Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-04-16 Thread Chris Thompson
On Apr 15 2010, Roy Badami wrote:
>> Actually there *is* DNSSEC involved or the query would not have
>> failed.
>
> Yes, sorry. I meant to imply that there is no DNSSEC involved beyond the verification of the covering NSEC that proves the lack of a DLV record.
>
>> There is a bug in the BIND 9.7.0-P1 fixe

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-04-15 Thread Roy Badami
> Actually there *is* DNSSEC involved or the query would not have
> failed.

Yes, sorry. I meant to imply that there is no DNSSEC involved beyond the verification of the covering NSEC that proves the lack of a DLV record.

> There is a bug in the BIND 9.7.0-P1 fixes that triggers this. The
> fix

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-04-14 Thread Mark Andrews
In message <20100414232855.gp1...@giles.gnomon.org.uk>, Roy Badami writes:
> > Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
> > I've seen no repeat of the DNSSEC name resolution issues so far; it's
> > early days yet (only been running DLV for three days) but certainly
> > lo

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-04-14 Thread Roy Badami
> > dig www.bbc.net.uk +cd
>
> How does the last query "work"?

What I meant by that, in case it wasn't clear, was that setting the CD flag in the query caused the query to succeed, hence strongly suggesting that the cause of the failure in the original query was related to DNSSEC

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-04-14 Thread Michael Sinatra
On 04/14/10 16:28, Roy Badami wrote:
>> Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
>> I've seen no repeat of the DNSSEC name resolution issues so far; it's
>> early days yet (only been running DLV for three days) but certainly
>> looking promising.
>
> I spoke too soon. I've now found

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-04-14 Thread Roy Badami
> Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and
> I've seen no repeat of the DNSSEC name resolution issues so far; it's
> early days yet (only been running DLV for three days) but certainly
> looking promising.

I spoke too soon. I've now found a query that (at least this eve

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-04-14 Thread Roy Badami
On Sun, Mar 28, 2010 at 11:48:37PM +0100, I wrote:
> A couple of weeks ago I upgraded my BINDs to 9.7.0 and enabled DLV.
>
> This is my first time attempting to validate DNSSEC; however, I've been
> seeing intermittent failures to resolve domains under .org which have
> been frequent enough to forc

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-30 Thread Sam Wilson
In article , Roy Badami wrote:
> > I have seen this happen when bind for some reason (eg mtu issues with
> > vpn) cannot query for the DLV key at dlv.isc.org. I have not figured
> > out the exact failure mode there. Check the logs to see errors for DNSKEY
> > queries for dlv.isc.org to see if th

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-30 Thread Matus UHLAR - fantomas
> > I have seen this happen when bind for some reason (eg mtu issues with
> > vpn) cannot query for the DLV key at dlv.isc.org. I have not figured
> > out the exact failure mode there. Check the logs to see errors for DNSKEY
> > queries for dlv.isc.org to see if this is happening here too. However

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-29 Thread Roy Badami
> I have seen this happen when bind for some reason (eg mtu issues with
> vpn) cannot query for the DLV key at dlv.isc.org. I have not figured
> out the exact failure mode there. Check the logs to see errors for DNSKEY
> queries for dlv.isc.org to see if this is happening here too. However in
> tha

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-29 Thread Roy Badami
> > Yes, I agree freebsd.org is insecure, but I still want to be able to
> > resolve it :-)
>
> The point was, you should not be getting DNSSEC-related errors from
> a domain that is not secured.

I disagree. In order for a validating resolver to resolve freebsd.org (or any other insecure domain

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-29 Thread Paul Wouters
On Mon, 29 Mar 2010, Matthew Pounsett wrote:
> On 2010/03/28, at 18:48, Roy Badami wrote:
>> configured). The queries are resulting in SERVFAIL, and I'm pretty
>> sure the failures are DNSSEC-related, as when I've seen problems as
>> they occur (dig failing from the command line) then repeating the quer

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-29 Thread Matthew Pounsett
On 2010/03/29, at 06:04, Roy Badami wrote:
>
>> It looks to me like your example, freebsd.org, is insecure.
>
> Yes, I agree freebsd.org is insecure, but I still want to be able to
> resolve it :-)

The point was, you should not be getting DNSSEC-related errors from a domain that is not secu

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-29 Thread Roy Badami
> It looks to me like your example, freebsd.org, is insecure.

Yes, I agree freebsd.org is insecure, but I still want to be able to resolve it :-)

.org is signed with NSEC3 and (I think, but could be misremembering) is using opt-out. org is registered in DLV, so BIND still has to do some work

Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-29 Thread Matthew Pounsett
On 2010/03/28, at 18:48, Roy Badami wrote:
> configured). The queries are resulting in SERVFAIL, and I'm pretty
> sure the failures are DNSSEC-related, as when I've seen problems as
> they occur (dig failing from the command line) then repeating the
> query with the CD bit allowed it to succeed.

Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

2010-03-28 Thread Roy Badami
A couple of weeks ago I upgraded my BINDs to 9.7.0 and enabled DLV.

This is my first time attempting to validate DNSSEC; however, I've been seeing intermittent failures to resolve domains under .org which have been frequent enough to force me to disable DLV again (hence effectively disabling DNSSEC