Re: Force Bind caching resolver to always obey DNSSEC

2010-10-02 Thread lst_hoe02
Quote from Barry Margolin bar...@alum.mit.edu: In article mailman.265.1285967251.555.bind-us...@lists.isc.org, lst_ho...@kwsoft.de wrote: Quote from Alan Clegg acl...@isc.org: On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: Sorry for being unclear. We want the SERVFAIL as it should be for

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-02 Thread Phil Mayers
On 10/02/2010 10:01 AM, lst_ho...@kwsoft.de wrote: So the problem is not resolvers unaware of DNSSEC but resolvers with inappropriate defaults or configured wrong by accident. Additionally, this problem is not easily detectable as it can occur far downstream. So I would say it is a valid concern

Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread lst_hoe02
Hello, after the root zones are now DNSSEC signed we would like to use DNSSEC at our caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and basically it is working fine. What I have not managed is to always force obeying DNSSEC signed zones for resolving, e.g. if I use dig +cdflag

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread Alan Clegg
On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote: Hello, after the root zones are now DNSSEC signed we would like to use DNSSEC at our caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and basically it is working fine. What I have not managed is to always force obeying DNSSEC signed

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread lst_hoe02
Quote from Alan Clegg acl...@isc.org: On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote: Hello, after the root zones are now DNSSEC signed we would like to use DNSSEC at our caching resolvers. I have set up Bind 9.7.0-P1-1 at the border and basically it is working fine. What I have not managed is to

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread Alan Clegg
On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: Sorry for being unclear. We want the SERVFAIL as it should be for invalid DNSSEC data *in all cases*, e.g. even if a client asks with the cdflag (checking disabled) set. CD means don't check, so you can't by definition. AlanC

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread lst_hoe02
Quote from Alan Clegg acl...@isc.org: On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: Sorry for being unclear. We want the SERVFAIL as it should be for invalid DNSSEC data *in all cases*, e.g. even if a client asks with the cdflag (checking disabled) set. CD means don't check, so you can't by

Re: Force Bind caching resolver to always obey DNSSEC

2010-10-01 Thread Barry Margolin
In article mailman.265.1285967251.555.bind-us...@lists.isc.org, lst_ho...@kwsoft.de wrote: Quote from Alan Clegg acl...@isc.org: On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote: Sorry for being unclear. We want the SERVFAIL as it should be for invalid DNSSEC data *in all cases*, e.g.