Hi,

I'm running a recursive BIND (root hints, several master zones for OpenNIC TLDs) and would like to extend it by resolving .onion addresses through my Tor node.

Naively, I tried to add this to my config file:

zone "onion" IN {
    type forward;
    forward only;
    forwarders {
        192.168.0.3 port 9053;
        192.168.1.3 port 9053;
    };
};

However, I encounter the issue here: https://lists.isc.org/mailman/htdig/bind-users/2011-November/085536.html

I confirmed that by putting the domain (as suggested in the answers) below a self-controlled domain without DNSSEC (e.g. "onion.eckner.net"), which made things work.

However, this feels really clumsy for .onion addresses: you have to edit the URL in the address bar and - even worse - you leak the used domain to the hidden service (in case of http(s), at least) ...

Configuring .onion as master/slave is also not an option, because Tor does not offer zone transfers (for privacy reasons, probably) and because the IP addresses are auto-generated on request.

Is there any possibility to get this running without stripping DNSSEC from the clients (e.g. without setting up another nameserver in front which does not do DNSSEC)? Can I somehow (locally) resign the root zone with my own keys but still check the signature on all but .onion TLDs?

Any other ideas?

regards,
Erich
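The "resign the root but keep validating everything else" idea asked about above is essentially what the validate-except option in recent BIND does: the signed root's proof that "onion" does not exist stops turning the forwarded answers into SERVFAIL, while the rest of the namespace is still validated. The following named.conf fragment is an added example, not the poster's configuration; the forwarder addresses and port are taken from the post, and the availability of validate-except (BIND 9.14 and later) is my assumption about the installed version:

```conf
options {
    // Keep full DNSSEC validation for the rest of the namespace.
    dnssec-validation auto;

    // Names at or below "onion" are never validated, so the root's
    // signed denial of existence for onion no longer makes the
    // forwarded answers bogus. (Assumed: validate-except, BIND 9.14+.)
    validate-except { "onion"; };
};

// Same forward zone as in the post: hand every .onion query to the
// Tor DNSPort instead of asking the (signed) root about it.
zone "onion" IN {
    type forward;
    forward only;
    forwarders {
        192.168.0.3 port 9053;   // addresses and port as in the post
        192.168.1.3 port 9053;
    };
};
```

Run named-checkconf before reloading; a named too old to know the option rejects the file there rather than at runtime.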
