On 12 May 2015 at 18:58, Hugo Osvaldo Barrera wrote:
> On 2015-05-12 08:43, Gilles Chehade wrote:
>> On Mon, May 11, 2015 at 10:37:20PM +0200, Johannes Löthberg wrote:
>>> On 11/05, Denis Fondras wrote:
>>>>> 2- DNSSEC is still painful to setup, no one does it unfortunately :-/
>>>>
>>>> More precisely, it is easy to setup and painful to manage :D
>>>
>>> Well, BIND's automatic signing gives you nothing to manage really.
>>
>> Well, it's not too tricky but it requires being extra rigorous.
>>
>> For instance, a few days ago I realized that my ns2 was desynched from
>> my ns1, for some reason it was serving an older version of the zone.
>>
>> How did I realize?
>>
>> Well, when people complained that they could no longer send me mail, and
>> they could no longer reach my website.
>>
>> Two months ago, it was because my keys had expired and when I regen-ed a
>> new set, I forgot to publish zsk/ksk at my registrar.
>>
>> Sure in both cases the error was on my side but switching to DNSSEC means
>> you no longer fail gracefully when there's a problem. So many people are
>> now using the Google DNS (sigh..) and any problem with your DNSSEC leads
>> their DNS to reply NXDOMAIN on your domain.
>
> Slightly OT, but other than setting up my own DNS caching resolver, what are the
> alternatives to these sorts of public services? In particular, is there one that
> won't do this when DNSSEC fails?
This behavior is not desirable (by the way it is SERVFAIL, not NXDOMAIN). Making the resolution fail when the DNSSEC validation fails is the very feature of DNSSEC and is the standard way of doing that (see RFC 4035). In case you want to handle the validation by yourself, you still can use the Check Disabled flag to ensure the query won't fail by DNSSEC validation failure.

Best regards
Emmanuel Thierry
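The SERVFAIL-versus-CD behaviour discussed in this thread turns into a useful monitoring check: query a validating resolver once normally and once with the CD bit set; a SERVFAIL that disappears when CD is set points at broken DNSSEC data (expired keys, an unpublished DS, a stale secondary) rather than at dead name servers, which is exactly the kind of failure Gilles only noticed from user complaints. The script below is an added example, not code from the thread or from any resolver; it uses only the standard library, the resolver address and the sample response headers are constructed placeholders, and `probe()` is the only part that needs network access.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, RFC 4035): QR, RD, RA, AD (authenticated data), CD (checking disabled)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
NOERROR, SERVFAIL = 0, 2


def build_query(name, qtype=1, txid=0x1234, checking_disabled=False):
    """Wire-format query for `name`; with CD set the resolver hands back data it could not validate."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def make_response(txid, rcode, ad=False, cd=False, ancount=0):
    """Constructed 12-byte response header, sample data for the offline demo (no real traffic)."""
    flags = QR | RD | RA | rcode | (AD if ad else 0) | (CD if cd else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def parse_header(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & AD), "cd": bool(flags & CD), "ancount": an}


def classify(plain, with_cd):
    """Diagnose from the pair of responses: a SERVFAIL that turns into an answer once CD is set
    means the resolver rejected the zone's DNSSEC data (expired RRSIGs, DS/DNSKEY mismatch),
    not that the authoritative servers are unreachable."""
    p, c = parse_header(plain), parse_header(with_cd)
    if p["rcode"] == SERVFAIL and c["rcode"] == NOERROR:
        return "dnssec-validation-failure"
    if p["rcode"] == SERVFAIL:
        return "server-failure"
    if p["rcode"] == NOERROR and p["ad"]:
        return "secure"
    return "insecure-or-other"


def probe(name, resolver, timeout=2.0):
    """Send both queries over UDP to a validating resolver (needs network; not used by the offline check)."""
    replies = []
    for cd_flag in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, checking_disabled=cd_flag), (resolver, 53))
            replies.append(s.recv(4096))
    return classify(*replies)
```

Run `probe("yourzone.example", "<validating resolver IP>")` from cron against each of your zones; an alert on "dnssec-validation-failure" fires before the people who can no longer mail you do.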
