DNSSEC ISSUE (Msg: Request is not signed)

Mark Andrews Mark_Andrews at isc.org
Mon Jul 16 06:48:36 UTC 2007

> On Sat, 14 Jul 2007, Mark Andrews wrote:
> >       Auth servers don't have to set "ad" when responding. Named does
> >       no crypto validation when answering from authoritative data.
> >
> >       Workarounds are to use a recursion-only view.
> Which is exactly what I do; my authoratative nameservers have a
> non-authoratative, resolving view listening on the loopback interface
> that does do the crypto validatation so that OpenSSH can get validated
> fingerprints.
> I'm curious as to why this is set up this way, though. Wouldn't it make
> sense that authoratative servers, when loading or fetching the zone
> file, validate the data when loaded and then return responses with the
> AD bit set?

	Try that with a very large zone :-)

	It may be possible to do just in time validation.  We
	do this for pending NS RRsets when returning answers
	from the cache.
	BIND 9.4 needs both dnssec-enable yes; and dnssec-validate yes;.
> cjs
> -- 
> Curt Sampson         <cjs at cynic.net>         +81 90 7737 2974
>               http://www.starling-software.com
> The power of accurate observation is commonly called cynicism
> by those who have not got it.    --George Bernard Shaw
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list