Re: Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

Timothe Litt l...@acm.org wrote: There are still registrars that don't accept DNSSEC records, and a non-trivial number of domain holders can't easily switch registrars. In some cases it isn't possible to switch to a better registrar, e.g. if you need DNSSEC for your reverse DNS. So yes, there

Cannot enable GSS-TSIG updates from Active Directory

Hello guys, I’m with a problem trying to enable GSS-TSIG with BIND 9.10. Before I start describing what I’ve done, I would like to say that I’ve already done this in in another domain without any problems. So I think I’m missing something very specific. If someone would help-me debugging this

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

On 8/26/14 10:35 AM, Timothe Litt wrote: I think this is misleading, or at least poorly worded and subject to misinterpretation. I chose my words carefully, and I stand by them. I did not say that the DLV has no value, and I specifically mentioned that there are circumstances when it is

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

On 27-Aug-14 14:54, Doug Barton wrote: On 8/26/14 10:35 AM, Timothe Litt wrote: I think this is misleading, or at least poorly worded and subject to misinterpretation. I chose my words carefully, and I stand by them. The OP was asking about configuring a resolver (bind's). Where I thought

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

On 8/27/14 3:03 PM, Timothe Litt wrote: So you really meant that validating resolvers should only consult DLV if their administrator knows that users are looking-up names that are in the DLV? That's how I read your advice. You're correct. I don't see how that can work; hence we'll disagree.