Re: disable dnssec for particular domain

Matus UHLAR - fantomas wrote: > > and in case of private/internal domain even logical - it's not useful to > push DS records to parent, and even possible with 2 versions of the same > zone. You can have a secure delegation in the parent if you sign both versions of the zone

Re: disable dnssec for particular domain

On 08.02.18 19:12, Mark Andrews wrote: You break a chain of trust by proving there is a insecure delegation. that should be expected :-) and in case of private/internal domain even logical - it's not useful to push DS records to parent, and even possible with 2 versions of the same zone.

Re: disable dnssec for particular domain

You break a chain of trust by proving there is a insecure delegation. NXDOMAIN is not a delegation. The point on OPTOUT is to allow the parent zone to add and remove insecure delegations without resigning. Mark > On 7 Feb 2018, at 11:26 pm, Tony Finch wrote: > > Pruned debug

Re: disable dnssec for particular domain

Thankyou, Am 2018-02-08 hackte Warren Kumari in die Tasten: > On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch wrote: >> Michelle Konzack wrote: >> >>> If someone is interested making a slave for me, I can do >>> the same with him/her/whatelse. >> >> I'm

Re: disable dnssec for particular domain

On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch wrote: > Michelle Konzack wrote: > >> If someone is interested making a slave for me, I can do >> the same with him/her/whatelse. > > I'm cheap, so for my personal domains I use free secondaries from >

Re: disable dnssec for particular domain

Guten Abend, Am 2018-02-07 hackte Reindl Harald in die Tasten: > Am 07.02.2018 um 18:38 schrieb Matus UHLAR - fantomas: >> neither is possible for now. as I said, neither our customer not >> itsupstream does maintain the domain. > > i will point at that case when someone asks why i insist of be

Re: disable dnssec for particular domain

Am 07.02.2018 um 18:38 schrieb Matus UHLAR - fantomas: neither is possible for now. as I said, neither our customer not itsupstream does maintain the domain. i will point at that case when someone asks why i insist of be registrar as well as dns-provider for anything i have to deal with it

Re: disable dnssec for particular domain

Matus UHLAR - fantomas wrote: I wonder why does it do that. I have configured a zone to be type forward and expected it to work as confdigured, not be validated upstream. On 07.02.18 14:14, Tony Finch wrote: Validation is mostly independent of resolution, so even if you

Re: disable dnssec for particular domain

Matus UHLAR - fantomas wrote: > > I wonder why does it do that. I have configured a zone to be type > forward and expected it to work as confdigured, not be validated > upstream. Validation is mostly independent of resolution, so even if you configure a zone explicitly, the

Re: disable dnssec for particular domain

to the registrator. I currently see the only option to disable dnssec on the server, or upgrade to 9.11 ... but I'll upgrade the server to debian 8 (bind9.9.5) first. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address

Re: disable dnssec for particular domain

Hi there, On Wed, 7 Feb 2018, Michelle Konzack wrote: ... Note: If someone is interested making a slave for me ... Is there a reason you don't use e.g. he.net? https://dns.he.net/ They do say of DNSSEC that they are "exploring this now" but it seems to work for me. -- 73, Ged.

Re: disable dnssec for particular domain

Michelle Konzack wrote: > If someone is interested making a slave for me, I can do > the same with him/her/whatelse. I'm cheap, so for my personal domains I use free secondaries from https://puck.nether.net/dns/ and https://admin.gratisdns.com/ Tony. --

Re: disable dnssec for particular domain

Ahoi Matus, Am 2018-02-07 hackte Matus UHLAR - fantomas in die Tasten: > yes. even web whois shows no 'nameserver' information. > > the name is "testa.eu". Oi, the owner is the European Commission! It seems, they have the privileg, not to attribute Name Server to the domain. A normal

Re: disable dnssec for particular domain

Pruned debug logs... validating testa.eu/DS: looking for closest encloser validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA indicates potential closest encloser: 'eu' validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA at super-domain eu validating testa.eu/DS: NSEC3

Re: disable dnssec for particular domain

Matus UHLAR - fantomas wrote: > > the name is "testa.eu". OK, let's dig it (trimmed for relevance): ; <<>> DiG 9.13.0-dev <<>> +multiline +dnssec testa.eu ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39666 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8,

