But I'll upgrade the server to Debian 8 (BIND 9.9.5) first.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Support bacteria - they're the only culture some people have.
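A small classifier for the two parent responses Tony distinguishes above, added here as an example (it is not code from the thread or from BIND): it reads dig-style output and reports whether the parent gave NODATA for DS (an unsigned delegation the validator can accept) or an NXDOMAIN covered by an opt-out NSEC3, which as described above proves nothing. The sample responses, zone names and hash labels are constructed; only dig's default one-line record format is assumed.

```python
import re

OPT_OUT = 0x01  # NSEC3 flags field bit: Opt-Out (RFC 5155 section 3.1.2.1)

# Constructed samples of `dig +dnssec <child> DS` output (not real captures).
# Case 1: the parent answers NXDOMAIN and the covering NSEC3 has the Opt-Out bit set.
OPTOUT_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; AUTHORITY SECTION:
parent.example.       600 IN SOA ns.parent.example. hostmaster.parent.example. 1 7200 3600 1209600 600
HASH1.parent.example. 600 IN NSEC3 1 1 0 - HASH2 NS SOA RRSIG DNSKEY NSEC3PARAM
"""
# Case 2: the parent answers NODATA for DS: the delegation exists but carries no DS.
NODATA_DS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; AUTHORITY SECTION:
parent.example.       600 IN SOA ns.parent.example. hostmaster.parent.example. 1 7200 3600 1209600 600
HASH3.parent.example. 600 IN NSEC3 1 0 0 - HASH4 NS
"""

def classify_ds_response(text):
    """Classify a DS query response the way the thread describes the validator seeing it."""
    status = re.search(r"status:\s*(\w+)", text).group(1)
    answers = int(re.search(r"ANSWER:\s*(\d+)", text).group(1))
    # NSEC3 rdata is: hash-alg flags iterations salt next-hash [types]; take the flags field
    nsec3_flags = [int(f) for f in re.findall(r"\sIN\s+NSEC3\s+\d+\s+(\d+)\s", text)]
    if status == "NOERROR" and answers > 0:
        return "secure delegation (DS present)"
    if status == "NOERROR":
        return "insecure delegation (NODATA for DS)"
    if status == "NXDOMAIN" and any(f & OPT_OUT for f in nsec3_flags):
        return "opt-out NXDOMAIN (not a proof of anything)"
    if status == "NXDOMAIN":
        return "NXDOMAIN (name provably absent at parent)"
    return "unexpected response: " + status

if __name__ == "__main__":
    for label, sample in (("opt-out NXDOMAIN", OPTOUT_NXDOMAIN), ("NODATA", NODATA_DS)):
        print(label, "->", classify_ds_response(sample))
```

Pipe real `dig +dnssec <child> DS @<parent-ns>` output into `classify_ds_response` to see which of the two cases a private zone's parent is returning.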