disable dnssec in bind resolver

R. Kevin Oberman oberman at es.net
Fri Jun 4 17:52:00 UTC 2010


This thread has gotten bogged down in silliness. (Not referring to Paul's message).

First, dnssec-validation is 'off' by default in all BIND versions. It's dnssec-enable that started defaulting to 'yes'.

Second, your firewall is simply broken. You will continue to have problems with DNS until you fix/replace it. I have not seen a recent firewall broken in this manner for a while, but this was quite common a couple of years ago.

For the moment, turning off dnssec-enable is probably your best hope, but it's not a fix and you are likely to see continuing problems on a smaller scale until the firewall is fixed.

Sent from my Treo:
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
E. O. Lawrence Berkeley National Laboratory (LBNL)
oberman at es.net                      +1 510-486-8634

-----Original Message-----
From: Paul Wouters <paul at xelerance.com>
Date: Friday, Jun 4, 2010 9:20 am
Subject: Re: disable dnssec in bind resolver
To: Evan Hunt <each at isc.org>
CC: bind-users at lists.isc.org

On Fri, 4 Jun 2010, Evan Hunt wrote:

> I'm pretty sure "dnssec-enable no" does suppress the DO bit.  If it
> doesn't, that's probably a bug.

Yeah, I thought the default changed when all those NAT routers proved buggy.

> If it doesn't, though, try "edns no".  You can't have a DO bit if you
> don't have a place to put one.

This seems a bit like "my left leg hurts, so i stabbed my right leg".

> And, fix the broken firewall as soon as possible. :)

Now that is solid advice :)

Paul
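To make Evan's point concrete ("you can't have a DO bit if you don't have a place to put one"), here is an added example, not code from this thread or from BIND, that builds DNS queries with and without EDNS0 and then inspects the wire format to find the DO bit, which lives in the TTL field of the OPT pseudo-record. The query name and UDP payload size are constructed values.

```python
"""Build DNS queries with/without EDNS0 and locate the DO bit on the wire."""
import struct
from typing import Optional

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR (RFC 6891)
DO_FLAG = 0x8000     # top bit of the OPT RR's 32-bit TTL field (RFC 3225)


def build_query(qname: str, edns: bool, do: bool, txid: int = 0x1234) -> bytes:
    """Return a wire-format A query for qname.

    With edns=True an OPT RR is appended to the additional section; the DO bit
    is only meaningful inside that OPT RR.  "edns no" in named.conf means no
    OPT RR at all, so the DO bit simply has nowhere to appear."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = [lbl.encode() for lbl in qname.rstrip(".").split(".")]
    name = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not edns:
        return header + question
    ttl = DO_FLAG if do else 0          # ext-RCODE=0, version=0, Z=0
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size (constructed 4096)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return header + question + opt


def do_bit(packet: bytes) -> Optional[bool]:
    """Return the DO bit if the packet carries an OPT RR, else None (no EDNS)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos = 12

    def skip_name(p: int) -> int:  # walk labels; a 0xC0 pointer ends the name
        while True:
            length = packet[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:
                return p + 2
            p += 1 + length

    for _ in range(qd):
        pos = skip_name(pos) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)
    return None
```

A firewall that chokes on the OPT record (or on the larger responses DO elicits) will behave differently on the first two queries than on the third, which is exactly the symptom the thread describes.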
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users