Re: disable dnssec for particular domain

Thanks for providing the domain name in question (testa.eu). Indeed, port 43 whois shows no nameservers - neither does the web based whois on whois.eurid.eu, though the name does exist in the 'eu' registry system. Dig gives me nothing either... $ dig testa.eu ns +short $ dig testa.eu ds +short

Re: disable dnssec for particular domain

Am 07.02.2018 um 12:12 schrieb Reindl Harald: Am 07.02.2018 um 12:07 schrieb Matus UHLAR - fantomas: On 06/02/2018 16:31, Matus UHLAR - fantomas wrote: what's the difference, when the domain doesn't exist? is it because .eu is signed? On 06.02.18 16:35, Ray Bellis wrote: Perhaps,

Re: disable dnssec for particular domain

Am 07.02.2018 um 12:07 schrieb Matus UHLAR - fantomas: On 06/02/2018 16:31, Matus UHLAR - fantomas wrote: what's the difference, when the domain doesn't exist? is it because .eu is signed? On 06.02.18 16:35, Ray Bellis wrote: Perhaps, although I'm not sure why given that .eu is signed

Re: disable dnssec for particular domain

On 06/02/2018 16:31, Matus UHLAR - fantomas wrote: what's the difference, when the domain doesn't exist? is it because .eu is signed? On 06.02.18 16:35, Ray Bellis wrote: Perhaps, although I'm not sure why given that .eu is signed with NSEC3 and opt-out. Are you *sure* that the domain

Re: disable dnssec for particular domain

Am DATE hackte AUTHOR in die Tasten: Ray Bellis > Perhaps, although I'm not sure why given that .eu is signed with NSEC3 > and opt-out.> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote: > >> what's the difference, when the domain doesn't exist? >> >> is it because .eu is signed? > > Are you

Re: disable dnssec for particular domain

Hello Matus, Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten: >>Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten: >>> our customer uses a domain that is registered, but hidden >>> (doesn't exist in DNS). > > On 06.02.18 18:24, Michelle Konzack wrote: >>I hope you know what are

Re: disable dnssec for particular domain

On 06/02/2018 16:31, Matus UHLAR - fantomas wrote: > what's the difference, when the domain doesn't exist? > > is it because .eu is signed? Perhaps, although I'm not sure why given that .eu is signed with NSEC3 and opt-out. Are you *sure* that the domain doesn't now actually exist in the DNS?

Re: disable dnssec for particular domain

Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten: our customer uses a domain that is registered, but hidden (doesn't exist in DNS). On 06.02.18 18:24, Michelle Konzack wrote: I hope you know what are you doing, because the DNS MUST exist! Please read the general conditions for the EU

Re: disable dnssec for particular domain

Am 06.02.2018 um 17:24 schrieb Michelle Konzack: Good evening, Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten: Hello, our customer uses a domain that is registered, but hidden (doesn't exist in DNS). I hope you know what are you doing, because the DNS MUST exist! Please read

Re: disable dnssec for particular domain

Good evening, Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten: > Hello, > > our customer uses a domain that is registered, but hidden > (doesn't exist in DNS). I hope you know what are you doing, because the DNS MUST exist! Please read the general conditions for the EU Domain Registry!

Re: disable dnssec for particular domain

On 06/02/2018 16:00, Matus UHLAR - fantomas wrote: our customer uses a domain that is registered, but hidden (doesn't exist in DNS). The domain is used by multiple organizations and we are required to forward lookups for the domain to foreign internal servers. The problem is, that parent

Re: disable dnssec for particular domain

Matus UHLAR - fantomas wrote: > > Is it currently possible to avoid validating this particular domain? BIND 9.11 has support for negative trust anchors, but they are supposed to be used as a temporary workaround to allow time for breakage to be fixed - you'll probably find

Re: disable dnssec for particular domain

On 06/02/2018 16:00, Matus UHLAR - fantomas wrote: > Hello, > > our customer uses a domain that is registered, but hidden > (doesn't exist in DNS). > > The domain is used by multiple organizations and we are required to forward > lookups for the domain to foreign internal servers. > > The

