disable dnssec in bind resolver
Evan Hunt
each at isc.org
Fri Jun 4 16:00:13 UTC 2010
On Fri, Jun 04, 2010 at 05:36:21PM +0200, Jan Buchholz wrote:
> i mean the parameter is the default.
Actually, since 9.5.0, the default has been "dnssec-validation yes".
(Note, however, that DNSSEC validation doesn't occur unless the resolver
has a trust anchor configured. So there has to be a "trusted-keys"
statement, a "managed-keys" statement, or the "dnssec-lookaside auto"
option, or your resolver won't validate.)
Unfortunately, turning off validation won't help. A non-validating
recursive resolver still sets the DO bit--all that bit means is
"go ahead and send me DNSSEC data, it won't hurt me".
I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it
doesn't, that's probably a bug.
If it doesn't, though, try "edns no". You can't have a DO bit if you
don't have a place to put one.
And, fix the broken firewall as soon as possible. :)
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
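Added example, not part of the original post or of BIND: the point above is that the DO bit is a flag inside the EDNS0 OPT pseudo-record, so a query with no OPT record ("edns no") cannot carry it. The script below builds three constructed DNS queries in wire format (EDNS with DO, EDNS without DO, no EDNS at all) and parses the OPT record back out, which is the same check you would do on a tcpdump/dig capture to confirm what the resolver is actually sending. Names, the query helper and the sample domain are assumptions of this example.

```python
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000     # DO bit: bit 15 of the 16-bit flags field in the OPT TTL


def build_query(qname, qtype=1, edns=True, do=True, udp_size=4096, txid=0x1234):
    """Build a constructed UDP DNS query (example helper, not BIND's code).

    With edns=True an OPT record is appended in the additional section and
    the DO bit is set or cleared in its TTL field. With edns=False there is
    no OPT record, so there is nowhere to put a DO bit at all.
    """
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = b""
    for label in qname.rstrip(".").split("."):
        question += struct.pack("!B", len(label)) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # qtype, class IN
    msg = header + question
    if edns:
        # OPT RR: root name, type 41, CLASS = advertised UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH 0.
        ttl = DO_FLAG if do else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label terminates the name
            return off
        off += length


def do_bit_status(msg):
    """Report whether a DNS message carries EDNS and, if so, the DO bit.

    Returns {"edns": bool, "do": bool, "udp_size": int or None}. Only an
    OPT record can carry DO, so a message without one reports do=False.
    """
    _, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip qtype + qclass
    status = {"edns": False, "do": False, "udp_size": None}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            status = {"edns": True, "do": bool(ttl & DO_FLAG), "udp_size": rclass}
    return status


if __name__ == "__main__":
    # Constructed sample queries; "isc.org" is used only as an example name.
    for desc, q in [
        ("default resolver behaviour (EDNS, DO set)", build_query("isc.org")),
        ("EDNS present, DO cleared", build_query("isc.org", do=False)),
        ("no EDNS at all ('edns no')", build_query("isc.org", edns=False)),
    ]:
        print(f"{desc}: {len(q)} bytes -> {do_bit_status(q)}")
```

To compare against real traffic, `dig +dnssec` sends a query with DO set and `dig +noedns` sends one with no OPT record; feeding the captured UDP payload to `do_bit_status` gives the same three outcomes as the constructed queries.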