recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Tomas Hozza
Hello. I found out that when bind is configured as recursive resolver with dnssec-lookaside set to 'auto' and dlv.isc.org is unreachable, all lookups for unsigned (UNSECURE) names fail even if the validation succeeds (IOW the validation of NSEC3

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Mark Andrews
Why would you expect them to succeed? If you use DLV you are expecting anything for which DLV is used as a trust anchor to be safe from being spoofed. The *only* way this can happen is to fail if the DLV lookup fails for any reason. Mark In message 53fc7b35.6040...@redhat.com, Tomas Hozza

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Kevin Darcy
So you care enough about security to implement DNSSEC, but you run your forwarder on port 80. Interesting... - Kevin On 8/26/2014 8:19 AM, Tomas Hozza wrote: Hello. I found out that

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Tomas Hozza
On Tue 26 Aug 2014 02:32:24 PM CEST, Kevin Darcy wrote: So you care enough about security to implement DNSSEC, but you run your forwarder on port 80. Interesting... - Kevin It is a completely artificial setup for testing purposes only.

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Tomas Hozza
On 08/26/2014 02:27 PM, Mark Andrews wrote: Why would you expect them to succeed? Because validation using root servers and authoritative servers proved that the domain is intentionally unsecure. If you use DLV you are expecting anything for

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Mark Andrews
In message 53fc827e.7090...@redhat.com, Tomas Hozza writes: On 08/26/2014 02:27 PM, Mark Andrews wrote: Why would you expect them to succeed? Because validation using root servers and authoritative servers proved that the domain is intentionally unsecure. No. It only proves that there

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Tomas Hozza
On Tue 26 Aug 2014 03:07:22 PM CEST, Mark Andrews wrote: In message 53fc827e.7090...@redhat.com, Tomas Hozza writes: On 08/26/2014 02:27 PM, Mark Andrews wrote: Why would you expect them to succeed? Because validation using root servers and authoritative servers proved that the domain is

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Doug Barton
On 8/26/14 5:50 AM, Tomas Hozza wrote: | On 08/26/2014 02:27 PM, Mark Andrews wrote: | Why would you expect them to succeed? | | Because validation using root servers and authoritative servers | proved that the domain is intentionally unsecure.