Re: disable dnssec for particular domain

Am 06.02.2018 um 17:00 schrieb Matus UHLAR - fantomas: our customer uses a domain that is registered, but hidden (doesn't exist in DNS). The domain is used by multiple organizations and we are required to forward lookups for the domain to foreign internal servers. The problem is, that parent

disable dnssec for particular domain

Hello, our customer uses a domain that is registered, but hidden (doesn't exist in DNS). The domain is used by multiple organizations and we are required to forward lookups for the domain to foreign internal servers. The problem is, that parent domain (.eu) indicates that the domain is to be

Re: Disable DNSSEC Validation for selected Domains

-Ursprüngliche Nachricht- Von: Evan Hunt [mailto:e...@isc.org] On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote: I'm just wondering, is an option like unbound's domain-insecure intentionally not implemented in in BIND? Or did just nobody care enough to implement

AW: AW: Disable DNSSEC Validation for selected Domains

If the zone isn't signed, it shouldn't be trying to validate it as there's nothing to validate. Unless this fictional TLD now has a real delegated counter-part? Stuart Just for clarification: If a TLD does not exist, it can neither be signed nor unsigned. And, officially, the mentioned TLD

RE: AW: Disable DNSSEC Validation for selected Domains

Unfortunately we can't sign the fictional TLD, since we are neither master nor slave of the zone. We are just forwarding our queries to a foreign authorative Server. Grüße, Stefan If the zone isn't signed, it shouldn't be trying to validate it as there's nothing to validate. Unless this

Re: AW: Disable DNSSEC Validation for selected Domains

NSEC. W On Wed, Jan 14, 2015 at 5:12 PM, Stuart Browne stuart.bro...@bomboratech.com.au wrote: Unfortunately we can't sign the fictional TLD, since we are neither master nor slave of the zone. We are just forwarding our queries to a foreign authorative Server. Grüße, Stefan If the zone

Re: Disable DNSSEC Validation for selected Domains

On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote: I'm just wondering, is an option like unbound's domain-insecure intentionally not implemented in in BIND? Or did just nobody care enough to implement it yet? I have resisted implementing it because it's too easy for an operator to

AW: Disable DNSSEC Validation for selected Domains

internally, all Documentations etc... I wouldn't be surprised if they are not even aware of the problem, yet. Regards, Stefan -Ursprüngliche Nachricht- Von: Evan Hunt [mailto:e...@isc.org] Gesendet: Mittwoch, 14. Januar 2015 09:13 An: Lasche, Stefan Cc: BIND Users Betreff: Re: Disable

Re: AW: Disable DNSSEC Validation for selected Domains

On 14/01/2015 09:34, stefan.las...@t-systems.com wrote: Our customer uses a fictional Toplevel Domain[...] Can you flip the problem on its head, by signing the fictional TLD and deploying managed-keys (or trusted-keys) on the validating resolvers? Graham

AW: Disable DNSSEC Validation for selected Domains

Hi Chris, While you wait for this to become generally available, you can do what I like to do for my customers: Use two layers of recursive DNS servers. The first layer takes queries from clients, knows about your insecure domains (through stub zones, slave zones, or conditional

AW: Disable DNSSEC Validation for selected Domains

Hi Daniel, You may also try to disable all DNSSEC algorithms for a zone: https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html Regards, Daniel Also a nice idea for a workaround :) But it did not work for me. This is what I tried: Options {

AW: AW: Disable DNSSEC Validation for selected Domains

Our customer uses a fictional Toplevel Domain[...] Can you flip the problem on its head, by signing the fictional TLD and deploying managed-keys (or trusted-keys) on the validating resolvers? Graham Unfortunately we can't sign the fictional TLD, since we are neither master nor slave of

Re: Disable DNSSEC Validation for selected Domains

On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote: I know that BIND has no feature to disable DNSSEC validation for selected Zones/Domains (when working as a recursor). One can only enable/disable DNSSEC validation globally per view (as a boolean on/off). [...] I'm just

