On Tue, 10 Jul 2012, Mark Andrews wrote:

> BIND bug, the "NOQNAME" NSEC/NSEC3 proof extraction is a side effect
> of validation.

Do you have a tracking/reference number for me?

> That said if you are talking through a recursive server that server
> should be validating as there are situations that are not recoverable
> without it.

So are you saying that even if the bug is fixed, BIND does not support:

options {
        dnssec-enable yes;
        dnssec-validation no;
        [...]
};

If so, should those options not be merged into one option? Or should
named-checkconf return a failure for such a configuration?

Does anyone know how prevalent these configurations are?

I'm CC:ing the dnssec-trigger list, as it might need to come up with a
new probe to detect this.

Paul
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
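
Added example, not part of the original message and not BIND or named-checkconf code: a small lint for the configuration asked about above, flagging a named.conf whose options block explicitly sets dnssec-enable yes together with dnssec-validation no. The sample configuration and the function names are constructed for illustration, and only explicit settings are checked because the thread does not state the defaults.

```python
import re

# Constructed sample input; only the two dnssec-* settings come from the message.
SAMPLE_CONF = '''
options {
        directory "/var/named";          // constructed
        forwarders { 192.0.2.1; };       # constructed, nested block is skipped
        dnssec-enable yes;
        /* dnssec-validation yes; */
        dnssec-validation no;
};
zone "example.test" { type master; file "example.test.db"; };
'''

COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[{};]|[^\s{};"]+')
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}  # BIND boolean spellings

def strip_comments(conf):
    """Drop /* */, // and # comments while leaving quoted strings untouched."""
    return COMMENT.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)

def options_settings(conf):
    """Map name -> value for two-word statements directly inside options { }."""
    tokens = TOKEN.findall(strip_comments(conf))
    settings, stmt, depth, in_opts = {}, [], 0, False
    for prev, tok in zip([None] + tokens, tokens):
        if tok == "{":
            depth += 1
            if depth == 1:  # a new top-level block starts here
                in_opts, stmt = (prev == "options"), []
        elif tok == "}":
            depth -= 1
        elif tok == ";":
            if in_opts and depth == 1 and len(stmt) == 2:
                settings[stmt[0]] = stmt[1].strip('"').lower()
            if depth <= 1:
                stmt = []
        elif depth == 1:
            stmt.append(tok)
    return settings

def check_dnssec(conf):
    """Return a finding when DNSSEC is enabled but validation is explicitly off."""
    s = options_settings(conf)
    if s.get("dnssec-enable") in TRUE and s.get("dnssec-validation") in FALSE:
        return ["options: dnssec-enable yes with dnssec-validation no"]
    return []

if __name__ == "__main__":
    print(check_dnssec(SAMPLE_CONF))
```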