disable dnssec in bind resolver

Alan Clegg aclegg at isc.org
Fri Jun 4 18:16:05 UTC 2010


On 6/4/2010 1:52 PM, R. Kevin Oberman wrote:

> First, dns-validation is 'off' by default in all BIND versions. It's
> dnssec-enable that started defaulting to 'yes'.

No, it isn't.  The only reason that dnssec-validation appears "off" is
that without trust anchors, it doesn't do anything.  Insert a trust
anchor and you validate, even without "dnssec-validation yes;" in your
configuration.

Really.

> Second, your firewall is simply broken. You will continue to have
> problems with DNS until you fix/replace it. I have not seen a recent
> firewall broken in this manner for a while, but this was quite common
> a couple of years ago.

100% agreed.

> For the moment, turning off dnssec-enable is probably your best hope,
> but it's not a fix and you are likely to see continuing problems on a
> smaller scale until the firewall is fixed.

Yep.

AlanC
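
To make the point about defaults concrete, here is an added named.conf fragment (not from the original message, and not ISC's own configuration) showing the two settings the thread is arguing about: dnssec-enable, which controls whether named sets the DO bit and handles DNSSEC records at all, and dnssec-validation, which only has a visible effect once a trust anchor is configured. The zone name and the key material in the trusted-keys block are placeholders (an assumption for illustration), not a real DNSKEY; a deployment would paste the zone's published KSK obtained out of band.

```conf
// Added example, not from the original message: a named.conf fragment
// illustrating the settings discussed in the thread.
//
// dnssec-enable: whether named speaks DNSSEC at all (sets the DO bit,
//   returns RRSIG/DNSKEY/NSEC records). Default "yes" since BIND 9.5.
// dnssec-validation: whether named validates answers against its
//   configured trust anchors. Also defaults to "yes", but without a
//   trust anchor there is nothing to validate against, so it looks "off".
options {
    directory "/var/named";

    dnssec-enable yes;
    dnssec-validation yes;   // already the default; written out to make it explicit

    // Temporary workaround for a firewall that drops or mangles large
    // EDNS0/DNSSEC replies: disable DNSSEC entirely. This is NOT a fix.
    // The firewall has to be repaired; until then some queries will
    // still fail.  Uncomment only as a stopgap:
    // dnssec-enable no;
};

// This block is what actually turns validation on.  With it present,
// answers under "example." are validated even if dnssec-validation
// is never mentioned in options{}.  The owner name and key string are
// PLACEHOLDERS (assumption): replace them with the real zone name and
// its published KSK (flags 257, protocol 3, algorithm as published).
trusted-keys {
    "example." 257 3 8 "AwEAAaBcDeFg...REPLACE-WITH-REAL-KEY-DATA...";
};
```

To see whether validation is actually happening, query the resolver with `dig @127.0.0.1 +dnssec example. SOA` and look for the `ad` flag in the response header; to reproduce the firewall problem Kevin describes, repeat the query with `+bufsize=4096` so the reply is large enough to exercise EDNS0 and fragmentation, and compare against `+bufsize=512`. Later BIND releases also offer `dnssec-validation auto;`, which uses a built-in root trust anchor instead of a hand-maintained trusted-keys block.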
