-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello.
I found out that when bind is configured as recursive resolver with
dnssec-lookaside set to 'auto' and dlv.isc.org is unreachable, all
lookups for unsigned (UNSECURE) names fail even if the validation
succeeds (IOW the validation of NSEC3
Why would you expect them to succeed? If you use DLV you are
expecting anything for which DLV is used as a trust anchor to be
safe from being spoofed. The *only* way this can happen is to fail
if the DLV lookup fails for any reason.
Mark
In message 53fc7b35.6040...@redhat.com, Tomas Hozza
So you care enough about security to implement DNSSEC, but you run your
forwarder on port 80. Interesting...
- Kevin
On 8/26/2014 8:19 AM, Tomas Hozza wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello.
I found out that
On Tue 26 Aug 2014 02:32:24 PM CEST, Kevin Darcy wrote:
So you care enough about security to implement DNSSEC, but you run your
forwarder on port 80. Interesting...
- Kevin
It is completely artificial setup for testing purpose only.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/26/2014 02:27 PM, Mark Andrews wrote:
Why would you expect them to succeed?
Because validation using root servers and authoritative servers proved
that the domain is intentionally unsecure.
If you use DLV you are
expecting anything for
In message 53fc827e.7090...@redhat.com, Tomas Hozza writes:
On 08/26/2014 02:27 PM, Mark Andrews wrote:
Why would you expect them to succeed?
Because validation using root servers and authoritative servers proved
that the domain is intentionally unsecure.
No. It only proves that there
On Tue 26 Aug 2014 03:07:22 PM CEST, Mark Andrews wrote:
In message 53fc827e.7090...@redhat.com, Tomas Hozza writes:
On 08/26/2014 02:27 PM, Mark Andrews wrote:
Why would you expect them to succeed?
Because validation using root servers and authoritative servers proved
that the domain is
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 8/26/14 5:50 AM, Tomas Hozza wrote:
| On 08/26/2014 02:27 PM, Mark Andrews wrote:
| Why would you expect them to succeed?
|
| Because validation using root servers and authoritative servers
| proved that the domain is intentionally unsecure.
8 matches
Mail list logo