Re: Disable DNSSEC Validation for selected Domains

Hello Stefan You may also try to disable all DNSSEC algorithms for a zone: https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html Regards, Daniel On 13.01.15 14:53, stefan.las...@t-systems.com wrote: Hi Mukund and thanks a lot for pointing that out! It is already

Disable DNSSEC Validation for selected Domains

Hi @all, I know that BIND has no feature to disable DNSSEC validation for selected Zones/Domains (when working as a recursor). One can only enable/disable DNSSEC validation globally per view (as a boolean on/off). I found that Microsoft's DNS Server has a feature to skip the validation

Re: Disable DNSSEC Validation for selected Domains

Hi Stefen On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote: Some of the internal Domains of our customers will fail the proof-of-non-existence. While this is technically correct, we still need access to their internal Domain to do our business... So the current

Re: Disable DNSSEC Validation for selected Domains

Hi Mukund and thanks a lot for pointing that out! It is already more than I was hoping for :) Regards, Stefan BIND will get support for negative trust anchors in 9.11, which will provide the feature that you seek. An implementation is now in the master branch.

Re: Disable DNSSEC Validation for selected Domains

stefan.las...@t-systems.com stefan.las...@t-systems.com wrote: I know that BIND has no feature to disable DNSSEC validation for selected Zones/Domains (when working as a recursor). BIND 9.11 will have negative trust anchors. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Fair

Re: How to disable DNSSEC/EDNS for lwresd

- Original Message - In message 483759859.6291670.1398781076480.javamail.zim...@redhat.com, Tomas H ozza writes: Hi. I'm trying to disable DNSSEC/EDNS for the lwresd using the following lwresd.conf: options { directory /var/named/; dnssec-enable

How to disable DNSSEC/EDNS for lwresd

Hi. I'm trying to disable DNSSEC/EDNS for the lwresd using the following lwresd.conf: options { directory /var/named/; dnssec-enable no; dnssec-validation no; pid-file /run/named/lwresd.pid; session-keyfile /run/named/session.key; }; lwres

Re: How to disable DNSSEC/EDNS for lwresd

In message 483759859.6291670.1398781076480.javamail.zim...@redhat.com, Tomas H ozza writes: Hi. I'm trying to disable DNSSEC/EDNS for the lwresd using the following lwresd.conf: options { directory /var/named/; dnssec-enable no; dnssec-validation no; pid

Disable DNSSEC

My DNS appliances are not well-suited for this yet, so I want to disable DNSSEC for my for domain. Anyone know the proper steps to take and what order if there is any order? I have a DS record in my parent domain. Do I need to remove that first? Thanks in advance. Eric

Re: Disable DNSSEC

On 01/07/2014 05:01 PM, Eric Davis wrote: My DNS appliances are not well-suited for this yet, so I want to disable DNSSEC for my for domain. Anyone know the proper steps to take and what order if there is any order? I have a DS record in my parent domain. Do I need to remove that first

RE: Disable DNSSEC

@lists.isc.org [mailto:bind-users-bounces+eric=rockefeller@lists.isc.org] On Behalf Of Georg Kahest Sent: Tuesday, January 07, 2014 10:12 AM To: bind-users@lists.isc.org Subject: Re: Disable DNSSEC On 01/07/2014 05:01 PM, Eric Davis wrote: My DNS appliances are not well-suited for this yet, so I

Re: Disable DNSSEC

On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote: So I guess my DS record has the same TTL as my default TTL for my records? My default is 8 hours, so if I wait 8 hours after I remove the DS from my parent zone then I should be ok? My parent zone is a TLD(.edu). The DS record is

RE: Disable DNSSEC

Subject: Re: Disable DNSSEC On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote: So I guess my DS record has the same TTL as my default TTL for my records? My default is 8 hours, so if I wait 8 hours after I remove the DS from my parent zone then I should be ok? My parent zone is a TLD(.edu

Re: Disable DNSSEC

On Tue, Jan 07, 2014 at 04:34:27PM +, Eric Davis wrote: Duh...silly mistake...I did a DIG on the NS record..Once the DS record is removed DNS queries should work fine right? Thanks Bill. Once the DS record is removed from the .edu zone, queriers won't expect your zone to be signed any

Re: Disable DNSSEC

Once the DS record is removed from the .edu zone, queriers won't expect your zone to be signed any more. At that point, you can leave it signed or remove the signatures, and it won't make any difference. You just need to wait at least 24 hours from the time the record disappears from the

RE: Is there a way to disable dnssec validation for a single zone?

dnssec validation for a single zone? Hello, Is there a way to disable dnssec validation for a single zone? The people who run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov is unsigned, and has no corresponding

Re: Is there a way to disable dnssec validation for a single zone?

