-Original Message-
From: Evan Hunt [mailto:e...@isc.org]
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
I'm just wondering, is an option like unbound's domain-insecure
intentionally not implemented in BIND? Or did just nobody care
enough to implement
If the zone isn't signed, it shouldn't be trying to validate it as there's
nothing to validate. Unless this fictional TLD now has a real delegated
counter-part?
Stuart
Just for clarification:
If a TLD does not exist, it can neither be signed nor unsigned.
And, officially, the mentioned TLD
Unfortunately we can't sign the fictional TLD, since we are neither master
nor slave of the zone.
We are just forwarding our queries to a foreign authoritative server.
Regards,
Stefan
If the zone isn't signed, it shouldn't be trying to validate it as there's
nothing to validate. Unless this
NSEC.
W
On Wed, Jan 14, 2015 at 5:12 PM, Stuart Browne
stuart.bro...@bomboratech.com.au wrote:
Unfortunately we can't sign the fictional TLD, since we are neither master
nor slave of the zone.
We are just forwarding our queries to a foreign authoritative server.
Regards,
Stefan
If the zone
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
I'm just wondering, is an option like unbound's domain-insecure
intentionally not implemented in BIND? Or did just nobody care
enough to implement it yet?
I have resisted implementing it because it's too easy for an operator to
DNSSEC Validation for selected Domains
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
I'm just wondering, is an option like unbound's domain-insecure
intentionally not implemented in BIND? Or did just nobody care
enough to implement it yet?
I have resisted implementing
On 14/01/2015 09:34, stefan.las...@t-systems.com wrote:
Our customer uses a fictional Toplevel Domain[...]
Can you flip the problem on its head, by signing the fictional TLD and
deploying managed-keys (or trusted-keys) on the validating resolvers?
Graham
Hi Chris,
While you wait for this to become generally available, you can do what I like
to do for my customers: Use two layers of recursive DNS servers. The first
layer takes queries from clients, knows about your insecure domains
(through stub zones, slave zones, or conditional
Hi Daniel,
You may also try to disable all DNSSEC algorithms for a zone:
https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
Regards,
Daniel
Also a nice idea for a workaround :) But it did not work for me.
This is what I tried:
Options {
Our customer uses a fictional Toplevel Domain[...]
Can you flip the problem on its head, by signing the fictional TLD and
deploying managed-keys (or trusted-keys) on the validating resolvers?
Graham
Unfortunately we can't sign the fictional TLD, since we are neither master nor
slave of
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
I know that BIND has no feature to disable DNSSEC validation for selected
Zones/Domains (when working as a recursor).
One can only enable/disable DNSSEC validation globally per view (as a boolean
on/off).
[...]
I'm just
Hello Stefan
You may also try to disable all DNSSEC algorithms for a zone:
https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
Regards,
Daniel
On 13.01.15 14:53, stefan.las...@t-systems.com wrote:
Hi Mukund
and thanks a lot for pointing that out!
It is already
Hi @all,
I know that BIND has no feature to disable DNSSEC validation for selected
Zones/Domains (when working as a recursor).
One can only enable/disable DNSSEC validation globally per view (as a boolean
on/off).
I found that Microsoft's DNS Server has a feature to skip the validation
Hi Stefan
On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote:
Some of the internal Domains of our customers will fail the
proof-of-non-existence. While this is technically correct, we still
need access to their internal Domain to do our business... So the
current
Hi Mukund
and thanks a lot for pointing that out!
It is already more than I was hoping for :)
Regards,
Stefan
BIND will get support for negative trust anchors in 9.11, which will provide
the feature that you seek. An implementation is now in the master branch.
stefan.las...@t-systems.com stefan.las...@t-systems.com wrote:
I know that BIND has no feature to disable DNSSEC validation for
selected Zones/Domains (when working as a recursor).
BIND 9.11 will have negative trust anchors.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Fair