Re: Sparklight and DNSSEC

2022-09-26 Thread Mark Andrews
> On 27 Sep 2022, at 00:58, Benny Pedersen wrote:
>
> Bjørn Mork wrote on 2022-09-26 08:50:
>> Petr Špaček writes:
>>> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
>>> signatures (and other metadata) without validating them.
>>> named.conf statement 'dnssec-validation

Re: Sparklight and DNSSEC

2022-09-26 Thread Benny Pedersen
Nick Tait via bind-users wrote on 2022-09-26 23:50:
> On 27/09/2022 3:58 am, Benny Pedersen wrote:
>> imho dnssec-validation auto; has a bug as it validates domains without DS set; hope bind developers can confirm or deny it
> Hi Benny. Until DS records are published in the parent zone, the

Re: Sparklight and DNSSEC

2022-09-26 Thread Nick Tait via bind-users
On 27/09/2022 3:58 am, Benny Pedersen wrote:
> imho dnssec-validation auto; has a bug as it validates domains without DS set; hope bind developers can confirm or deny it

Hi Benny. Until DS records are published in the parent zone, the (signed) zone is considered 'insecure', and validation

Re: Sparklight and DNSSEC

2022-09-26 Thread Philip Prindeville
> On Sep 24, 2022, at 3:20 AM, Bjørn Mork wrote:
>
> Philip Prindeville writes:
>
>> How many ISPs squelch DNSSEC like that? I hope it's not a common practice!
>
> More common than you'd like to think. See Geoff's excellent world map
> at https://stats.labs.apnic.net/dnssec
>
> Note

Re: Sparklight and DNSSEC

2022-09-26 Thread Benny Pedersen
Bjørn Mork wrote on 2022-09-26 08:50:
> Petr Špaček writes:
>> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC signatures (and other metadata) without validating them.
>> named.conf statement 'dnssec-validation auto;' then enables DNSSEC validation itself.
>> In other words, it is

Re: Sparklight and DNSSEC

2022-09-26 Thread Petr Špaček
On 26. 09. 22 9:15, sth...@nethelp.no wrote:
>> Please allow me to correct this:
>>
>> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC signatures (and other metadata) without validating them.
>
> Slight problem here: My 9.18.5 named doesn't know about dnssec-enabled:
>
> Sep 26 09:00:51

Re: Sparklight and DNSSEC

2022-09-26 Thread sthaug
> Please allow me to correct this:
>
> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
> signatures (and other metadata) without validating them.

Slight problem here: My 9.18.5 named doesn't know about dnssec-enabled:

Sep 26 09:00:51 xxx named[38797]:

Re: Sparklight and DNSSEC

2022-09-26 Thread Bjørn Mork
Petr Špaček writes:
> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
> signatures (and other metadata) without validating them.
>
> named.conf statement 'dnssec-validation auto;' then enables DNSSEC
> validation itself.
>
> In other words, it is possible to allow DNSSEC to

Re: Sparklight and DNSSEC

2022-09-26 Thread Petr Špaček
On 24. 09. 22 11:20, Bjørn Mork wrote:
> Philip Prindeville writes:
>> How many ISPs squelch DNSSEC like that? I hope it's not a common practice!
>
> More common than you'd like to think. See Geoff's excellent world map at https://stats.labs.apnic.net/dnssec
>
> Note that no validation implies no

Re: Sparklight and DNSSEC

2022-09-25 Thread Bjørn Mork
Sandro writes:
> On 24-09-2022 11:20, Bjørn Mork wrote:
>> Philip Prindeville writes:
>>
>>> How many ISPs squelch DNSSEC like that? I hope it's not a common
>>> practice!
>> More common than you'd like to think. See Geoff's excellent world
>> map at https://stats.labs.apnic.net/dnssec
>
>

Re: Sparklight and DNSSEC

2022-09-25 Thread Sandro
On 24-09-2022 11:20, Bjørn Mork wrote:
> Philip Prindeville writes:
>> How many ISPs squelch DNSSEC like that? I hope it's not a common practice!
>
> More common than you'd like to think. See Geoff's excellent world map at https://stats.labs.apnic.net/dnssec

Thank you for sharing this. Is there

Re: Sparklight and DNSSEC

2022-09-24 Thread Bjørn Mork
Philip Prindeville writes:
> How many ISPs squelch DNSSEC like that? I hope it's not a common practice!

More common than you'd like to think. See Geoff's excellent world map at https://stats.labs.apnic.net/dnssec

Note that no validation implies no signatures for downstream resolvers. Which

Re: Sparklight and DNSSEC

2022-09-23 Thread Sandro
On 23-09-2022 18:54, Philip Prindeville wrote:
> Anyway, I suggested that they stand up a second pair of DNS servers, this time with DNSSEC enabled, and let their customers decide if streaming is more important than security. Waiting to hear back...
>
> How many ISPs squelch DNSSEC like that? I

Sparklight and DNSSEC

2022-09-23 Thread Philip Prindeville
Hi all,

I was seeing a lot of noise about RRSIGs using the Sparklight name servers dns1.cableonet.net and c1dns.cableone.net, like this:

Sep 23 10:44:24 OpenWrt3 named[28113]: validating net/SOA: got insecure response; parent indicates it should be secure
Sep 23 10:44:24 OpenWrt3
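The log line above is what a validating named prints when a forwarder hands back an unsigned answer for a zone whose parent publishes a DS record, and the thread's distinction between a resolver that forwards signatures and one that validates (the two named.conf statements Petr describes, and Bjørn's point that a non-validating upstream also passes no signatures) can be checked from the wire. The following is an added example, not code from the thread or from BIND: a small Python probe that sends a query with the EDNS0 DO bit set and sorts the reply into validating (AD flag set), transparent (RRSIGs passed through without AD), stripping (DO echoed but no RRSIGs) or no-do (no OPT record or DO bit in the reply). The sample replies in SAMPLES are constructed byte strings with a dummy signature; the resolver address passed to probe() and the probe name www.example.net are placeholders, and the name must be one you know is signed for the result to mean anything.

```python
"""Classify what a recursive resolver does with DNSSEC: validate, forward
signatures unvalidated, or strip them.  Added example; sample replies are constructed."""
import socket
import struct

# RR types and header/EDNS flags from RFC 1035, RFC 4034 and RFC 6891.
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000        # DO bit lives in the flags half of the OPT record's TTL field
EDNS_UDP_SIZE = 1232


def encode_name(name):
    """Encode a dotted name as DNS labels, without compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_rr(owner, rtype, ttl, rdata, rclass=CLASS_IN):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """RD query plus an EDNS0 OPT record with DO=1, i.e. 'please include RRSIGs'."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = encode_rr(b"\x00", TYPE_OPT, EDNS_DO, b"", rclass=EDNS_UDP_SIZE)
    return header + question + opt


def build_response(txid, name, answers, ad=False, do=True):
    """Constructed reply for the sample set: answers are (type, rdata) pairs whose
    owner is a compression pointer to the question name at offset 12."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    body = b"".join(encode_rr(b"\xc0\x0c", t, 300, rd) for t, rd in answers)
    opt = encode_rr(b"\x00", TYPE_OPT, EDNS_DO if do else 0, b"", rclass=EDNS_UDP_SIZE)
    return header + question + body + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:        # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + n


def parse_response(msg):
    """Header flags plus (type, class, ttl) of every RR by section; rdata is skipped."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[sec].append((rtype, rclass, ttl))
    return txid, flags, sections


def classify(msg):
    """Only meaningful for a DO=1 query on a name known to be signed."""
    _, flags, sec = parse_response(msg)
    opts = [r for r in sec["additional"] if r[0] == TYPE_OPT]
    do_echoed = bool(opts) and bool(opts[0][2] & EDNS_DO)
    has_rrsig = any(r[0] == TYPE_RRSIG for r in sec["answer"])
    if flags & FLAG_AD:
        return "validating"           # resolver validated and says so (dnssec-validation)
    if has_rrsig:
        return "transparent"          # signatures forwarded, nothing validated
    if not do_echoed:
        return "no-do"                # no OPT/DO in the reply: EDNS or DO filtered
    return "stripping"                # DO honoured but RRSIGs gone: the thread's symptom


def probe(resolver, name="www.example.net", timeout=3.0):
    """Live UDP check (needs network; resolver address and name are yours to supply)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(reply)


# Constructed sample replies.  The RRSIG rdata carries a dummy 64-byte signature;
# classify() only looks at record types and header flags, so that is enough here.
A_RDATA = bytes([192, 0, 2, 1])                                   # TEST-NET-1 address
RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_A, 13, 3, 300, 1664236800, 1663027200, 12345)
               + encode_name("example.net") + b"\x00" * 64)
SIGNED = [(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_RDATA)]
SAMPLES = {
    "validating": build_response(0x1234, "www.example.net", SIGNED, ad=True),
    "transparent": build_response(0x1234, "www.example.net", SIGNED),
    "stripping": build_response(0x1234, "www.example.net", [(TYPE_A, A_RDATA)]),
    "no-do": build_response(0x1234, "www.example.net", [(TYPE_A, A_RDATA)], do=False),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:12s} -> {classify(msg)}")
```

Two caveats when using probe() against a real resolver: the AD flag is only evidence of validation if the path to that resolver is trusted (a stub on the far side of an ISP's forwarder should validate for itself, which is what dnssec-validation auto; in a local named does rather than trusting AD), and the probe does not retry over TCP when a reply comes back truncated, so a large signed answer may need the query repeated with the UDP payload size raised or a TCP fallback added.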