On Aug 5 2011, Mark Andrews wrote: In message ca603693.38da5%ron.dod...@lmco.com, Dodson, Ron writes: Hello, Is there a way to disable dnssec validation for a single zone? No. Without wanting to argue about whether it would be appropriate to use such a mechanism (if it existed

Is there a way to disable dnssec validation for a single zone?

Hello, Is there a way to disable dnssec validation for a single zone? The people who run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov is unsigned, and has no corresponding dnskey record, so validation

Re: Is there a way to disable dnssec validation for a single zone?

In message ca603693.38da5%ron.dod...@lmco.com, Dodson, Ron writes: Hello, Is there a way to disable dnssec validation for a single zone? No. The people wh o run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates ojp. usdoj.gov and has a DS record for ojp.usdoj.gov

need to disable dnssec for pseudo TLD zone

to disable dnssec validation on a per-zone basis for internal pseudo TLDs? Antonio Querubin 808-545-5282 x3003 e-mail/xmpp: t...@lava.net ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: disable dnssec in bind resolver

Thanks @all, sorry i was out of office yesterday. I'll discuss the issue this week on the german Linux Tag in Berlin. What your meaning off firewalls, who looks into packets and block them if the filter don´t know a flag. First i´ve fixed the problem with edns no; Jan

Re: disable dnssec in bind resolver

On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote: Thanks @all, sorry i was out of office yesterday. I'll discuss the issue this week on the german Linux Tag in Berlin. What your meaning off firewalls, who looks into packets and block them if the filter don´t know a flag. Some high security

Re: disable dnssec in bind resolver

In message d7c8ada3-f213-4ae9-9fbe-8d613d97d...@kumari.net, Warren Kumari wri tes: On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote: Thanks @all, sorry i was out of office yesterday. I'll discuss the issue this week on the german Linux Tag in Berlin. What your meaning off firewalls, who

Re: disable dnssec in bind resolver

The DO bit is always set whenever the server includes an EDNS OPT RR (I thought it was based on the specification, but don't remember which sentence of which RFC says so). I was taken aback to read this, because I remembered seeing code in named that clears the DO bit if dnssec-enable is no:

Re: disable dnssec in bind resolver

In message 4c09c562.7030...@dougbarton.us, Doug Barton writes: Ok, so my guess as to ISC's motivations was pretty much on the mark, and speaking with my Guy who loves the Internet and wants to see things work better for everybody hat on, I am totally in agreement. That's why I said I

Re: disable dnssec in bind resolver

On Fri, Jun 4, 2010 at 11:32 PM, Doug Barton do...@dougbarton.us wrote: With my business hat on though I can see at least 2 possible use cases for DO=0. The first being related to this thread, I can't/won't fix/remove the firewall today, I just want my resolver to work. The hapless user in

Re: disable dnssec in bind resolver

On 06/04/10 21:58, Paul Vixie wrote: Doug Bartondo...@dougbarton.us writes: With my business hat on though I can see at least 2 possible use cases for DO=0. The first being related to this thread, I can't/won't fix/remove the firewall today, I just want my resolver to work. it works. it's

Re: disable dnssec in bind resolver

On 06/05/10 07:22, Mark Andrews wrote: In message4c09c562.7030...@dougbarton.us, Doug Barton writes: The resolver works. It figures out that it can't make the new style queries and falls back to the old style queries. If the user is really worried they can turn off EDNS and with that DO.

