Re: disable dnssec in bind resolver

2010-06-08 Thread Jan Buchholz
Thanks @all, sorry I was out of the office yesterday. I'll discuss the issue this week at the German LinuxTag in Berlin. What do you mean by firewalls that look into packets and block them if the filter doesn't know a flag? First, I've fixed the problem with 'edns no;'. Jan

Re: disable dnssec in bind resolver

2010-06-08 Thread Warren Kumari
On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote: Thanks @all, sorry I was out of the office yesterday. I'll discuss the issue this week at the German LinuxTag in Berlin. What do you mean by firewalls that look into packets and block them if the filter doesn't know a flag? Some high security

Re: disable dnssec in bind resolver

2010-06-08 Thread Mark Andrews
In message d7c8ada3-f213-4ae9-9fbe-8d613d97d...@kumari.net, Warren Kumari writes: On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote: Thanks @all, sorry I was out of the office yesterday. I'll discuss the issue this week at the German LinuxTag in Berlin. What do you mean by firewalls that

Re: disable dnssec in bind resolver

2010-06-05 Thread Evan Hunt
The DO bit is always set whenever the server includes an EDNS OPT RR (I thought it was based on the specification, but don't remember which sentence of which RFC says so). I was taken aback to read this, because I remembered seeing code in named that clears the DO bit if dnssec-enable is no:

Re: disable dnssec in bind resolver

2010-06-05 Thread Mark Andrews
In message 4c09c562.7030...@dougbarton.us, Doug Barton writes: Ok, so my guess as to ISC's motivations was pretty much on the mark, and speaking with my Guy who loves the Internet and wants to see things work better for everybody hat on, I am totally in agreement. That's why I said I

Re: disable dnssec in bind resolver

2010-06-05 Thread Joe Baptista
On Fri, Jun 4, 2010 at 11:32 PM, Doug Barton do...@dougbarton.us wrote: With my business hat on though I can see at least 2 possible use cases for DO=0. The first being related to this thread, I can't/won't fix/remove the firewall today, I just want my resolver to work. The hapless user in

Re: disable dnssec in bind resolver

2010-06-05 Thread Doug Barton
On 06/04/10 21:58, Paul Vixie wrote: Doug Barton do...@dougbarton.us writes: With my business hat on though I can see at least 2 possible use cases for DO=0. The first being related to this thread, I can't/won't fix/remove the firewall today, I just want my resolver to work. it works. it's

Re: disable dnssec in bind resolver

2010-06-05 Thread Doug Barton
On 06/05/10 07:22, Mark Andrews wrote: In message 4c09c562.7030...@dougbarton.us, Doug Barton writes: The resolver works. It figures out that it can't make the new style queries and falls back to the old style queries. If the user is really worried they can turn off EDNS and with that DO.

Re: disable dnssec in bind resolver

2010-06-05 Thread Mark Andrews
In message 201006060107.o5617ep4091...@drugs.dv.isc.org, Mark Andrews writes: In message 4c0aad2a.4010...@dougbarton.us, Doug Barton writes: On 06/05/10 07:22, Mark Andrews wrote: In message 4c09c562.7030...@dougbarton.us, Doug Barton writes: The resolver works. It figures out that

disable dnssec in bind resolver

2010-06-04 Thread Jan Buchholz
Hello together, how can I disable DNSSEC in the BIND resolver? My firewall doesn't let packets with the DO flag through. I've tried 'dnssec-enable no;', but this doesn't fix the problem. Thanks, Jan

Re: disable dnssec in bind resolver

2010-06-04 Thread Paul Wouters
On Fri, 4 Jun 2010, Jan Buchholz wrote: how can I disable DNSSEC in the BIND resolver? My firewall doesn't let packets with the DO flag through. I've tried 'dnssec-enable no;', but this doesn't fix the problem. I believe that only disables *serving* DNSSEC records. I think you want 'dnssec

Re: disable dnssec in bind resolver

2010-06-04 Thread Jan Buchholz
2010/6/4 Paul Wouters p...@xelerance.com: On Fri, 4 Jun 2010, Jan Buchholz wrote: how can I disable DNSSEC in the BIND resolver? My firewall doesn't let packets with the DO flag through. I've tried 'dnssec-enable no;', but this doesn't fix the problem. I believe that only disables *serving

RE: disable dnssec in bind resolver

2010-06-04 Thread Lightner, Jeff
: disable dnssec in bind resolver 2010/6/4 Paul Wouters p...@xelerance.com: On Fri, 4 Jun 2010, Jan Buchholz wrote: how can I disable DNSSEC in the BIND resolver? My firewall doesn't let packets with the DO flag through. I've tried 'dnssec-enable no;', but this doesn't fix the problem. I believe

Re: disable dnssec in bind resolver

2010-06-04 Thread Evan Hunt
On Fri, Jun 04, 2010 at 05:36:21PM +0200, Jan Buchholz wrote: i mean the parameter is the default. Actually, since 9.5.0, the default has been dnssec-validation yes. (Note, however, that DNSSEC validation doesn't occur unless the resolver has a trust anchor configured. So there has to be a

Re: disable dnssec in bind resolver

2010-06-04 Thread Evan Hunt
If it doesn't, though, try edns no. You can't have a DO bit if you don't have a place to put one. This seems a bit like my left leg hurts, so I stabbed my right leg. Exactly. Now you aren't lopsided. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc.

Re: disable dnssec in bind resolver

2010-06-04 Thread R. Kevin Oberman
On Fri, 4 Jun 2010, Evan Hunt wrote: I'm pretty sure dnssec-enable no does suppress the DO bit. If it doesn't, that's probably a bug. Yeah, I thought the default changed when all

Re: disable dnssec in bind resolver

2010-06-04 Thread Alan Clegg
On 6/4/2010 1:52 PM, R. Kevin Oberman wrote: First, dns-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'. No, it isn't. The only reason that dnssec-validation appears off is that without trust anchors, it doesn't do anything. Insert a

Re: disable dnssec in bind resolver

2010-06-04 Thread JINMEI Tatuya / 神明達哉
At Fri, 4 Jun 2010 16:50:26 +0200, Jan Buchholz 96de...@googlemail.com wrote: how can I disable DNSSEC in the BIND resolver? My firewall doesn't let packets with the DO flag through. I've tried 'dnssec-enable no;', but this doesn't fix the problem. I believe that only disables *serving

Re: disable dnssec in bind resolver

2010-06-04 Thread Evan Hunt
First, dns-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'. Correct in the sense that there are no configured trust anchors, so validation doesn't happen. Incorrect in the sense that the dnssec-validation option *is* turned on by

Re: disable dnssec in bind resolver

2010-06-04 Thread Doug Barton
On 06/04/10 11:19, JINMEI Tatuya / 神明達哉 wrote: The DO bit is always set whenever the server includes an EDNS OPT RR (I thought it was based on the specification, but don't remember which sentence of which RFC says so). Given that concern about whether or not it's a good idea to always send

Re: disable dnssec in bind resolver

2010-06-04 Thread Paul Vixie
Doug Barton do...@dougbarton.us writes: I have a guess at why ISC would want to enable it by default, and even in the presence of an option to turn it off I'm still Ok with that default. But if it's not a standards requirement to have it on, giving the admin a choice would be a welcome thing.

Re: disable dnssec in bind resolver

2010-06-04 Thread Doug Barton
On 06/04/10 19:40, Paul Vixie wrote: Doug Barton do...@dougbarton.us writes: I have a guess at why ISC would want to enable it by default, and even in the presence of an option to turn it off I'm still Ok with that default. But if it's not a standards requirement to have it on, giving the

Re: disable dnssec in bind resolver

2010-06-04 Thread Paul Vixie
Doug Barton do...@dougbarton.us writes: On 06/04/10 19:40, Paul Vixie wrote: ... unless a new IETF RFC comes along and disambiguates the meaning of DO such that it's only to be set if the requestor thinks it has a reasonable shot at validating the resulting metadata, i expect BIND to keep