Re: disable dnssec in bind resolver

In message 201006060107.o5617ep4091...@drugs.dv.isc.org, Mark Andrews writes: In message 4c0aad2a.4010...@dougbarton.us, Doug Barton writes: On 06/05/10 07:22, Mark Andrews wrote: In message4c09c562.7030...@dougbarton.us, Doug Barton writes: The resolver works. It figures out that

disable dnssec in bind resolver

hello together, how i can disable dnssec in the bind resolver ? My firewall don´t let packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but this don´t fix the problem. Thanks, Jan ___ bind-users mailing list bind-users@lists.isc.org https

Re: disable dnssec in bind resolver

On Fri, 4 Jun 2010, Jan Buchholz wrote: how i can disable dnssec in the bind resolver ? My firewall don´t let packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but this don´t fix the problem. I believe that only disables *serving* DNSSEC records. I think you want 'dnssec

Re: disable dnssec in bind resolver

2010/6/4 Paul Wouters p...@xelerance.com: On Fri, 4 Jun 2010, Jan Buchholz wrote: how i can disable dnssec in the bind resolver ? My firewall don´t let packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but this don´t fix the problem. I believe that only disables *serving

RE: disable dnssec in bind resolver

: disable dnssec in bind resolver 2010/6/4 Paul Wouters p...@xelerance.com: On Fri, 4 Jun 2010, Jan Buchholz wrote: how i can disable dnssec in the bind resolver ? My firewall don´t let packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but this don´t fix the problem. I believe

Re: disable dnssec in bind resolver

On Fri, Jun 04, 2010 at 05:36:21PM +0200, Jan Buchholz wrote: i mean the parameter is the default. Actually, since 9.5.0, the default has been dnssec-validation yes. (Note, however, that DNSSEC validation doesn't occur unless the resolver has a trust anchor configured. So you there has to be a

Re: disable dnssec in bind resolver

If it doesn't, though, try edns no. You can't have a DO bit if you don't have a place to put one. This seems a bit like my left leg hurts, so i stabbed my right leg. Exactly. Now you aren't lopsided. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc.

Re: disable dnssec in bind resolver

, 2010 9:20 am Subject: Re: disable dnssec in bind resolver To: Evan Hunt e...@isc.org CC: bind-users@lists.isc.org On Fri, 4 Jun 2010, Evan Hunt wrote: I'm pretty sure dnssec-enable no does suppress the DO bit. If it doesn't, that's probably a bug. Yeah, I thought the default changed when all

Re: disable dnssec in bind resolver

On 6/4/2010 1:52 PM, R. Kevin Oberman wrote: First, dns-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'. No, it isn't. The only reason that dnssec-validation appears off is that without trust anchors, it doesn't do anything. Insert a

Re: disable dnssec in bind resolver

At Fri, 4 Jun 2010 16:50:26 +0200, Jan Buchholz 96de...@googlemail.com wrote: how i can disable dnssec in the bind resolver ? My firewall don´t let packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but this don´t fix the problem. I believe that only disables *serving

Re: disable dnssec in bind resolver

First, dns-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'. Correct in the sense that there are no configured trust anchors, so validation doesn't happen. Incorrect in the sense that the dnssec-validation option *is* turned on by

Re: disable dnssec in bind resolver

On 06/04/10 11:19, JINMEI Tatuya / 神明達哉 wrote: The DO bit is always set whenever the server includes an EDNS OPT RR (I thought it was based on the specification, but don't remember which sentence of which RFC says so). Given that concern about whether or not it's a good idea to always send

Re: disable dnssec in bind resolver

Doug Barton do...@dougbarton.us writes: I have a guess at why ISC would want to enable it by default, and even in the presence of an option to turn it off I'm still Ok with that default. But if it's not a standards requirement to have it on, giving the admin a choice would be a welcome thing.

Re: disable dnssec in bind resolver

On 06/04/10 19:40, Paul Vixie wrote: Doug Bartondo...@dougbarton.us writes: I have a guess at why ISC would want to enable it by default, and even in the presence of an option to turn it off I'm still Ok with that default. But if it's not a standards requirement to have it on, giving the

Re: disable dnssec in bind resolver

Doug Barton do...@dougbarton.us writes: On 06/04/10 19:40, Paul Vixie wrote: ... unless a new IETF RFC comes along and disambiguates the meaning of DO such that it's only to be set if the requestor thinks it has a reasonable shot at validating the resulting metadata, i expect BIND to keep